What are the risks involved in using mobile devices to access patient data?

In today's Information Age, smartphones and tablets have so much processing power that they are no less than a computer for all practical purposes. We now use them for everyday activities, including searching the web, accessing financial accounts, shopping and communication, and even editing documents and performing work-related tasks. We also access many EHR-related functions on mobile devices. When we access EHR functions such as eRx or chart notes, we bring patient health information onto the mobile device. Once a patient's health information is on a mobile device, it raises concerns about the security of protected health information (PHI). We need to protect and secure this patient data, because patients have entrusted us to protect their health information.

According to the Department of Health and Human Services (DHHS), the HIPAA Security Rule outlines national standards designed to protect individuals' electronic protected health information (ePHI) that is created, received, used or maintained by a covered entity.[3] A mobile device stores data in one of two places: a) its internal storage, or b) an external storage card or SIM. The device retains a record of the data accessed in one of these two storage areas.

Most people think that because the mobile device has a password lock, it is protected, but that is not enough. There are many risks related to mobile device security:

  1. Lost or stolen mobile device. Mobile devices are vulnerable to theft because of their small size and portability. If your mobile device is used to access EHR software, patient data can be present at different locations on your device: in the phone's internal storage or on an external storage card. The password lock alone is not enough to protect this information. A thief can remove the storage card and read the patient data on it directly. Some locks (particularly 4-digit PINs or pattern locks) are not secure enough; with a simple program, a thief can run through the possible combinations and recover the passcode.
  2. Downloading a virus or malware onto the device. You use your mobile device for searching the web and accessing all kinds of other entertainment and information online. If you are not careful, you can easily download a virus or malware onto your device while downloading a song or a picture, or just by visiting a "bad" website. This virus or malware can then track all your keystrokes and potentially capture your passwords for multiple websites or email accounts. This can be really bad, ultimately leading to identity theft and, of course, access to a lot more than the patient health data on the mobile device.
  3. Unsecured Wi-Fi network. When you use an unsecured Wi-Fi network, all the data passing over that network can potentially be captured by someone who knows Wi-Fi systems and aims to intercept your data. There are instructions on the web showing how this is done, available for anyone to learn and use. This makes it easy for anyone to potentially hack into your device if you are accessing the web on an unsecured Wi-Fi network.
  4. No encryption. Typically, the data on mobile devices is not encrypted. Thus, ePHI stored on a mobile device can be read by anyone with access to the device.

You may now feel that you can never access an EHR on a mobile device. But with some safeguards, you can easily protect patients' health information while accessing EHR functions on a mobile device. These are listed below. We will go over them in detail, one by one, in upcoming blogs, with examples and recommended apps for achieving these safeguards on mobile devices.

  1. Set a strong alphanumeric password or biometric authentication.
  2. Encrypt the device
  3. Use automatic log off feature in most of the sensitive apps on your phone (particularly that are related to patient data)
  4. Enable remote wipe (a very important safeguard for your mobile device)
  5. Set up an immediate lock on the device when idle
  6. Refrain from sharing your device
  7. Install firewall, antivirus and anti-malware programs on your mobile device
  8. Use secure Wi-Fi network
  9. Keep the device with you all the time
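As an added example (not code from the original post, and not the product of any EHR vendor or mobile device management tool), here is a posture check that turns the safeguards above into conditions a device must meet before it is allowed to open EHR functions. It also reflects risks 1 and 4 from the earlier list: a PIN or pattern lock fails the password check, and both storage areas named above (internal storage and the external card) must be encrypted. The posture field names, the policy thresholds and the two sample devices are all assumptions constructed for the example; safeguard 9 (keeping the device with you) is behavioural and cannot be read from a posture report, so it is not checked.

```python
"""Device-posture check for the mobile safeguards listed above.

Added example, not code from the original post. It assumes a posture
record like the one a mobile device management (MDM) agent reports; the
field names, thresholds and sample records are all constructed here.
"""
from dataclasses import dataclass
from typing import List

# Policy thresholds (assumed values; set them from your own policy)
MIN_PASSWORD_LENGTH = 8               # safeguard 1
MAX_IDLE_LOCK_SECONDS = 60            # safeguard 5: lock promptly when idle
MAX_EHR_SESSION_SECONDS = 15 * 60     # safeguard 3: automatic log-off in PHI apps
SECURE_WIFI = {"WPA2", "WPA3"}        # safeguard 8


@dataclass
class DevicePosture:
    """One device as reported by a (hypothetical) MDM agent."""
    device_id: str
    lock_type: str                    # "none", "pin", "pattern", "password", "biometric"
    passcode_length: int = 0          # for "biometric": the fallback passcode
    passcode_alphanumeric: bool = False
    internal_storage_encrypted: bool = False
    sd_card_encrypted: bool = True    # True also when no external card is fitted
    remote_wipe_enrolled: bool = False
    idle_lock_seconds: int = 0        # 0 = device never locks on its own
    ehr_app_timeout_seconds: int = 0  # 0 = EHR app never logs the user off
    anti_malware_installed: bool = False
    wifi_security: str = "OPEN"       # security of the network currently joined
    shared_device: bool = False       # multiple user profiles configured


def strong_lock(p: DevicePosture) -> bool:
    """Safeguard 1. A 4-digit PIN or pattern lock fails outright; a biometric
    unlock always has a passcode fallback, so that fallback must be strong."""
    if p.lock_type not in ("password", "biometric"):
        return False
    return p.passcode_length >= MIN_PASSWORD_LENGTH and p.passcode_alphanumeric


def evaluate(p: DevicePosture) -> List[str]:
    """Return the names of the safeguards the device fails (empty = compliant)."""
    checks = [
        ("1 strong password/biometric", strong_lock(p)),
        # Safeguard 2 covers both storage areas: internal storage and the card.
        ("2 device encryption", p.internal_storage_encrypted and p.sd_card_encrypted),
        ("3 automatic log-off", 0 < p.ehr_app_timeout_seconds <= MAX_EHR_SESSION_SECONDS),
        ("4 remote wipe", p.remote_wipe_enrolled),
        ("5 lock when idle", 0 < p.idle_lock_seconds <= MAX_IDLE_LOCK_SECONDS),
        ("6 not shared", not p.shared_device),
        ("7 anti-malware", p.anti_malware_installed),
        ("8 secure Wi-Fi", p.wifi_security.upper() in SECURE_WIFI),
        # Safeguard 9 (keep the device with you) is behavioural and is not
        # measurable from a posture report, so it is not checked here.
    ]
    return [name for name, ok in checks if not ok]


def may_access_ehr(p: DevicePosture) -> bool:
    """Gate EHR access on a clean posture report."""
    return not evaluate(p)


# Constructed sample records: one non-compliant tablet, one compliant phone
UNSAFE = DevicePosture("tablet-01", lock_type="pin", passcode_length=4,
                       internal_storage_encrypted=False, sd_card_encrypted=False,
                       idle_lock_seconds=600, wifi_security="OPEN")
SAFE = DevicePosture("phone-02", lock_type="biometric", passcode_length=12,
                     passcode_alphanumeric=True, internal_storage_encrypted=True,
                     remote_wipe_enrolled=True, idle_lock_seconds=30,
                     ehr_app_timeout_seconds=300, anti_malware_installed=True,
                     wifi_security="WPA3")

if __name__ == "__main__":
    for device in (UNSAFE, SAFE):
        failed = evaluate(device)
        print(device.device_id, "OK" if not failed else "blocked: " + ", ".join(failed))
```

Run as a script, the constructed tablet is blocked on seven safeguards (it passes only "not shared") while the phone is allowed through. The point of returning the failed safeguard names rather than a bare yes/no is that the user can be told exactly what to fix, which is how an MDM compliance policy normally reports.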

Conclusion: Mobile devices offer both patients and physicians a convenient, user-friendly way to interact and to access electronic health records. We need to be aware of the risks involved and take appropriate actions to safeguard protected health information. With due diligence and common sense, we can enjoy the convenience while securing the protected health information.

Sources:

  1. www.healthit.gov/mobiledevices
  2. The Health Insurance Portability and Accountability Act of 1996 (public law 104-191)
  3. The Security Rule. http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/