HHS Proposes More Security On Healthcare Mobile Devices

Encryption would have stopped many of the patient data breaches caused by lost smartphones, laptops, and tablets, says the Stage 2 Meaningful Use proposal.
Health Data Security: Tips And Tools
In an attempt to eliminate the potential for patient data breaches on mobile devices, the Notice of Proposed Rulemaking (NPRM) for Stage 2 Meaningful Use has proposed that mobile devices, such as laptops, smartphones, and tablets, that retain patient data after a clinical encounter should have default encryption enabled.

Published by the Department of Health and Human Services (HHS) Thursday, the proposed rule for Stage 2 Meaningful Use for the Electronic Health Record (EHR) Incentive Programs noted the increasing number of reported breaches which involve lost or stolen devices.

"We agree that this is an area of security that appears to need specific focus. Recent HHS analysis of reported breaches indicates that almost 40% of large breaches involve lost or stolen devices. Had these devices been encrypted, their data would have been secured," the NPRM for Stage 2 Meaningful Use states.

The HHS Health IT Policy Committee recommended that health delivery organizations take action to review encryption practices of electronic protected health information as part of their risk analysis.

Dr. Farzad Mostashari, head of the Office of the National Coordinator for Health IT (ONC), further explained the proposal at an ONC town hall meeting Wednesday at the annual Healthcare Information and Management Systems Society (HIMSS) conference and exhibition in Las Vegas.


"There are certification requirements for electronic health records and ... we proposed that there be default encryption of data on end-user devices, unless no data is kept after the session is ended on that end-user device," Mostashari told the audience.

The proposed measure comes amid several reports that confirm a significant number of patient data breaches have occurred due to the loss or theft of mobile devices. One study from the Ponemon Institute found that the frequency of patient data losses at healthcare organizations increased by 32% in 2011 compared to 2010, with 49% of respondents citing lost or stolen computing devices such as laptops, tablets, and smartphones.

"It has become very clear that one of the major sources of breaches of data comes from lost or stolen devices, and you would not be reading about this loss of data had the information been encrypted," said Joy Pritts, ONC's chief privacy officer, during the town hall meeting.

Pritts also said the proposal to encrypt data on mobile devices encapsulates the HIT Policy Committee's efforts to focus on those areas where "a minimum amount of effort would produce a huge amount of impact."

Kevin Whelan, Allscripts' VP of mobility and user experience, said the proposal further shores up data security on mobile devices and noted that "patient data must be encrypted on devices if it's there, however, patient data is more secure if it is not on mobile devices."

Whelan told InformationWeek Healthcare that Allscripts, which has several thousand physicians using mobile apps to access patient data from its EHRs, has developed a service-oriented architecture that supports its objective of not having data reside on devices. Allscripts' mobile technology also supports encrypted data queries.

"For the very short time the data resides on the device, there is a secure link back and forth to the device," Whelan added.

In the meantime, while the risk of patient data loss related to lost or stolen mobile devices has grown, the use of these devices is projected to rise. That trend was evident in the results of the 2012 HIMSS Leadership Survey. One of the questions asked of the 302 health IT professionals was about their top infrastructure priority. Eighteen percent named deploying mobile devices in their healthcare IT enterprise, a close second to the 19% of respondents who said their top priority is to deploy servers or virtual servers.
