Mobile
News
2/24/2012
12:07 PM
Connect Directly
RSS
E-Mail
50%
50%

HHS Proposes More Security On Healthcare Mobile Devices

Encryption would have stopped many of the patient data breaches caused by lost smartphones, laptops, and tablets, said Stage 2 Meaningful Use proposal.

Health Data Security: Tips And Tools
Health Data Security: Tips And Tools
(click image for larger view and for slideshow)
In an attempt to eliminate the potential for patient data breaches on mobile devices, the Notice of Proposed Rulemaking (NPRM) for Stage 2 Meaningful Use has proposed that mobile devices, such as laptops, smartphones, and tablets, that retain patient data after a clinical encounter should have default encryption enabled.

Published by the Department of Health and Human Services (HHS) Thursday, the proposed rule for Stage 2 Meaningful Use for the Electronic Health Record (EHR) Incentive Programs noted the increasing number of reported breaches which involve lost or stolen devices.

"We agree that this is an area of security that appears to need specific focus. Recent HHS analysis of reported breaches indicates that almost 40% of large breaches involve lost or stolen devices. Had these devices been encrypted, their data would have been secured," the NPRM for Stage 2 Meaningful Use states.

The HHS Health IT Policy Committee recommended that health delivery organizations take action to review encryption practices of electronic protected health information as part of their risk analysis.

Dr. Farzad Mostashari, head of the Office of the National Coordinator for Health IT (ONC), further explained the proposal at an ONC town hall meeting Wednesday at the annual Healthcare Information and Management Systems Society (HIMSS) conference and exhibition in Las Vegas.

[ Read more from the most important live event in health IT on our HIMSS Special Report page. ]

"There are certification requirements for electronic health records and ... we proposed that there be default encryption of data on end-user devices, unless no data is kept after the session is ended on that end-user device," Mostashari told the audience.

The proposed measure comes amid several reports that confirm a significant number of patient data breaches have occurred due to the loss or theft of mobile devices. One study from the Ponemon Institute found that the frequency of patient data losses at healthcare organizations increased by 32% in 2011 compared to 2010, with 49% of respondents citing lost or stolen computing devices such as laptops, tablets, and smartphones.

"It has become very clear that one of the major sources of breaches of data comes from lost or stolen devices, and you would not be reading about this loss of data had the information been encrypted," said Joy Pritts, ONC's chief privacy officer, during the town hall meeting.

Pritts also said the proposal to encrypt data on mobile devices encapsulates the HIT Policy Committee's efforts to focus on those areas where "a minimum amount of effort would produce a huge amount of impact."

Kevin Whelan, Allscripts' VP of mobility and user experience, said the proposal further shores up data security on mobile devices and notes that "patient data must be encrypted on devices if it's there, however, patient data is more secure if it is not on mobile devices."

Whelan told InformationWeek Healthcare that Allscripts, which has several thousand physicians using mobile apps to access patient data from its EHRs, has developed a service-oriented architecture that supports its objective of not having data reside on devices. Allscripts' mobile technology also supports encrypted data queries.

"For the very short time the data resides on the device, there is a secure link back and forth to the device," Whelan added.

In the meantime, while the risk of patient data loss related to lost or stolen mobile devices has grown, the use of these devices is projected to rise. That trend was evident in the results of the 2012 HIMSS Leadership Survey. One of the questions asked of the 302 health IT professionals was about their top infrastructure priority. Eighteen percent said deploying mobile devices in their healthcare IT enterprise, which was a close second to the 19% of respondents who said their top priority is to deploy servers or virtual servers.

Healthcare providers must collect all sorts of performance data to meet emerging standards. The new Pay For Performance issue of InformationWeek Healthcare delves into the huge task ahead. Also in this issue: Why personal health records have flopped. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
jbrandt977
50%
50%
jbrandt977,
User Rank: Apprentice
2/27/2012 | 9:37:20 PM
re: HHS Proposes More Security On Healthcare Mobile Devices
Thank you! Most of the so called Health Apps on the stores and markets do not secure PHI and it is past time that they did. This is one of the reasons that FDA and FTC are having to step in to govern.

Jeff Brandt
co-author mHealth: Smartphones to Smartplatforms (HIMSS)
InformationWeek Elite 100
InformationWeek Elite 100
Our data shows these innovators using digital technology in two key areas: providing better products and cutting costs. Almost half of them expect to introduce a new IT-led product this year, and 46% are using technology to make business processes more efficient.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Must Reads Oct. 21, 2014
InformationWeek's new Must Reads is a compendium of our best recent coverage of digital strategy. Learn why you should learn to embrace DevOps, how to avoid roadblocks for digital projects, what the five steps to API management are, and more.
Video
Slideshows
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
A roundup of the top stories and trends on InformationWeek.com
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.