Healthcare Information Security

What Are Top Mobile Health Security Concerns in 2016?

"‘What are we going to allow? What aren’t we going to allow?’ You need to start from there and then evolve.”

Mobile health security has continued to grow with numerous advances in technology, and that trend will likely last into 2016.

Mobile health security concerns for 2016 will likely consist of similar issues from 2015

More providers are encouraging the use of mobile devices, and more consumers are looking for ways to become more involved in their own health through the use of smartphones and patient portals.

But what are the top mobile health security concerns for the new year? Will the same types of health data breaches continue, or will providers find a way to securely use mobile devices?

HealthITSecurity.com took a look back into the top mobile security stories for 2015, to see what could potentially await healthcare organizations and their patients in 2016.

Maintaining HIPAA compliance

While the majority of the top data breaches from 2015 involved cybersecurity threats and hacking from third-parties, HIPAA compliance is still a key issue when it comes to mobile device security.

Technical safeguards are essential for healthcare organizations of all sizes, and as BYOD strategies increase, they are even more important.

For example, HealthITSecurity.com contributor Bill Kleyman explained in an article that in order to create a secure mobile healthcare worker, it is important to not rely on the user to necessarly have the best security practices in mind. Instead, implementing a platform that allows organizations to control how data is passed between the enterprise network layer and the variety of end-point devices could be beneficial.

“You can port users from a medical group to one set of servers and network devices, while allowing guests to access a segmented network for very limited access,” Kleyman wrote. “All of this is done intelligently through policy controls. It helps keep your healthcare environment up and running while still dealing with the vast number of new kinds of devices.”

Essentially, covered entities - and their business associates - must ensure that they take the necessary time to implement compliant technical options. Do not use smartphones simply for the sake of having a BYOD policy. Employees at all levels need to be properly trained and understand how to keep sensitive data secure.

Moreover, technical safeguards such as mobile device management (MDM) and data encryption could help organizations protect patient data. Staff members must also know what their facility’s policy is on removing mobile devices from the premises. A stolen laptop or cell phone could lead to HIPAA violations, and potential OCR fines.

Stoddard Manikin, MBA, CISM, CISSP, Director of Information Systems Security at Children’s Healthcare of Atlanta, also explained to HealthITSecurity.com in an interview last year that covering “the basics” is essential to mobile security.

“You just need to decide, ‘What are we going to allow? What aren’t we going to allow?’” Manikin said. “You need to start from there and then evolve.”

Healthcare organizations should start with securing their email, calendars, and contacts. From there, mobile applications and other mobile device options can be added.

Secure messaging options will likely continue

Many healthcare organizations opted for secure messaging in the last year, such as Annapolis Internal Medicine. Dr. Kevin Groszkowki explained to HealthITSecurity.com that the secure messaging option through athenaText helped improve communication throughout the entire practice.

"The platform we chose has been great for us because it allows us to communicate as solid unit," Groszkowki said. "Our clinical support staff can instantly reach physicians and NPs and vice versa. Previously, we had been using everything from iMessage to chat programs like Yahoo chat and Google chat, but they’re not HIPAA-compliant, which severely limited what we could actually say about a patient."

Moreover, Annapolis Internal Medicine has the ability to send pictures for consults, send alerts when patients arrive to pick up prescriptions, and text reminders to fill out patient charges. Groszkowki added that everything from clinical decision support to office support benefitted by the switch.

However, as previously mentioned, HIPAA compliance cannot be overlooked. Simply implementing a texting option does not ensure compliance with federal regulations. In fact, a study from last year found that most physician secure messaging apps are not HIPAA compliant.

An Infinite Convergence Solutions, Inc. study took data from 500 industry professionals on their professional messaging habits to see the kinds of platforms, messaging services, and security measures that are taken into account when communicating between physicians at a healthcare practice.

Half of respondents said that their organization had no official mobile messaging platform, while 83 percent explained that their organization does not suggest which third-party platform they should use.

“Healthcare institutions need to get serious about meeting their employees' needs and providing a secure, internal messaging platform that not only allows HIPAA compliance, but also replaces outdated communication systems, like pagers, in order to increase productivity and serve patients faster,” said Infinite Convergence Solutions CEO Anurag Lal.

Account for human error

Another top issue discussed last year, that will likely continue into 2016, is human error. Even with the best technical safeguards in place, one employee who was not properly trained or who simply made a mistake could still lead to a health data breach.

Jeffrey Wilson, Director of Information Services, Assurance and IT Security at Albany Medical Center said in an interview with HealthITSecurity.com that not only is employee training important for secure mobile and BYOD policies, but so is employee security awareness.

“As you look at where we’re at in terms of technology, information, information security, and the healthcare landscape in general, the one thing that we can’t engineer for is people,” Wilson said. “There are no controls that we can put in place.”

Marty Edwards, MS, CHC, CHPC, Compliance Officer at Dell Services Healthcare and Life Science division, had similar misgivings when it comes to the “human factor” in healthcare.

A lack of knowledge about HIPAA could be harmful, Edwards explained, and covered entities need to ensure that employees are only accessing the information that is absolutely necessary for their particular job function.

“You have to keep in mind that all the users that have access to that data have a role or responsibility, and are using that information for a specific purpose,” Edwards said. “So it’s up to those users to make sure that they follow the necessary processes, procedures and policies in place for the disclosure of that information.”

Learn from past mistakes

Technology will only continue to evolve, and healthcare organizations will need to work to remain current. However, HIPAA compliance cannot be overlooked.

Whether a facility wants to implement BYOD, secure messaging, or another type of advancement, it is important to monitor employee training and how federal, state, and local regulations change. Especially with the next round of OCR HIPAA audits scheduled to take place this year, understanding where ePHI is stored is essential.

Mobile health security issues will still exist in 2016, but by taking the time to learn from past mistakes, healthcare organizations can work toward a more secure experience.