Embracing Security Challenges

 Over the past year, the perception of mobile technology in healthcare has changed dramatically.  mHealth is now being recognized as a tool that can help address the challenges our healthcare system is facing, including a shortage of caregivers, an influx of newly insured patients, decreased reimbursements and readmission penalties.  Historically, there have always been barriers that kept hospitals from making the leap to mobility – lack of infrastructure, costs, or the fear of security breaches, among other reasons. Yet as mobile technology becomes deeply ingrained in our day-to-day work and social lives, healthcare is following suit and migrating toward mobility as a component of care delivery.

However, concerns about security remain at the forefront.   According to data from the Department of Health and Human Services (HHS), more than 41 million people have had their protected health information compromised in a reportable HIPAA privacy or security breach.  Additional data from the 2014 Healthcare Breach Report from Bitglass suggests that 68 percent of all healthcare data breaches are due to device theft or loss and 48 percent of breaches involve a laptop, desktop or mobile device.

As a former military physician, information security was always a top priority as we adopted technology, such as electronic medical records and telehealth systems, which improved our access to patients and their information.  The healthcare industry as a whole is now adopting mobile technology to further improve our ability to evaluate and treat patients across the care continuum.  However, information security is not always treated as a priority during this adoption.

Mobile technology creates a fast-growing number of access points to view and share patient data, which presents potential gaps in privacy and information security.  These gaps can be addressed by adding multiple security layers, such as multifactor authentication, rigorous audit trail transactional monitoring for both the applications as well as the operating system and advanced encryption. In addition, common-sense actions such as requiring complex passwords, setting password expiration dates, not storing PHI on the device outside of an active, authenticated session and not allowing unsecured texting of patient information should be a part of any mobile device security strategy.

As mobile technology becomes the norm for accessing and interacting with patient data, additional guidelines and standards will be needed.  An example of an emerging security capability is biometric scanning, which is available today on some devices.  Instead of relying on a secured password or device, incorporating a fingerprint scan in order to unlock a device or log on to an application can prevent unauthorized access.

However, the mHealth industry can lead the way in cybersecurity and should challenge itself to go further. Why just settle for proprietary mobile device management (MDM) protocols? For example, the Defense Department now requires defense and military systems to go through the risk management framework developed by the National Institute of Standards and Technology. This cybersecurity terminology for defense and civilian networks sets a gold standard to which mHealth platforms and applications should aspire.

Security standards are a critical component of a mobile health strategy; however, they cannot be developed in isolation.  The effect of these measures on patient satisfaction, outcomes, clinician workflow and user experience are equally important.  Ultimately, by connecting multiple sources of patient data across the care continuum, interfaces will work together to provide a common, interoperable framework to securely provide clinicians with the right data at the right time to improve patient outcomes at the point of care.  A successful mobile health platform must address both the opportunities and the potential security risks when building mobility ecosystems.