Mobile Devices: A Dangerously Weak Link in mHealth Data Security
Hospitals continue to suffer major data breaches – earning negative headlines and possible costly fines. Their embrace of mobile healthcare (mHealth) solutions is only exacerbating the security risks. So why aren’t more healthcare providers – hospitals, physicians, EMT, etc. – instituting stringent security mechanisms? Especially on their much beloved, but easily misplaced, mobile devices?
One answer seems to be a simple lack of awareness. Traditionally, an IT laggard, the healthcare industry is being driven by HIPAA (Health Insurance Portability and Accountability Act) and HITECH (Health Information Technology for Economic and Clinical Health Act) legislation to digitize its health records. Caregivers, in turn, recognize the many benefits of now being able to access these digital records on their mobile devices. Unfortunately, some parties did not seem to realize that new security measures had to be put in place before data could safely go mobile. Mobile devices can be lost, stolen, and hacked. The result? Vulnerable patient information, vulnerable caregiver information, vulnerable healthcare facility information.
Another reason for the lack of serious mobile security implementations is the perceived cost. However, healthcare providers are realizing fast that stingy upfront budgeting can have costly negative repercussions. Healthcare providers can be fined up to $1.5 million and/or put in prison for up to five years if they do not comply with HIPAA standards for securing and protecting patient data. Under HITECH, they can also lose government funding and be publicly shamed on a list of security breach incidents maintained by the government.
The losses, in terms of both money and professional reputation, can be devastating.
Mobile technology is not going away. The increasing percentage of physicians using smartphones and tablets on the job is clear proof of that. And application developers continue to create fascinating apps that include drug and clinical references, ever more sophisticated diagnostic tools, and real-time patient record-keeping. The genie is out of the bottle. Now mobile devices – both those belonging to the facility and those that are owned by the individual users -- have to be secured.
We had a briefing from the experts at Apriva (www.apriva.com) the other day who described their mobile device security suite – including a two-factor authentication smartcard reader plus software applications for secure email and VoIP calls via the mobile device. Apriva has secured classified government communications for years, and now sees the need for the same high level of security products in the healthcare sector.
The solutions are out there ready to be deployed. Now it's time for healthcare providers to get smart on their security alternatives and loosen the purse strings.