The healthcare industry is currently exploding with the use of mobile applications for both providers and their patients. This has given rise to concerns over security for these applications as providers struggle to comply with HIPAA regulations. While security is a top concern, it is not stopping providers from developing or planning healthcare mobile applications.
Healthcare apps are used at nurses’ stations, in administrative offices and patient rooms, and by clinical care teams and administrative staff. The industry has found that the use of mobile devices has positively impacted productivity. Despite this, a large group of providers will not be implementing healthcare mobile applications due to security concerns.
How to Tackle Security Problems with Healthcare Mobile Apps
One way to tackle security problems with healthcare mobile applications is to have a mobile device management (MDM) solution in place. This, in turn, has given rise to complaints that MDM providers need to increase their focus on security. Many say MDM providers need to lower the cost of their solutions, while others say they need to improve user training.
On the other side of this equation, patients are increasingly using healthcare mobile applications to manage their interactions with doctors or simply to store sensitive data about their health. Notably, healthcare mobile applications aimed at dementia patients appear to lack the security protocols they require. In a survey, 125 applications were found when searching for “medical + dementia” or “health & fitness + dementia”. Of these 125 applications, just 33 had available privacy policies.
Furthermore, 70 percent described safeguards on data, and approximately three-quarters differentiated between protections for individual versus aggregate data.
“At present, most dementia apps lack privacy policies, and those that do exist lack clarity,” researchers explained. “Bolstering safeguards and improving communication about privacy protections will help facilitate consumer trust in apps, thereby enabling greater use by adults with dementia and their caregivers.”
Previous studies have also shown that mobile health apps may have privacy policies, but they are not easy to find. This could lead to individuals allowing more access to their health data than they actually want.
Despite these apparent issues, healthcare mobile application developers and practitioners have made great strides in creating usable and secure systems that facilitate healthcare data exchange, whether patient records, prescriptions, lab tests, or other routine daily operational data, within application- and web-centric systems. This has given rise to some best practices for securing healthcare mobile applications.
The specter of HIPAA is at the back of every health care provider’s mind, every day, in every interaction. Providers must constantly question whether the information they are sharing, and how they are sharing it, falls within the law’s privacy guidelines. They know that if they aren’t following the rules, they could face significant fines and other consequences.
For many providers, the same care and consideration they give to conversations, emails, and other interactions doesn’t always extend to their mobile device use. Often it is assumptions about device security, believing devices are more secure than they really are, that lead to potential HIPAA violations, not to mention the risk of a data breach. For that reason, it’s important that health care providers and facilities make mobile device security a bigger priority in order to protect patient information and confidentiality.
To help, the Office of the National Coordinator for Health Information Technology created a five-step process for mobile device management: deciding which mobile devices are acceptable to use on your network and will be granted access, assessing the risk that mobile technology presents to the organization, identifying a risk management strategy, developing and documenting a mobile device management plan, and training staff and providers in mobile device security.
Implement User Authentication Controls
One of the biggest dangers to any device, in and outside of healthcare, is inadequate security controls. Locking the device with a passcode and using biometrics can go a long way toward keeping the device’s data safe from prying eyes. Healthcare mobile application providers should use any and all device locking mechanisms to secure devices used for work.
Implement Remote and Automatic Wipe and Lock Capabilities
This should be used for lost devices or after too many failed passcode attempts.
Install Security Programs
With hackers and viruses now targeting mobile devices with the same intensity as desktop computers, it’s important for healthcare professionals to install Internet security software onto their mobile devices as well, to prevent harmful apps and malware from infiltrating the health care networks and compromising protected data.
Whether on a device or an app-by-app basis, data that is stored or transmitted via the device should be encrypted. Email and attachments should also be secured and encrypted to ensure that unauthorized individuals do not see it — even by accident.
Develop an Application Policy
In BYOD environments, controlling the applications installed on personal devices is a touchy subject, but it is vital for health care users to understand the potential risks associated with harmful applications. At the very least, providers must be educated on how to evaluate apps, or how to seek approval for the installation of unapproved apps on devices used for work. File-sharing applications in particular should be banned, and providers prohibited from using unapproved and unsecured file-sharing services to share patient data.
Encourage Regular Updates
Updating operating systems regularly is an important part of any security strategy. Hackers target vulnerabilities in operating systems, and installing updates helps close those holes and protect data. Develop a policy of notifying providers of important updates and enforce update requirements.
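As an added example (not code from the article or any MDM product), the following device-posture check turns the practices above into a single access decision of the kind the ONC’s first step calls for: passcode lock, encryption, remote wipe with a failed-unlock threshold, a minimum patched OS version, and a ban on file-sharing apps. The Device fields, the policy thresholds and the sample devices are assumptions constructed for illustration.

```python
# Added example: evaluate a device's reported posture against the article's
# best practices before granting it access to the clinical network.
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical policy values, chosen for illustration only.
MAX_FAILED_UNLOCKS = 10          # wipe after this many failed passcode attempts
MIN_OS_VERSION = (16, 0)         # oldest OS release assumed to still receive patches
BANNED_APP_CATEGORIES = {"file-sharing"}   # the article bans these outright

@dataclass
class Device:
    name: str
    passcode_set: bool
    biometric_enabled: bool          # recommended, not required by this policy
    storage_encrypted: bool
    remote_wipe_enrolled: bool
    wipe_after_failed_unlocks: Optional[int]   # None = auto-wipe not configured
    os_version: tuple
    installed_apps: dict = field(default_factory=dict)   # app name -> category
    approved_apps: set = field(default_factory=set)      # apps approved for work use

def compliance_violations(d: Device) -> list:
    """Return every policy violation found; an empty list means the device is compliant."""
    v = []
    if not d.passcode_set:
        v.append("no device passcode")
    if not d.storage_encrypted:
        v.append("storage not encrypted")
    if not d.remote_wipe_enrolled:
        v.append("remote wipe/lock not enrolled")
    if d.wipe_after_failed_unlocks is None or d.wipe_after_failed_unlocks > MAX_FAILED_UNLOCKS:
        v.append("auto-wipe threshold missing or too high")
    if d.os_version < MIN_OS_VERSION:
        v.append("OS below minimum patched version")
    for app, category in d.installed_apps.items():
        if category in BANNED_APP_CATEGORIES:
            v.append(f"banned app category installed: {app}")
        elif app not in d.approved_apps:
            v.append(f"unapproved app: {app}")
    return v

def grant_network_access(d: Device) -> bool:
    """Only a device with no violations is admitted to the network."""
    return not compliance_violations(d)

if __name__ == "__main__":
    # Constructed sample device: a personal phone with a file-sharing app installed.
    phone = Device("byod-phone-07", False, False, True, False, None, (15, 4),
                   {"DropShare": "file-sharing", "Notes": "productivity"}, {"Notes"})
    print(grant_network_access(phone), compliance_violations(phone))
```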
In many ways, protecting patient information on mobile devices comes down to the same common-sense principles that one would use to protect his or her own personal data. By treating mobile security with the same care and attention as they would any other form of communication, providers can avoid creating HIPAA violations and costly data breaches.