If you build it, is it secure?
On the other hand, mobile devices were designed largely for consumer use, and as the ANSI report points out, lack the “mature security controls” of large computer systems. Low-security devices are used to access PHI on high-security networks. The inability of a covered entity to manage the use of PHI on a mobile device can cause privacy incidents, according to AHIMA. The portable nature of mobile devices also means they are easy to lose or steal. Unencrypted data on unsecured devices—data either stored “onboard” or on a SIM card—are vulnerable to exposure.
Applications are another vulnerability. In the article, Mitigating PHI Danger in the Cloud, we discussed the security concerns of cloud-level applications. These same concerns apply to applications for mobile devices. Thousands of mobile healthcare applications are available for the iPad, many of which enable access to ePHI. For these applications, however, security is what the developer decides it will be — not what the user needs it to be.
The lifecycle of insecurity
Technology development—for both devices and applications—tends to follow a lifecycle. Vendors encourage rapid adoption to boost innovation. Security becomes an issue only when that technology has become a part of everyday life. For healthcare, where security is of prime importance, this backwards approach is troubling.
To protect patients, financial consumers, and the public at large, developers have the responsibility to reverse the cycle and implement a “security by design” strategy. It’s not impossible. Phones, tablets, and other devices are fast and efficient enough to enable built-in security that is activated when the device is powered up. Ideally, this security should be embedded at all levels—hardware, operating system, and applications.
What a covered entity can — and must — do
The latest Ponemon benchmark study on patient privacy and data security reports that while 81 percent of respondents use mobile devices to gather, store, and/or transmit PHI, nearly half say that their organization does nothing to protect mobile devices. Given the human need for convenience and the immature security technology, it’s easy to see why many covered entities have few or no policies regarding the use of mobile devices in handling PHI.
At the same time, HIPAA and HITECH regulations, not to mention state laws, put strict safeguards around the handling of PHI. With the HHS’ Office of Civil Rights stepping up enforcement, covered entities have good reason to implement the most comprehensive privacy and security policies they can—including those that cover the use of mobile devices.
The best policies, of course, are based on the organization’s commitment to protecting patients’ health and sensitive information. Demonstrating good intent is the best way to achieve compliance in an era of tightening regulations and increasing use of mobile technology in healthcare.
Rick Kam, CIPP, is president and co-founder of ID Experts. This article first appeared on Government Health IT on June 18, 2012. Rick is also chairing the “PHI Project,” a research effort to measure financial risk and implications of data breach in healthcare, led by the American National Standards Institute (ANSI), via its Identity Theft Prevention and Identity Management Standards Panel (IDSP), in partnership with the Shared Assessments Program and the Internet Security Alliance (ISA).