Healthcare organizations not only have to contend with protecting patient health information on their own health IT, but also have to worry about data stored on physicians' and others' mobile devices, according to a panel discussion at the Fourth Annual mHealth World Congress in Boston this week, mHIMSS.org reported.
HIPAA and other privacy and security laws were enacted before the surge in mobile device use, and don't incorporate the challenges of using them, warns panelist Deven McGraw, director of the Health Privacy Project at the Center for Democracy and Technology.
Other issues affecting the security and privacy of patient information on mobile devices include providers often not using the security features built into their devices, and the devices themselves often not being kept secure, leaving them vulnerable to loss or theft.
John Halamka, M.D., professor of medicine at Harvard Medical School and CIO at Beth Israel Deaconess Medical Center, also speaking on the panel, noted that the cost of dealing with a security breach is greater than the cost of securing the personal device in the first place.
Halamka recently issued a post saying that simply having a policy to protect the security of mobile devices is not enough, and as a result BIDMC is launching an initiative to better protect mobile devices connecting to the Center's network. The minimum requirements include password protection on the devices, a time-out feature requiring the password to be re-entered, anti-malware protection, disabling of unnecessary software and features such as Bluetooth, encryption, continual custody of the device, and no use of the cloud for backup.
BIDMC recently suffered a breach when a laptop was stolen from one of its physicians, putting the data of 3,900 patients at risk. And last year a computer virus put the records of more than 2,000 patients at risk.