Despite allure of mobile devices, doctors must be vigilant about security

This time of year, it's easy to get caught up in the shopping frenzy surrounding the holidays. As a self-confessed gadget freak, my particular weakness is consumer electronics and all those mobile devices and applications that I spend so much time contemplating and writing about. The technology seems to permeate every aspect of our lives these days, and for me it never loses its "cool" factor.

Healthcare providers certainly are no different than the rest of us in this regard. They, like so many millions of us, are the proud owners of smartphones, tablets, and other mobile devices that allow them to enjoy all the modern conveniences and powerful apps that these wireless platforms afford. Yet, while these devices might be used by doctors in their personal lives, bringing them into their professional lives and using them at work should give physicians pause.

There's a little thing called the Health Insurance Portability and Accountability Act, whose privacy and security rules govern the handling of patient information. Unfortunately, for too many healthcare providers, the line between their personal and professional worlds has been blurred. If a doctor owns a smartphone and uses it outside of the office, it's only natural that they also would want to use it in their medical practice.

Bring-your-own-device is an mHealth strategy embraced by many organizations that encourages this kind of behavior. By merging the two communication environments--inside and outside the medical setting--physicians have the potential of getting into trouble.

A recent national survey by the University of Kansas School of Medicine-Wichita found that more than half of responding doctors send or receive work-related text messages, and nearly 46 percent of respondents said they worried HIPAA rules could be violated by sending and receiving patient information. While many institutions have encryption software for email, few have it for text messaging.

When HIPAA was first enacted, smartphones were not widely used. Now, according to the Office of the National Coordinator for Health IT, more than 80 percent of physicians use smartphones or tablets, but very few actually take basic security precautions, such as using encryption to protect their data from unauthorized users.

Smartphones, like other devices, must comply with HIPAA to protect the confidentiality of electronic protected health information, which means adopting and implementing adequate policies and procedures. Nevertheless, studies of out-of-the-box security configurations conducted by ONC have found that most mobile phones do not meet more than 40 percent of security requirements, such as the ability to encrypt information.

After manual configuration, ONC test results for these devices improved significantly, especially for iPhone and Blackberry models, which met 60 percent of the security requirements. However, other phones did not fare as well after manual configuration.

For these reasons, and others, healthcare professionals and their organizations need to establish strict policies governing the use of mobile devices at work, at home, and out in public. These policies must ensure compliance with HIPAA security rules that safeguard the privacy of patient information. The temptation is too great for doctors to use their personal devices in a medical capacity in which data goes unprotected. - Greg