Securing mHealth to protect patient data

Jun 26th, 2014 / Category: Enterprise Mobility

Just as mobile technology is transforming the enterprise landscape, portable devices are making a significant impact on medical care. mHealth refers to the integration of mobile technologies into healthcare operations, including applications for patients, doctors and other participants.

Because of the sensitive nature of patient medical data, however, embracing these gadgets requires careful security and privacy practices. Regardless of the platform, protected health information must be handled according to regulatory guidelines, such as HIPAA and HITECH, and safeguarded from data breaches.

Why go mobile in the healthcare industry?
mHealth is catching on for many of the same reasons that the mobile enterprise has met with success: It's convenient, user-friendly and conducive to fast communication. For example, FierceMobileHealthcare described how mHealth is being used to improve caregiver communication. In healthcare, mobile trends include:

  • Provider-to-provider tools, such as messaging apps to discuss patient care among a treatment team
  • Provider-to-patient apps, such as mobile patient portals where visitors can discuss their condition with their doctors
  • Patient information resources, such as videos explaining a condition or medical procedure

Particularly in a mobile context, where IT teams have less control over which devices are used and where information flows, both accuracy and security are critical. Ensuring that information is correct and appropriate falls mostly to medical experts, but IT leaders must be involved in ensuring mHealth initiatives are strongly secured.

Securing mHealth
Mobile security is a multifaceted project that covers all of the angles to ensure data is managed in a secure environment and PHI is protected according to privacy guidelines. A comprehensive mHealth security plan should cover the following points:

  • Policies and education: Clinicians and other stakeholders should clearly understand which type of information is permissible to handle over mobile tools and know which resources are approved in terms of devices and programs.
  • Device security: Medical centers must decide whether to provide mobile devices for their clinicians or allow them to use their personal devices. Hardware and software need to be protected with appropriate anti-malware tools and kept up to date with security patches; because phones and tablets are easily lost or stolen, device-level protections such as a screen lock, storage encryption and remote wipe matter as much as patching. Devices should be certified to ensure they are compatible with the medical environment, HIMSS suggested.
  • Networks: For devices used within the healthcare center, the network must be designed so they can connect securely and reach the necessary databases without copying sensitive information out of the protected environment.
  • Apps and other tools: For both patient-to-provider and provider-to-provider communications, apps and other programs designed specifically for healthcare information are necessary to discourage sending PHI over unapproved channels such as ordinary SMS or personal email. This could include secure file-sharing mobile apps that uphold HIPAA regulations. For example, meaningful use legislation requires electronic communications (including text messaging, emails and patient portals) to be encrypted according to National Institute of Standards and Technology protocols, SearchHealthIT explained.
  • Privacy measures: These tools must also be configured to respect the restrictions on PHI access outlined by HIPAA and HITECH. Accounts should be established based on role and treatment team, so that clinicians can reach the information they need to care for their patients while anyone not on the team is denied by default. Clinician- and patient-facing programs need to require authentication before any PHI is displayed, and each access decision should be recorded so that it can be audited later.
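The access model in the last bullet, role plus treatment-team membership with deny-by-default and an audit trail, is easy to get wrong when it is implemented as ad hoc checks in each screen. The following is an added example, not code from the article or from any vendor it mentions, that centralises the decision in one function. The roles, record types, user IDs and patient IDs are constructed sample data, and the policy table is an assumption chosen to illustrate the "minimum necessary" idea; a real deployment would load it from the organisation's own policy.

```python
"""Treatment-team scoped access check for PHI (added illustrative example).

Assumed model (not from the article): every user has one role, every patient
has a treatment team, and each role is granted only the record types it needs.
A request is allowed only when BOTH the role permits the record type AND the
user is on that patient's treatment team; every other case is denied, and
every decision (allow or deny) is appended to an audit trail.
"""
from dataclasses import dataclass, field

# Constructed sample policy: the record types each role may view.
# Unknown roles are not in this table and are therefore denied.
ROLE_PERMISSIONS = {
    "physician": {"demographics", "clinical_notes", "labs", "medications"},
    "nurse": {"demographics", "medications", "labs"},
    "billing": {"demographics", "billing"},
}


@dataclass(frozen=True)
class User:
    user_id: str
    role: str


@dataclass(frozen=True)
class AccessDecision:
    allowed: bool
    reason: str


@dataclass
class PhiAuthorizer:
    # patient_id -> set of user_ids on that patient's treatment team
    treatment_teams: dict
    # (user_id, patient_id, record_type, allowed, reason) per decision
    audit_log: list = field(default_factory=list)

    def check(self, user: User, patient_id: str, record_type: str) -> AccessDecision:
        """Return the decision for one request and record it in the audit log."""
        allowed_types = ROLE_PERMISSIONS.get(user.role)
        team = self.treatment_teams.get(patient_id, set())  # unknown patient -> empty team
        if allowed_types is None:
            decision = AccessDecision(False, f"unknown role {user.role!r}")
        elif record_type not in allowed_types:
            decision = AccessDecision(False, f"role {user.role!r} may not view {record_type!r}")
        elif user.user_id not in team:
            decision = AccessDecision(False, "user is not on the patient's treatment team")
        else:
            decision = AccessDecision(True, "role permits record type and user is on treatment team")
        self.audit_log.append(
            (user.user_id, patient_id, record_type, decision.allowed, decision.reason)
        )
        return decision

    def add_to_team(self, patient_id: str, user_id: str) -> None:
        """Enrol a user on a patient's treatment team (e.g. on admission or consult)."""
        self.treatment_teams.setdefault(patient_id, set()).add(user_id)

    def remove_from_team(self, patient_id: str, user_id: str) -> None:
        """Drop a user from a team (e.g. on discharge or handover); access ends at once."""
        self.treatment_teams.get(patient_id, set()).discard(user_id)


def build_demo_authorizer() -> PhiAuthorizer:
    """Constructed sample data: one patient with a three-person treatment team."""
    return PhiAuthorizer(
        treatment_teams={"patient-001": {"dr-lee", "rn-ortiz", "clerk-kim"}}
    )


if __name__ == "__main__":
    auth = build_demo_authorizer()
    requests = [
        (User("dr-lee", "physician"), "patient-001", "clinical_notes"),  # allowed
        (User("clerk-kim", "billing"), "patient-001", "clinical_notes"),  # on team, wrong role
        (User("rn-patel", "nurse"), "patient-001", "labs"),               # right role, not on team
        (User("dr-lee", "physician"), "patient-999", "labs"),             # unknown patient
        (User("it-admin", "admin"), "patient-001", "demographics"),       # unknown role
    ]
    for user, patient, record in requests:
        d = auth.check(user, patient, record)
        print(f"{user.user_id:>10} {patient} {record:<15} {'ALLOW' if d.allowed else 'DENY ':<5} {d.reason}")
    print(f"{len(auth.audit_log)} decisions written to the audit log")
```

Two design points are worth noting. First, the only allow branch is the last one, so adding a new role or record type cannot accidentally widen access: anything not explicitly listed is denied. Second, the deny decisions are logged with the same detail as the allows; in an investigation, a burst of "not on the patient's treatment team" denials from one account is exactly the signal an incident responder wants to find.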