Mobile Health Implementation
Mobile health (also known as m-health or mHealth) implementation is a term used in reference to planning, designing and integrating mobile health technologies (both hardware and software) into a healthcare or healthcare-related organization. Mobile health implementation is the process of using mobile wireless devices (mDevices), applications and related technologies to improve communication and the delivery of healthcare.
- 1 Evaluating Mobile Technology
- 2 mDevice Applications for Use
- 3 HIPAA Security Requirements
- 4 Security Risks
- 5 Security Measures
- 6 Mobility Trends in Healthcare
- 7 Sources
- 8 References
Evaluating Mobile Technology
Diversenet, a mobile technology company, has developed 10 questions that can be used to better evaluate a mobile health vendor and its product's level of compliance with HIPAA regulations. The questions listed here are taken directly from the Mobile Health and Security White Paper.
- Do you provide security for PHI data over and above the general security features of the phone’s mobile browser and application platform?
  - If so, what forms of data security do you include in your solution?
    - Data encryption
    - Strong (two factor) authentication for the user and the server
    - Integrity and Non-Repudiation of PHI – Assurance that PHI data has not been changed or opened by an unauthorized party
- If you provide encryption for PHI data as part of your solution, is the encryption end-to-end from the secure server to a secure client on the mobile device? Is data encrypted while stored on the mobile device?
- Does your solution support encrypted text messaging (SMS)?
- Can your solution be extended to protect PHI data in multiple applications (including those from other vendors) and mobile browsers, or is it limited to use with the solutions that you offer?
- Do you provide a method for your customers to remotely delete all covered PHI data from lost or stolen devices?
- On what mobile devices does your solution currently operate? If there are some mobile devices that are not covered, how is PHI data on these devices supposed to be protected?
- Is your company primarily focused on the healthcare sector and the protection of mobile health data and services?
  - If you provide a general mobile security or other services for multiple industries, what percentage of your customers are in healthcare?
- Can you provide reference accounts that have moved beyond pilot projects and fully implemented your solution?
- What security standards are utilized in your solution?
  - Have you received any security certifications?
- Does your solution provide all of the Technical Safeguards listed in the HIPAA Security Rule (both Required and Addressable)?
  - If not, what Safeguards are not provided?
mDevice Applications for Use
- Patients have to agree to use mDevices
- Who is responsible for communication triage?
- What is an acceptable response time?
- Are there topics that should be disallowed such as HIV?
- Physician/patient communication should be part of the EHR
- Can patients elect to exclude some electronic communications from their personal record?
- Allows access to decision support
- Allows access to electronic prescribing systems
- Will the size of small keyboards and touch screens create data integrity issues?
- What documentation standards will be allowed (free text vs. structured text)?
- Better communication patterns between patients and clinicians can promote better health; however, medical urgency must be managed.
Personal Health Record
- Continuous communication with clinician
- Better access to personal health information
- Able to schedule appointments, view test results and reorder prescriptions.
- Education Programs
- Emergency care
- Public health
- Pharma/clinical trials
- Body area networks (BAN)
HIPAA Security Requirements
The HIPAA Security Rule requires all covered entities "to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting e-PHI [electronic protected health information]." The following requirements are taken directly from the HIPAA Security Rule.
- Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit
- Identify and protect against reasonably anticipated threats to the security or integrity of the information
- Protect against reasonably anticipated, impermissible uses or disclosures
- Ensure compliance by their workforce
- Security Management Process. Covered entities must identify and analyze potential risks to e-PHI, as well as implement security measures that reduce risks and vulnerabilities to a reasonable and appropriate level. Each covered entity must also designate a security official who has the responsibility for developing and implementing its security policies and procedures
- Information Access Management. Consistent with the Privacy Rule standard limiting uses and disclosures of PHI to the "minimum necessary," the Security Rule requires a covered entity to implement policies and procedures for authorizing access to e-PHI only when such access is appropriate based on the user or recipient's role (role-based access).
- Workforce Training and Management. A covered entity must provide for appropriate authorization and supervision of workforce members who work with e-PHI. A covered entity must train all workforce members regarding its security policies and procedures, and must have and apply appropriate sanctions against workforce members who violate its policies and procedures.
- Evaluation. A covered entity must perform a periodic assessment of how well its security policies and procedures meet the requirements of the Security Rule.
- Facility Access and Control. A covered entity must limit physical access to its facilities while ensuring that authorized access is allowed.
- Workstation and Device Security. A covered entity must implement policies and procedures to specify proper use of and access to workstations and electronic media. A covered entity also must have in place policies and procedures regarding the transfer, removal, disposal, and re-use of electronic media, to ensure appropriate protection of electronic protected health information.
- Access Control. A covered entity must implement technical policies and procedures that allow only authorized persons to access electronic protected health information.
- Audit Controls. A covered entity must implement hardware, software, and/or procedural mechanisms to record and examine access and other activity in information systems that contain or use e-PHI.
- Integrity Controls. A covered entity must implement policies and procedures to ensure that e-PHI is not improperly altered or destroyed. Electronic measures must be put in place to confirm that e-PHI has not been improperly altered or destroyed.
- Transmission Security. A covered entity must implement technical security measures that guard against unauthorized access to e-PHI that is being transmitted over an electronic network.
Security Risks
With mobile devices getting smaller and smaller, and with more clinicians using them both within and outside their workplace, the risk of loss or theft looms large over the healthcare environment. After all, theft or loss of mobile devices leads the list of health information breaches found on the Department of Health and Human Services website.
In a feature by Rafael Skovron, additional security threats beyond loss or theft are identified. Bluetooth-enabled smartphones in discovery mode may allow others to use or access device content, or even connect to a server via the phone's connection. Text messaging and photo capture features also create a potential HIPAA security risk, as messages or images can be sent outside of the system architecture, thus bypassing ePHI email screening tools.
Because of the proliferation and variety of mobile devices being used in the healthcare industry, it is that much more important to understand the precautions that must be in place in order to comply with the standards required by HIPAA.
The HIPAA Security Guidance for Remote Use of and Access to Electronic Protected Health Information provides some reasonable strategies for protecting electronic protected health information.
Security Measures
The Journal of AHIMA has published safeguards against loss or theft of your mobile device. These safeguards include:
- Never leaving mobile devices unattended.
- Identify your mobile device by affixing a business card or ID tag to it
- Invest in a tether or cable lock to secure your laptop to something stationary such as airport seating or an office desk
- Install office security cameras to deter over-confident thieves
- Minimize the amount of sensitive information on the device
- Protect USB storage devices with passwords
- Disable USB ports
- Turn off wireless file transfer capabilities
- Password protect the BIOS to prevent disk access through changing the BIOS configuration
- Create a user account password and remove guest accounts
- Require manual log on for VPN connection
- Invest in tracking software
- Encrypt the file system
- Use a firewall when accessing public/private networks
Yale University also has Protected Health Information (PHI) Security Compliance policies. They are:
- Implement a lock-out setting after more than 10 failed attempts
- Cap message storage at 200 or 14 days of messages
- Require all applications to meet HIPAA security standards
- Keep the operating system and all software current with latest security updates
- Subscribe to a remote deletion service
- Prohibit use of unauthorized software and hardware
- Require VPN services when connecting to organization network via digital cellular
- When transferring files, only allow secure file transfer protocol (SFTP)
- Only store protected health information (PHI) on IT department-owned servers
- Install and use privacy filters if screens display PHI
- Securely destroy or delete PHI when upgrading or disposing of mobile devices
- Disable the email auto-forwarding feature
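Two of the Yale controls above, the lock-out after more than 10 failed attempts and the message cap of 200 or 14 days, written out as enforceable logic. This is an added example, not code from the page or from Yale; the MDM agent, the `DeviceAccount` state and the sample message timestamps are constructed here, and it assumes the two message limits combine so that the stricter one wins.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

MAX_FAILED_ATTEMPTS = 10               # "lock-out after more than 10 failed attempts"
MAX_MESSAGES = 200                     # "cap message storage at 200 ..."
MAX_MESSAGE_AGE = timedelta(days=14)   # "... or 14 days of messages"


@dataclass
class DeviceAccount:
    """Sign-in state a hypothetical MDM agent keeps for one device."""
    failed_attempts: int = 0
    locked: bool = False

    def record_attempt(self, succeeded: bool) -> bool:
        """Update the failure counter; return True if the device is now locked."""
        if self.locked:
            return True
        if succeeded:
            self.failed_attempts = 0
            return False
        self.failed_attempts += 1
        self.locked = self.failed_attempts > MAX_FAILED_ATTEMPTS  # 11th failure locks
        return self.locked


def prune_messages(messages, now):
    """Return the (timestamp, text) messages allowed to stay on the handset:
    drop anything older than 14 days, then keep only the newest 200, so the
    stricter of the two limits always wins (assumed reading of the policy)."""
    cutoff = now - MAX_MESSAGE_AGE
    recent = [m for m in messages if m[0] >= cutoff]
    recent.sort(key=lambda m: m[0], reverse=True)   # newest first
    return recent[:MAX_MESSAGES]


NOW = datetime(2012, 3, 1, 12, 0, tzinfo=timezone.utc)  # constructed clock


def demo_lockout():
    """Ten failures leave the device usable; the eleventh locks it."""
    acct = DeviceAccount()
    states = [acct.record_attempt(False) for _ in range(11)]
    return states[9], states[10]          # (False, True)


def demo_retention():
    """Survivor counts for an age-bound store (30 daily messages) and a
    count-bound store (250 hourly messages); constructed sample data."""
    daily = [(NOW - timedelta(days=i), f"d{i}") for i in range(30)]
    hourly = [(NOW - timedelta(hours=i), f"h{i}") for i in range(250)]
    return len(prune_messages(daily, NOW)), len(prune_messages(hourly, NOW))  # (15, 200)
```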
Mobility Trends in Healthcare
During the 2012 National HIMSS event in Las Vegas, Aruba Networks, Inc. conducted a survey that revealed some interesting trends in the mHealth industry. Survey highlights are listed here:
- 85% support their physicians’ and staffs’ use of personal devices at work
- 53% currently limit users to Internet access only
- 24% provide limited access to hospital applications
- 8% enable full access to the hospital network with user-owned devices
- 50% are planning to expand/refresh their Wi-Fi network in the next 12 months
- 35% said the same for their wired networks
- 93% reported that they owned and managed their own network infrastructure vs. outsourcing
- 83% support the use of Apple iPads on the network
- 65% support iPhones and iPod touches
- BlackBerry use still outpaces Android-based devices in health care, with 52% supporting the former and 46% supporting Android tablets and/or phones
- 58% currently use or plan to use desktop virtualization solutions such as Citrix to enable hospital application use on iPads
- 45% said they would use in-house or third-party applications
- 60% are supporting EMR applications on mobile devices
- PACS, Secure Messaging, and Voice over IP (VoIP) were each in the 30% range