Mobile phones, personal tablets, and high-tech devices are part of our everyday lives. This is also becoming the case in the healthcare industry. The term mHealth, short for mobile health, is defined by HIMSS as “the use of mobile and wireless devices to improve health outcomes, healthcare services and health research”. Employees and organizations alike can benefit from increased productivity and lower costs from mobile device usage in the healthcare space.
However, mobile devices pose a large risk to protecting medical information and maintaining HIPAA compliance. These devices can be used to communicate unauthorized patient information or download company data, and they can be stolen by an employee or outsider. These unique risks associated with mHealth require effective strategies to guard against data breaches.
Creating a BYOD Policy to Manage mHealth
Establishing a Bring Your Own Device (BYOD) policy is a good start to addressing potential data security risk points. A proper BYOD policy will address basic employee-employer risk as well. Questions such as what devices are allowed, who owns the data, and who is responsible for lost hardware can be addressed in a user agreement.
With so many risk points around security, there are several topics that should be included in every BYOD policy. Issues to be covered should include:
- Approved devices
- Required security applications
- Staff training
- Liability definitions
Another approach is implementing mobile device management (MDM) software. This may be a good investment to manage the entirety of mobile device security for a large organization.
Protecting mHealth from Security Threats
In addition to a BYOD policy, there are other best practices to protect mobile devices from potential data security breaches. Here are a few ideas that can be implemented fairly quickly and show immediate results when it comes to protecting data:
- Physical Protection and Encryption: A common best practice to guard against unauthorized access to patient information is the use of an encrypted password. Mobile devices can be configured to require personal identification numbers, passwords, and usernames to gain access. This step alone can help safeguard protected health information (PHI) from theft and unapproved access. Additionally, installing a firewall on mobile devices will help stop outside connection attempts from accessing information.
- Communication Protocols: Mobile device usage must also protect information that is being sent to and received from others. It is recommended that an encryption tool be installed on all mobile devices. This will help protect PHI that is being transmitted from and received by each device. Another best practice is to secure Wi-Fi networks that broadcast over a facility’s physical location. This can also be done by installing encryption software and enabling a password feature to connect with the network. Public Wi-Fi networks can be accessed by anyone and are an easy access point for unwanted security intrusions.
- Preventative Measures: In addition to protecting mobile device access and network connections, it is prudent to be proactive with strong security measures. There are many security programs available on the market. Purchasing and installing a top-end security program is not enough. Regularly updating the security software will go a long way in staying ahead of potential malware and cyber-attacks on each mobile device. Another important best practice in preventing security breaches is to create a list of pre-approved (or conversely unapproved) downloadable applications. Many mobile devices have the ability to access and download thousands of unregulated applications. Creating a policy that clearly states which applications are acceptable will reduce the risk of stolen patient information.
mHealth continues to be a viable option for healthcare providers. The flexibility of using mobile devices allows professionals to administer care more efficiently and is oftentimes more cost-effective. However, mobile data creates new risk points to PHI security that must be addressed. Creating policies and diligently reviewing safeguards will better limit the risk of data breaches due to mobile devices. As with any implementation, it is important to evaluate these security concerns before embracing mHealth as a solution.