As covered entities and business associates continue to adopt mobile security strategies, it can be increasingly difficult to find tools that are innovative but do not compromise security.
Mobile app privacy and security, along with maintaining HIPAA compliance, are often the top concerns for healthcare organizations when it comes to overall mobile security.
Even if a covered entity has a mobile device management (MDM) solution, it just takes one staff member to download an unsecured app to potentially compromise patient data.
Or an organization may start using an app that is not in fact HIPAA compliant. Sensitive data could become exposed, which may even lead to the entity facing an OCR HIPAA settlement for potential violations.
By reviewing common concerns and what federal tools have been put in place to help providers overcome them, covered entities and business associates can work toward implementing strong and current mobile security strategies.
Understanding mobile app security concerns
Healthcare application security is one of the top pain points for covered entities that are looking to implement mobile options. Organizations want physicians and staff members to utilize smart phones and tablets, but also want to ensure that ePHI and patient data remain secure.
A study released in early 2017 found that more than one-quarter of IT decision makers were not fully confident in their organization’s MDM solution.
The survey was released by Jamf and conducted by Vanson Bourne, with researchers interviewing 550 global healthcare IT decision makers within organizations of all sizes in the US, UK, France, Germany, and Australia.
Eighty-four percent of respondents agreed that their organization is HIPAA compliant; however, approximately half said they are not very confident in their organization’s ability to quickly adapt to changing regulations.
Furthermore, 83 percent of those surveyed identified security as their top concern with mobile devices for employees, while 77 percent listed data privacy as a key worry. Forty-nine percent stated that inappropriate employee use of devices was their top concern.
Similarly, a Substitutable Medical Applications, Reusable Technology (SMART) Health IT study from February 2017 found that privacy and security with third-party healthcare apps was a key provider concern.
KLAS interviewed clinical leadership at larger healthcare organizations about how they currently use apps, what they would like to see in the future, and what concerns they have with healthcare apps.
Approximately half of the respondents said that healthcare app privacy and security was a key worry, followed by app credibility and ongoing app maintenance.
“For years, healthcare providers have been adopting increasingly integrated healthcare IT (HIT) suites from a single vendor, but healthcare apps buck this trend, with many organizations looking to third-party vendors to supply niche solutions to improve organizational efficiency and patient care,” the report’s authors wrote. “The recent passage of the 21st Century Cures Act, which states that a year from now open APIs will be necessary for EHR system certification, is expected to drive further growth in the app ecosystem.”
Healthcare organizations must ensure that they are using apps that already have necessary privacy and security measures built in. Staff members at all levels need to be properly trained, and should not download apps that have not been cleared by an entity’s IT or security department.
Maintaining HIPAA compliance with mobile apps, devices
HIPAA compliance is another top pain point for healthcare organizations that are trying to implement mobile devices. Convenience and usability are key for daily operations, but that ease of use cannot come at the expense of data security. The right balance must be found.
The ONC released an online tool and guidelines to help clarify potential legal concerns and ease provider worry over mobile app security.
ONC collaborated with the Federal Trade Commission (FTC), the Food and Drug Administration (FDA) and OCR to create the tool, and said that mobile apps must be created in a secure way.
“This interactive tool helps guide developers through a short assessment of their app with a series of questions about the nature of the app, including its function, the data it collects, and the services it provides to its users,” wrote ONC Chief Privacy Officer Lucia Savage, J.D. and ONC Senior Health Information Privacy Program Analyst Helen Caton-Peters, MSN, RN.
Mobile app developers must understand how HIPAA regulations would potentially apply to mobile applications, as well as how any apps would be affected by the FTC Act, the FTC’s Health Breach Notification Rule, and the Federal Food, Drug and Cosmetics Act (FD&C Act).
ONC also published a report that discussed companies that offer wearables, mobile health apps, and websites that publish health data.
Sidley Austin LLP Partner Anna Spencer explained in an earlier interview with HealthITSecurity.com that, according to the report, when health technology is used by a covered entity, such as a healthcare provider, and that technology collects, stores, or uses individually identifiable health information, the health information on the device is protected by the HIPAA rules.
“Thus, health technology used by individuals to manage their own health, but not offered or provided to the individual by a HIPAA covered entity or business associate, is outside of HIPAA's scope,” Spencer said.
Foley Hoag attorney Jeremy Meisinger added that healthcare organizations must determine exactly whether HIPAA applies to the type of information that a device is gathering.
“There can be a potential for, just whenever there is something vaguely health related, this assumption that it creates something like a health record, to which HIPAA is applicable,” Meisinger stated. “Any company developing some type of technology like that, or developing an app that works in tandem with something like that, wants to be really clear with what is being gathered.”
Whether a healthcare provider is utilizing wearables or smart phones, understanding how the devices use and store sensitive data is critical. Understanding how state and federal laws apply to mobile devices will also help ensure that organizations remain compliant.