Mobile Security at Physician Practices: What to Consider

April 27, 2012
Marisa Torrieri

More physicians and practice staff are using smartphones and media tablets for work. But while these devices are useful, they also bring greater security risk than a desktop that never leaves the office.

Mobile devices are great for physicians on the go. They are also far more likely to be lost or stolen than almost any other piece of practice equipment.

The patient data that resides on a phone or tablet can expose your practice to HIPAA security violations, which can bring stiff fines and plenty of embarrassment.

Also, in its 455-page proposed rule outlining the requirements for Stage 2 of its meaningful use EHR incentive program, CMS set the objective for providers to secure data “at rest” regardless of the device it is on. That means any patient data stored on a mobile device must be locked down: at a minimum protected by a passcode, and ideally encrypted, since a passcode alone does little to protect data on a device an attacker physically holds.

So how does a practice get started on securing everything mobile?

At Thursday’s mHIMSS Virtual Conference put on by the Healthcare Information and Management Systems Society (HIMSS), speaker Jason Zellmer, director of strategy and information management at Kaiser Permanente, offered a basic overview of what practices and other healthcare organizations should do during his session “The Future of Mobile Technologies and mHealth: Staying Securely Connected.”

When a practice decides which devices it will support - meaning the devices it will allow physicians and staff to use to access practice information - the security characteristics of each device type must be addressed separately.

“You have to look at, are you going to buy those devices, or are you going to support individuals bringing in those devices to your network,” said Zellmer. “The type of security you need depends on the device you get. You need to develop a security system based on the devices you are going to use, which is a consideration in terms of cost.”

The first step in implementing mobile security for a given set of devices is to consider the risks those devices present.

“Whenever you decide to undertake building a mobile website or application, you really have to think about what can happen and put security controls around that risk,” he said, noting that even the best security application isn’t 100 percent “risk free.”

According to Zellmer, two of the biggest risks are data loss (both the loss of data when a device is stolen or misplaced and data being wiped by a virus or malware) and identity theft.

“The stealing of credentials, meaning user name and password, has become very popular as an entry point for hackers,” said Zellmer, adding that once attackers are inside your system with a valid login, they can launch further attacks from that foothold.

Once risks are assessed, a practice can start to implement security processes.

But first, a practice should look at how its staff and physicians are actually using mobile devices. Common uses of iPads, for example, include remote access to enterprise systems (such as through a mobile EHR app), e-mail and calendar use, and productivity applications. Needless to say, many of these applications handle patient-sensitive data and will need to be covered by your security controls.

“When you look at things like note-taking, to-do lists, you might not think of it, but often times they have sensitive data on them,” he said. “Video and telemedicine is a huge use case that our [patient] population is interested in. Can we use Facetime to interact with our clients? What are the dangers of that?”

After the security risk assessment, in-house or contracted application developers (depending on the size of your practice) can take a closer look at security options that address those specific risks.

It is important to consider that an even greater level of security and legal risk is introduced when employees are allowed to use their personal mobile devices (rather than ones provided by the practice) to access business information, including patient data.

For starters, dual use of a device for personal and professional purposes limits the practice’s ability to restrict undesirable or malicious app usage.

“Consider malicious applications when considering what operating systems you want to support,” said Zellmer. “There are definitely advantages and disadvantages to [each operating system].”

In addition, if a personal device is lost and the practice uses a remote-wipe program to erase patient-sensitive data, personal data such as Dr. Brown’s photos of his daughter will be wiped in the process. Unless the practice’s device-management tooling can keep work data separate and wipe only that portion, the only safe assumption is that a wipe removes everything on the device, and staff should be told so before they enroll a personal device.

“There have been cases of people suing the company because the company not only wiped out the work data, but also the personal data,” Zellmer said.

For more on securing mobile data at your medical practice, check out our recent HIMSS12 video ("Properly Securing Patient Data") with IT expert and consultant Tom Walsh.