HHS Proposes More Security On Healthcare Mobile Devices - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

12:07 PM

HHS Proposes More Security On Healthcare Mobile Devices

Encryption would have stopped many of the patient data breaches caused by lost smartphones, laptops, and tablets, said Stage 2 Meaningful Use proposal.

Health Data Security: Tips And Tools
Health Data Security: Tips And Tools
(click image for larger view and for slideshow)
In an attempt to eliminate the potential for patient data breaches on mobile devices, the Notice of Proposed Rulemaking (NPRM) for Stage 2 Meaningful Use has proposed that mobile devices, such as laptops, smartphones, and tablets, that retain patient data after a clinical encounter should have default encryption enabled.

Published by the Department of Health and Human Services (HHS) Thursday, the proposed rule for Stage 2 Meaningful Use for the Electronic Health Record (EHR) Incentive Programs noted the increasing number of reported breaches which involve lost or stolen devices.

"We agree that this is an area of security that appears to need specific focus. Recent HHS analysis of reported breaches indicates that almost 40% of large breaches involve lost or stolen devices. Had these devices been encrypted, their data would have been secured," the NPRM for Stage 2 Meaningful Use states.

The HHS Health IT Policy Committee recommended that health delivery organizations take action to review encryption practices of electronic protected health information as part of their risk analysis.

Dr. Farzad Mostashari, head of the Office of the National Coordinator for Health IT (ONC), further explained the proposal at an ONC town hall meeting Wednesday at the annual Healthcare Information and Management Systems Society (HIMSS) conference and exhibition in Las Vegas.

[ Read more from the most important live event in health IT on our HIMSS Special Report page. ]

"There are certification requirements for electronic health records and ... we proposed that there be default encryption of data on end-user devices, unless no data is kept after the session is ended on that end-user device," Mostashari told the audience.

The proposed measure comes amid several reports that confirm a significant number of patient data breaches have occurred due to the loss or theft of mobile devices. One study from the Ponemon Institute found that the frequency of patient data losses at healthcare organizations increased by 32% in 2011 compared to 2010, with 49% of respondents citing lost or stolen computing devices such as laptops, tablets, and smartphones.

"It has become very clear that one of the major sources of breaches of data comes from lost or stolen devices, and you would not be reading about this loss of data had the information been encrypted," said Joy Pritts, ONC's chief privacy officer, during the town hall meeting.

Pritts also said the proposal to encrypt data on mobile devices encapsulates the HIT Policy Committee's efforts to focus on those areas where "a minimum amount of effort would produce a huge amount of impact."

Kevin Whelan, Allscripts' VP of mobility and user experience, said the proposal further shores up data security on mobile devices and notes that "patient data must be encrypted on devices if it's there, however, patient data is more secure if it is not on mobile devices."

Whelan told InformationWeek Healthcare that Allscripts, which has several thousand physicians using mobile apps to access patient data from its EHRs, has developed a service-oriented architecture that supports its objective of not having data reside on devices. Allscripts' mobile technology also supports encrypted data queries.

"For the very short time the data resides on the device, there is a secure link back and forth to the device," Whelan added.

In the meantime, while the risk of patient data loss related to lost or stolen mobile devices has grown, the use of these devices is projected to rise. That trend was evident in the results of the 2012 HIMSS Leadership Survey. One of the questions asked of the 302 health IT professionals was about their top infrastructure priority. Eighteen percent said deploying mobile devices in their healthcare IT enterprise, which was a close second to the 19% of respondents who said their top priority is to deploy servers or virtual servers.

Healthcare providers must collect all sorts of performance data to meet emerging standards. The new Pay For Performance issue of InformationWeek Healthcare delves into the huge task ahead. Also in this issue: Why personal health records have flopped. (Free registration required.)

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
2/27/2012 | 9:37:20 PM
re: HHS Proposes More Security On Healthcare Mobile Devices
Thank you! Most of the so called Health Apps on the stores and markets do not secure PHI and it is past time that they did. This is one of the reasons that FDA and FTC are having to step in to govern.

Jeff Brandt
co-author mHealth: Smartphones to Smartplatforms (HIMSS)
2021 Outlook: Tackling Cloud Transformation Choices
Joao-Pierre S. Ruth, Senior Writer,  1/4/2021
Enterprise IT Leaders Face Two Paths to AI
Jessica Davis, Senior Editor, Enterprise Apps,  12/23/2020
10 IT Trends to Watch for in 2021
Cynthia Harvey, Freelance Journalist, InformationWeek,  12/22/2020
White Papers
Register for InformationWeek Newsletters
The State of Cloud Computing - Fall 2020
The State of Cloud Computing - Fall 2020
Download this report to compare how cloud usage and spending patterns have changed in 2020, and how respondents think they'll evolve over the next two years.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you.
Flash Poll