The lifecycle of PHI and mobile device insecurity
Mobile devices have become notorious for unintended exposure of protected health information (PHI).
Between September 22, 2009, and May 8, 2011, for instance, mobile devices were the cause of exposing the PHI of more than 1.9 million patients, a statistic cited in The Financial Impact of Breached Protected Health Information: A Business Case for Enhanced PHI Security, a seminal report by the American National Standards Institute (ANSI), The Santa Fe Group/Shared Assessments Program Healthcare Working Group, and the Internet Security Alliance (ISA).
The term “mobile device” is often synonymous with a cell phone. But, as AHIMA notes, mobile devices span the spectrum of form, wireless accessibility, and processing capabilities to include everything from thumb drives and external hard drives to smartphones, tablets, and laptops.
Healthcare professionals are rushing to take advantage of the variety of mobile devices: a survey of nearly 3,800 physicians by QuantiaMD estimates that “83 percent of physicians own at least one mobile device and about one in four doctors are ‘super mobile’ users who leverage both smartphones and tablet computers in their medical practices.” It’s almost certain that the rapid adoption of electronic health records (EHRs) is accelerating the use of mobile devices in medicine.
Mobile devices offer convenience and almost unlimited applicability to doctors and other medical professionals — communicating with patients, collaborating with colleagues (telemedicine), ordering drugs, and entering patient data during visits, to name a few. On the consumer side, patients use mobile technology to access their medical information, refill prescriptions, or make appointments.
The increased use of mobile devices in medicine is causing headaches for security and privacy professionals. But the risks are as varied as the devices themselves. A careful analysis reveals security weaknesses at many levels.
“Never Leave Home without It”
This old-but-famous American Express slogan applies to our society’s mentality about mobile devices. David Allen, CTO of Locaid, says that people feel more “attached” to their phones than their wallets. With all the functionality, apps, and data a smartphone provides, these devices have become a virtual representation for their owners.
And this virtual representation has extended to the workplace through the bring-your-own-device (BYOD) trend. Many people do little or nothing to protect their devices: passcodes, encryption, and other security measures are often sacrificed for convenience.
If you build it, is it secure?
On the other hand, mobile devices were designed largely for consumer use, and as the ANSI report points out, lack the “mature security controls” of large computer systems. Low-security devices are used to access PHI on high-security networks. The inability of a covered entity to manage the use of PHI on a mobile device can cause privacy incidents, according to AHIMA. The portable nature of mobile devices also means they are easy to lose or steal. Unencrypted data on unsecured devices—data either stored “onboard” or on a SIM card — are vulnerable to exposure.
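The two points above (users skip passcodes for convenience; unencrypted data on a lost device is exposed) are linked more tightly than the text states: on most devices the storage-encryption key is derived from the user's passcode, so encryption is only as strong as the passcode behind it. The following is an added illustration, not code from the article or from any vendor. It simulates the attacker who has dumped the flash of a lost device (so the salt and a key-check value are readable) and runs an offline passcode search with no lockout or rate limit. The PBKDF2 iteration count, the key-check construction, and the passcode "4821" are assumptions chosen so the demonstration runs in about a second in pure Python; real devices use far higher counts.

```python
import hashlib
import itertools
import os
import string

# Assumed, illustrative parameters: a real device uses hundreds of thousands of
# iterations (or a hardware-bound KDF); 100 keeps the search quick to demonstrate.
ITERATIONS = 100
KEY_LEN = 32


def derive_key(passcode: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Derive the storage-encryption key from the user's passcode (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, iterations, dklen=KEY_LEN)


def key_check_value(key: bytes) -> bytes:
    """A value stored beside the ciphertext so the OS can tell a correct passcode
    from a wrong one. Anything derived from the key serves the same purpose for
    an attacker; this hypothetical construction is a plain hash with a label."""
    return hashlib.sha256(b"kcv" + key).digest()


def lock_device(passcode: str) -> dict:
    """Simulate provisioning: random salt plus the key-check value that an
    attacker with a copy of the device's storage can read."""
    salt = os.urandom(16)
    return {"salt": salt, "kcv": key_check_value(derive_key(passcode, salt))}


def offline_passcode_search(stolen: dict, alphabet: str = string.digits, length: int = 4):
    """Attacker model: the device was lost or stolen and its storage dumped.
    Try every passcode over the alphabet/length; nothing rate-limits this."""
    for tup in itertools.product(alphabet, repeat=length):
        guess = "".join(tup)
        if key_check_value(derive_key(guess, stolen["salt"])) == stolen["kcv"]:
            return guess
    return None


def search_space(alphabet: str, length: int) -> int:
    """Number of candidates the attacker must try in the worst case."""
    return len(alphabet) ** length


def seconds_to_exhaust(alphabet: str, length: int, guesses_per_second: float) -> float:
    """Worst-case offline search time at a given attacker throughput."""
    return search_space(alphabet, length) / guesses_per_second


if __name__ == "__main__":
    # Constructed scenario: a clinician's tablet locked with a 4-digit PIN.
    device = lock_device("4821")
    print("recovered passcode:", offline_passcode_search(device))

    # Same derivation, different passcode policy. The assumed 1e6 guesses/s is a
    # modest GPU rate against a low iteration count, for comparison only.
    alnum = string.ascii_letters + string.digits
    print("4-digit PIN candidates:      ", search_space(string.digits, 4))
    print("8-char alphanumeric candidates:", search_space(alnum, 8))
    print("worst case at 1e6/s, PIN:   %.4f s" % seconds_to_exhaust(string.digits, 4, 1e6))
    print("worst case at 1e6/s, 8-char: %.0f years" % (seconds_to_exhaust(alnum, 8, 1e6) / 3.15e7))
```

The caveat for a covered entity: a passcode policy and an encryption policy are the same policy. A 4-digit PIN protects against a casual finder but not against anyone who images the storage, whereas a longer passcode, a high iteration count, or (best) a key that never leaves a hardware secure element takes the offline search off the table entirely.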
Applications are another vulnerability. In the article, Mitigating PHI Danger in the Cloud, we discussed the security concerns of cloud-level applications. These same concerns apply to applications for mobile devices. Thousands of mobile healthcare applications are available for the iPad, many of which enable access to ePHI. For these applications, however, security is what the developer decides it will be — not what the user needs it to be.
The lifecycle of insecurity
Technology development—for both devices and applications—tends to follow a lifecycle. Vendors encourage rapid adoption to boost innovation. Security becomes a concern only after that technology has become part of everyday life. For healthcare, where security is of prime importance, this backwards approach is troubling.
To protect patients, financial consumers, and the public at large, developers have the responsibility to reverse the cycle and implement a “security by design” strategy. It’s not impossible. Phones, tablets, and other devices are fast and efficient enough to enable built-in security that is activated when the device is powered up. Ideally, this security should be embedded at all levels—hardware, operating system, and applications.
What a covered entity can — and must — do
The latest Ponemon benchmark study on patient privacy and data security reports that while 81 percent of respondents use mobile devices to gather, store, and/or transmit PHI, nearly half say that their organization does nothing to protect mobile devices. Given the human need for convenience and the immature security technology, it’s easy to see why many covered entities have little or no policies regarding the use of mobile devices in handling PHI.
At the same time, HIPAA and HITECH regulations, not to mention state laws, put strict safeguards around the handling of PHI. With the HHS Office for Civil Rights stepping up enforcement, covered entities have good reason to implement the most comprehensive privacy and security policies they can—including those that cover the use of mobile devices.
The best policies, of course, are based on the organization’s commitment to protecting patients’ health and sensitive information. Demonstrating good intent is the best way to achieve compliance in an era of tightening regulations and increasing use of mobile technology in healthcare.
Rick Kam, CIPP, is president and co-founder of ID Experts. Rick is also chairing the “PHI Project,” a research effort to measure financial risk and implications of data breach in healthcare, led by the American National Standards Institute (ANSI), via its Identity Theft Prevention and Identity Management Standards Panel (IDSP), in partnership with the Shared Assessments Program and the Internet Security Alliance (ISA).