Data Protection Tips for Medical Practices Using Mobile Devices

February 25, 2014

Mobile devices bring great benefits to healthcare, but they also pose great risks. Here's how to mitigate those risks.

Mobile devices bring great benefits to healthcare, from increasing physician access to patient information to streamlining communication. But they also pose great risks.

If a mobile device is lost or stolen, the data stored on it, such as patients' protected health information (PHI) or a physician's login credentials for a secure practice server, can be compromised.

During a presentation at this year's Healthcare Information and Management Systems Society (HIMSS) Conference in Orlando, Fla., entitled "Securing Patient Data in a Mobilized World," Andrea Bradshaw, general manager of mobility solutions at technology products and services firm CDW and Sadik Al-Abdulla, security practice director at the firm, identified some of the major security risks mobile devices pose, as well as some of the key safeguards practices should take to mitigate those risks.

Risks to PHI include insider threats (such as when a disgruntled employee sends such information to his personal e-mail), accidental breaches (such as when a staff member misplaces her smartphone or tablet that contains protected health information), and malicious attacks (such as when an external threat accesses practice servers), said Al-Abdulla.

"The simple reality is that health systems have a tremendous amount of valuable data," he said, pointing to patients' names, dates of birth, addresses, and Social Security numbers. "That's exactly what you need to falsify an identity; that's exactly what the criminals need to monetize the records."

Despite the risks mobile devices pose, prohibiting their use at your practice is not the right move. According to a recent poll cited by Al-Abdulla, 72 percent of internal medicine doctors said that mobile devices improve their productivity, and 58 percent said they improve collaboration with their staff.

"There’s a growing expectation for support of mobile devices in the clinical setting," said Bradshaw. "You don’t want to be one of those providers that can’t provide the tools to effectively enable your workforce."

As your practice seeks to find a balance between mobility and security, Bradshaw and Al-Abdulla recommend crafting a comprehensive mobile strategy. This strategy should address network security (including firewall, authentication, and access control), device security (including device management, remote wipe, and tracking), and the data itself (including data security, encryption, and storage).

"All too often we see folks try to solve this in one of the three pillars that open themselves to risk by not dealing with the other three," said Al-Abdulla.

In addition to addressing network security, device security, and data security, a good mobility strategy must have a defined plan for engagement from stakeholders (including physicians), and have provisions for life-cycle management, said Bradshaw.

It should also include mobile device management (MDM), which helps health systems secure, monitor, and manage mobile devices. A good MDM solution includes device enrollment, certification, policy enforcement capabilities, and encryption, she said. The good news is that many vendors provide MDM at reasonable price points, said Al-Abdulla.

Here are a few other key items Bradshaw recommended practices include in their mobile strategy:
• Documented procedures for addressing both the use and misuse of devices;
• Requirements regarding staff and physician training on the proper use of devices;
• Clear guidance regarding how physicians and staff will be held accountable for noncompliance.

Also, make sure you have a plan to continually address mobile device use and update policies and procedures accordingly.

"Every part of this should have continuous monitoring designed into it from the very beginning ..." said Al-Abdulla. "At any given frozen point in time, it's actually fairly easy to be secure. As the system changes, unless you've designed continuous monitoring in it from the very beginning, you will break down and fail."