Where will HIT security be in 3 years?
There's also another, much worse piece of security news: The nature of mobile apps, with all of their interdependent parts, has opened a huge number of security problems, which have caught many large companies unaware. Starbucks' app stored all passwords in clear-text, meaning that a thief could find the password and use it. Walmart's mobile app also stored passwords (courtesy of how it implemented iTunes backup) as well as extensive geolocation history. Walgreens encouraged shoppers to take pictures of prescription labels -- and then those images were saved so anyone could see them, a serious violation of medical privacy. Delta Airlines properly encrypted passwords but it also saved its encryption key on the device -- in clear-text.
The key point with all of those large companies is that none of them knew about those mobile app security holes before outside security researchers told them, long after those apps were in wide circulation. Hospital groups are equally exposed. Even if the app passwords were encrypted, IT must make sure that the encryption keys are also protected.
This also means that a misplaced, lost or stolen mobile device must not only trigger an immediate remote wipe, but also an immediate change of any associated passwords.
That process doesn't start, though, until the device is reported lost, which itself relies on the physician noticing that the device is missing. A several-hour delay could be disastrous. One possibility is for physicians to carry a very small device (likely with an RFID tag) somewhere on their person (shirt pocket, for example) that would track the mobile device and digitally shout whenever it's more than XX feet from the device. That shout could be a text and e-mail to the doctor, an assistant plus someone in IT.
The rural network challenge
The approach of not storing data locally on mobile devices is fine in a hospital setting or the doctor's Wi-Fi-enabled offices. But in rural settings where Wi-Fi and over-the-air network access might be spotty, the argument can be made that much more data needs to stay resident on that mobile device, to help the physician do his/her medical magic.
Robert Zimmerman is the managing director for health information technology at QIP, a healthcare regulatory compliance company. Zimmerman's position is that the easiest and best route is minimalism. If a physician is visiting a patient, he or she should take the time to select only the files needed for that visit and store only those, he says. And then after that visit, delete the files.
"What is the real value to patient care? We have technologists trying to tell us to use technology for all of these decisions," Zimmerman said. "The IT people need to understand the true value proposition. There is a huge bias on data and big data. What's the quality of the data? (Doctors) are definitely bringing too much. Evaluate what you really need."
Zimmerman added that far too many IT people don't fully understand HIPAA implications.
He also suggested that it's often acceptable to bring no sensitive medical files for a patient visit and to instead take extensive notes. Then compare those notes to the medical records a couple of hours later when the physician is either back in the office or at least is able to access the network.
"As a doctor, I am going to take the security risk," said Zimmerman. "What's the trade-off? Can I do without those files for an hour or two?"