Mobile Device Security – Why it Matters

Mobile device security for telehealth applications is now a necessity.

Many of the health-centric behaviors once tied to the desktop are now performed remotely on a handheld digital device. For example:

• Increasingly, patients are researching your practice on their smartphone before scheduling a visit.
• Many hospitals now offer smartphone friendly patient portals that allow registration, scheduling, and even bill payment.
• New smartphone apps are reducing the time it takes to discharge patients from the emergency room.
• Telehealth visits are increasing; more than half of all American hospitals are providing the service, which patients can access from any digital device.

HealthTech points out that the mobile healthcare market will grow to $19 billion by 2021, clearly showing that patients are tied to their smartphones in new and ever-invasive ways. But how secure are these devices and the applications your customers are using to increase access to their clinical care?

It’s true that most healthcare entities today leverage the smartphone. Whether it’s allowing bring-your-own-device (BYOD) for clinical teams or telehealth applications that leverage the technology, healthcare providers around the world have embraced the cell phone as a useful tool for providing care and communication.

The HIPAA Journal has tracked the growth of our mobile device usage by healthcare professionals:

• 81% of all doctors use their smartphones in their clinical practice.
• 31% use an organization-created mobile app; another 30% are having one developed.
• 38% of healthcare providers have a system in place to send secure text messages.
• This year, 65% of all interactions with healthcare facilities will be by a mobile device.

But when healthcare is conducted via a smartphone, it is a necessity that the data is protected and HIPAA compliance assured. The HIPAA Journal points out the obvious dilemma:
Unfortunately, while mobile healthcare devices are convenient, they are not without their risks. With hundreds of thousands of mobile devices now requiring access to a healthcare network, it is no surprise that mobile data security and HIPAA compliance have become two of the biggest concerns for CIOs, CISOs, Compliance Officers and health IT professionals.”

How can clinical providers and their patients make use of this technology while still keeping their health-related records safe? The answer is to follow the HIPAA Security Rules.

HIPAA compliance is usually the first reason to be concerned with mobile device security. Heavy fines can result if healthcare providers fail to apply adequate mobile data security procedures into their telehealth programs.

While the HIPAA Privacy Rule was designed to protect the patient right to privacy, the HIPAA Security Rule was created to protect electronic personal health information (e-PHI). Here are some crucial points from the HIPAA Security Rule to help guide your efforts for mobile device security:

• One of the most important HIPAA Security Rules is to conduct a vulnerability assessment as part of an IT architecture review. Understanding physical security controls, as well as firewalls, anti-virus and anti-malware programs, user authentication, and password controls are all crucial to recognizing vulnerabilities that could lead to a breach.
• Encryption is another security rule that is mandatory today for any health-related electronic transmission over the Internet. The University of Arizona says, “This is one of the best ways to secure patient data.” Encrypted data is scrambled so if it falls into the wrong hands, it simply cannot be accessed. Regular text messaging is simply not enough; SMS messages are not encrypted or secure.
• Another way to ensure the protection of user and provider interactions is through user authentication to help a prevent data breach. Verifying the end user can occur in three ways:–Knowledge-based authentication, such as requiring a PIN or password;
  –Device-related authentication, requiring the end user to swipe an identifier such as an employee access code token.
  –Biometric authentication that uses a fingerprint or other physiological or behavioral, such as a signature, can also work well.

One caveat to these HIPAA requirements is that many of these rules were finalized in 2003, so they should serve primarily as a baseline for mobile device security.

Threats to data security are on the rise and the techniques that hackers use to exploit vulnerable devices are constantly evolving. Some additional security measures that can (and should) be undertaken include:

• Staff training that works to build a culture of cybersecurity throughout an organization.
• Data tracking that physically watermarks e-PHI so that it can be followed in case of a breach.
• Mobile device management that includes security certification of the devices accessing your network.
• For staff smartphones, having the ability to remotely erase their data if the device is stolen.
• Frequent backups and security software upgrades that encompass responses to all of the latest threats.
• Control of unregulated applications.

Organizations such as the National Institute of Standards and Technology take up where HIPAA leaves off. They offer healthcare providers a guideline for protein e-PHI in the Internet age.

A recent study showed doctors and patients perceived m-health or telehealth practiced via a smartphone, improved real-time patient monitoring and access to care as well as convenience. As smartphones are increasingly worked into our daily lives the risk of data exposure via the loss of the device or a hacked application, increase. But a study in the International Journal of Telerehabilitation showed that PHI breaches account for 78% of all healthcare security flaws.

So, how can a telehealth vendor ensure that our data will remain secure? While business applications like Skype or GoToMeeting are not typically HIPAA compliant, today’s telehealth applications were not only designed for the smartphone, they were created in the secure environment guided by HIPAA compliance. Look for a telehealth vendor that:

• Provides customization to fit your unique healthcare setting.
• Follows all HIPAA compliance rules.
• Uses cloud technology to provide real-time security updates to existing security features.
• Offers training in how to safely use the technology.

OrthoLive offers clinical providers in the orthopedic specialty a secure, HIPAA-compliant, mobile-friendly telehealth service. Contact us today to talk about how our application can help your practice stay current while keeping your data secure.