As EHRs increasingly go mobile, prioritize security efforts

I read with great interest my colleague Greg Slabodkin's thought-provoking commentary this week about electronic health records and mobile technology. Slabodkin, the editor of FierceMobileHealthcare, noted both the "meteoritic" rise in demand for mobile device EHR applications by physicians and the fact that use of mobile technology could make users more satisfied with their EHRs.

A commenter quickly reacted to express concern that mobile EHR applications, while convenient, are particularly vulnerable to security breaches.  

This is true. And that concept has not escaped the government.  

That very issue was highlighted at last month's annual HIPAA security conference, "Safeguarding Health Information: Building Assurance through HIPAA Security," co-hosted by the U.S. Department of Health & Human Services' Office for Civil Rights and the National Institute of Standards and Technology, which I attended.

Attorney Adam Greene, a former health IT and privacy specialist with HHS who now is in private practice with Davis Wright Tremaine in Washington, D.C., gave an excellent presentation on the explosion of mobile technology used to access, create, receive, maintain and transmit patient protected health information (PHI), and the corresponding need to keep PHI secure. He noted that "[mobile devices] are the greatest thing since sliced bread, unless you're in healthcare IT security."

After all, as Greene pointed out, mobile technology containing PHI can easily be lost or stolen. In addition, most current devices contain cameras, which make it easy to improperly record PHI, and provide easy access to social media, where the impulsive user may post PHI.

But severe restrictions or outright bans on using mobile devices to interface with EHRs--strategies that have been used in the past--no longer are viable privacy protection options, he said, since use of the devices is so ubiquitous.

Still, Greene added, mobile devices do need to be incorporated into overall HIPAA compliance regimens, a step many providers seem to have overlooked. He suggested that providers be proactive and reduce the risk that mobile device use will compromise PHI, saying they should, among other things:

  • Identify their mobile device and mobile application needs, such as emailing of PHI, and ways to protect the data accordingly, such as secure access to email;
  • Include mobile technology in their risk analyses of security vulnerabilities;
  • Reduce the risk of a breach involving mobile technology once the risks have been identified, for example through increased staff and physician training in mobile device security;
  • Document security rule compliance.  

The commenter on Slabodkin's post suggested that vendors need to do a better job protecting physicians using mobile technology. I agree with that. But the vendors are business associates, which, until this year, were not covered under HIPAA. Users have been, and always will be, ultimately responsible for breaches of patient information. And the government clearly has this issue on its radar.

Fortunately, there are steps users can take to better protect data on these oh-so-friendly devices. Let's do it. - Marla (@MarlaHirsch)
