New HIPAA rule falls short in protecting mobile patient information

The U.S. Department of Health & Human Services announced the final omnibus rule for the Health Insurance Portability and Accountability Act last week. Much has changed in 15 years since HIPAA was first passed into law, not the least of which is the use of mobile technology in healthcare.

Of course, when HIPAA was first enacted smartphones were not widely used. Today, they can only be described as ubiquitous. Not surprisingly, a recent survey of healthcare organizations found that nearly 70 percent of respondents expressed concern specifically about the security of electronic protected health information on smartphones.

One would think that in putting together the "most sweeping changes" to the HIPAA Privacy and Security Rules since they were first implemented, HHS would have taken that into account. But there are important security considerations that are not sufficiently addressed in the new legislation, particularly as they relate to mobile healthcare.

Mobile devices can be easily lost or stolen, and the ability to remotely wipe sensitive patient data is a particularly critical security capability for smartphones and tablets. HHS missed a major opportunity to strengthen protection for health information with a mandatory remote wipe requirement.

Previously, I referenced the U.S. Federal Information Processing Standards (FIPS) 140-2 used to accredit cryptographic modules required for use in government communications systems to protect sensitive data. FIPS 140-2 not only meets the HIPAA standard but, in fact, exceeds HIPAA's requirements with CMD peripheral control and remote wipe capabilities.

In addition to the security of information contained on a lost or stolen device, the security of information transferred over wireless networks and the security of applications that run on the devices are important. However, according to AirStrip CEO Alan Portela, who spoke to FierceMobileHealthcare at the 2012 mHealth Summit last month, "people who are going to break into a system are not going to break in through the app," but through the operating system, "where the vulnerabilities are."

Portela says auditing is another HIPAA shortcoming. With HIPAA, "you need to keep an audit trail on everything that people are doing on the system level, but there are a lot of things that happen on the operating system level that are not addressed by HIPAA. That is a huge risk," he said.

As HHS Secretary Kathleen Sebelius said in a statement announcing the new omnibus rule, much has changed in healthcare since HIPAA was enacted more than fifteen years ago. Unfortunately, it seems the more things change, the more they stay the same on the regulatory front.

The new HIPAA rule, like the old one, doesn't go far enough to address the security realities and vulnerabilities in today's mobile health environment. HHS should be emulating what the government is doing with FIPS 140-2. What was needed from HHS in the form of a new rule was "HIPAA on steroids." What we got instead was the old rule with a cosmetic facelift. - Greg (@Slabodkin)