With more covered entities beginning to consider secure texting options or BYOD implementation, it makes sense that certain app security and mobile health security concerns also arise.
However, the implementation process can be done securely, and organizations can take advantage of technical innovations to stay connected and further patient care. Facilities just need to ensure they consider how federal regulations, such as HIPAA rules, apply so that patient data stays secure.
Recent cases of secure messaging implementation
As previously mentioned, both secure texting and secure messaging options are increasing in popularity for providers. OhioHealth is one such organization, and its Mobile Device Deployment Manager James Sturiano told HealthITSecurity.com earlier this year how OhioHealth is utilizing mobile device management (MDM) to ensure security.
OhioHealth does have a BYOD policy, with about 4,000 devices. There are also approximately 1,000 devices that are corporate owned. However, only email, contacts, and calendars are made available to employees who need access to them on a mobile device.
“We use [AirWatch] to secure the corporate owned devices and push various security profiles to each device making sure that the device is encrypted. In certain cases the password has to be on the device. A lot of what we do is manage users, so we may have a group of iPads shared between multiple employees,” Sturiano said.
The University of Louisville (UofL) School of Dentistry also implemented secure messaging options this year. Director of Informatics Christopher Morgan explained that there was a bit of a technology gap at the school, and secure messaging was the necessary bridge.
“We have email, we have a messenger within our EHR system, and those worked really well for what they’re good at,” Morgan said. “For sending longer [secure] messages, there are ways to prioritize them so that they pop up when the user wants to get urgent status. We were really limited by the availability of those other systems.”
Secure messaging also helped ensure that students, staff members, and faculty were not going to be restricted by location. Previously, individuals had to be on-campus or log on through authorized computers in order to use the messenger system within the UofL EHR.
Covenant Medical Group and Covenant Health Partners also implemented secure messaging out of necessity, according to IT Systems Director Seth Crouch, MBA, CPC, CMPE, CHFP.
“The way we decided to roll this out in order to gain adoption, was to get our very busy, high-profile physicians to use this and to start the communication process that way,” Crouch said. “And they did. That sort of set the stage up for everyone else below them, where if they wanted to talk to these high-profile physicians, they had to use PerfectServe.”
When making the case for why Covenant should take advantage of secure messaging, Crouch explained that he emphasized the PHI security benefits. Standard SMS texting would not be able to promise that same security.
The debate over secure texting for physician orders
A key highlight in 2016 for mobile health security was when the Joint Commission on Accreditation of Healthcare (JCAHO) lifted its ban on clinician secure texting and secure messaging options. Specifically, JCAHO said that physician orders could be sent through secure messaging. However, certain components must be in place.
The decision did not last long, though, as JCAHO reversed it just a couple of months later.
More guidance is needed “to ensure a safe implementation involving the secure texting of orders for those organizations desiring to employ technology supporting this practice,” federal officials explained in the JCAHO June newsletter.
“The Joint Commission and CMS will develop a comprehensive series of Frequently Asked Questions (FAQ) documents to assist health care organizations with the incorporation of text orders into their policies and procedures,” the newsletter stated. “This guidance information is designed to supplement the recommendations in the May 2016 Perspectives article permitting the use of secure text messaging platforms to transmit orders.”
When JCAHO first announced the lift on using secure messaging for physician orders, some industry stakeholders praised the move.
TigerText CEO Brad Brooks told HealthITSecurity.com in a May 2016 interview that providers were beginning to organically gravitate toward using secure messaging in more ways.
“This has been a major friction point, or impediment to more comprehensively integrating and adopting messaging within the healthcare workflow,” Brooks explained.
What are potential mobile device security concerns?
Mobile device security concerns have certainly continued to grow as more covered entities implement BYOD policies and adopt more mobile options.
For example, the Spyglass Point of Care Communications for Nursing 2016 survey found that hospitals may not be entirely confident in their ability to keep information on mobile devices secure. Specifically, 82 percent of respondents said they had grave concerns about their ability to support and protect mobile devices, patient data, and the hospital’s technology infrastructure as a result of the growing threat of cybersecurity attacks.
Surveyed hospitals said they were worried about both personally owned mobile devices and hospital-owned and managed devices.
Even so, 71 percent of respondents said that mobile communications is an emerging investment priority, largely fed by patient-centered care models and value‐based purchasing adoption.
It is also important for individuals to take care as they use personal fitness devices, as lackluster security policies could make their personal information more readily available to third parties than originally realized.
Earlier this year, the Office of the National Coordinator (ONC) also discussed potential legal concerns with mobile security, and how it should be a key consideration as technologists, clinicians, or even patients work on developing healthcare applications.
The ONC created an online tool in collaboration with the Federal Trade Commission (FTC), the Food and Drug Administration (FDA) and the HHS Office for Civil Rights (OCR).
“This interactive tool helps guide developers through a short assessment of their app with a series of questions about the nature of the app, including its function, the data it collects, and the services it provides to its users,” ONC Chief Privacy Officer Lucia Savage, JD and ONC Senior Health Information Privacy Program Analyst Helen Caton-Peters, MSN, RN explained in a blog post.
Mobile application developers must also be sure to consider HIPAA regulations, and whether or not they would apply. Furthermore, any laws or regulations in regard to the FTC, FDA and the OCR “all could influence the development of a new health-related product.”
“As the number of mobile health products available today continues to rise, it’s important to clarify for developers how FDA and other agencies’ regulations would apply to their app,” said Bakul Patel, associate director for digital health in the FDA’s Center for Devices and Radiological Health. “This effort is part of the FDA’s continued commitment to protecting patient safety while encouraging innovation in digital health.”