Securing PHI in the Mobile Age

Mobile devices have become go-to tools for clinicians because they enable ready access to the right information when and where it’s needed most, improving patient care and lowering healthcare costs in the process. Along with this proliferation of devices, and the growing prevalence of mobile health applications, comes a timely reminder that those of us trafficking in PHI need to keep privacy and security top of mind.

We know, for example, that smartphones, tablets, and other devices are now firmly entrenched in the industry. Clinicians routinely access medical journals, images, and lab results while collaborating with specialists right at the point of care.

Increasingly, these same devices are also proving helpful for engaging patients on a variety of conditions, so we can expect this trend to continue as both clinicians and health consumers become more adept with mobile tools.

At the same time, the uptake of mobile applications related to health care is skyrocketing, with mHealth apps projected to become an integrated part of physicians’ treatment plans by 2017, according to a report from Research and Markets. Another industry survey pegged the implementation of mobile EHR access at 53 percent, a significant step up from just a year ago. And everybody knows we’re just getting started.

While such reports bode well for healthcare’s overarching transformation, the accompanying responsibility to safeguard protected health information intensifies with each step forward. As app developers contend with guidelines from the FDA and NIST, caregiving institutions are charged with maintaining privacy and security.

Larger, more sophisticated healthcare organizations are well versed in managing sensitive data, but many institutions are learning as they go. Beyond working to make sensitivity to security and privacy issues part of their workplace culture, loading up on data breach insurance, and leveraging the various resources available to them, those maintaining PHI subject to HIPAA might consider reassessing their risk analysis and management efforts.

My thinking here is that while every U.S.-based healthcare organization engages in risk analysis where HIPAA is concerned—usually with a focus on where PHI is received, maintained, transmitted, and disposed of—a rapidly evolving mobile landscape brings with it challenges that will outpace OCR guidance.

For proactive healthcare institutions working to improve the care experience, the first step toward building (and maintaining) a robust security program rests with risk analysis and management. Periodic adjustments, based on input from OCR and industry resources, could help mitigate threats that could exploit vulnerabilities specific to mobile.

With that in mind, what steps is your healthcare organization taking to ensure its security program stays current with mobile developments?

As a B2B journalist, John Farrell has covered healthcare IT since 1997 and is Intel’s sponsored correspondent.