Guest Post: Will Your New Smartphone Ruin Your Practice?

Guest Post: Hayden Hartland works at Spearstone, makers of Spearstone’s DiskAgent offering which provides a multi-platform approach to smartphone security by allowing lock, data-wipe, and GPS-tracking from any web-browser along with online backup for your business.

Breathtaking advances in smartphone capabilities are changing the ways we work and live. In their latest forms, phones such as the iPhone, Android, Blackberry, Windows Phone, Symbian, and Palm are beginning to rival, and in several areas (think GPS, camera and video) exceed the capabilities of laptops and desktops.

Increasingly, we email, keep contacts, track tasks and appointments, browse the internet, capture family moments, connect with friends, shop, and even run powerful business apps from our hand-held do-it-alls. No wonder then that surveys show some people giving up computers altogether for smartphones. Trends indicate smartphone sales and usage will exceed that of laptops in the next five years. Analysts describe a future where Smartphones that dock to keyboards and monitors obsolesce the laptop altogether.

The problem is that while smartphones are leapfrogging laptops and desktops in utility and connectivity, they have introduced security risks that too few take seriously. Unlike desktops and laptops where some of the biggest risks lie in viruses, and the eventual failure of spinning hard drives, the biggest risk with a smartphone is the loss and exposure of the information you store on it.

More than 5,000 smartphones are lost or stolen each day. Most smartphones hold thousands of confidential records – patient lists, emails, documents, medical records, patient payment records, and so on – yet there is little or no ability to prevent their compromise if your phone is lost or stolen. Many were carried by healthcare professionals (doctors, nurses, dentists, office managers, billing providers, support staff, and so on) whose information represents real risk to their practices and patients if compromised.

Next time you notice a staff member, equipment rep, supply rep  or any BAA using a smartphone, consider asking, “Are our emails accessible on that phone?” and “If you lose it, can anyone access them on the phone?” If you are a medical professional carrying a smartphone you need protection because odds are that eventually you will lose your phone. Furthermore, HIPAA, the FTC and state consumer organizations require notification of all patients of a data breach (not exactly good for any practice or healthcare business).

Current phones and typical user practices do a poor job of safeguarding your confidential information. While many smartphones can require a password or PIN number to use them, few of us can tolerate the hassle of actually using one. We simply use our phones too frequently to put up with it. Yet without one, we’re completely exposed. And while a phone password may protect your information in the case of loss, it can’t stop someone with phone hacking skills who wants to access your information.

Here are some practical tips you can employ to reduce your risks:

  1. Create a passcode for your phone. If you (like me) hate being pestered by it, set it to be required after 4 or 8 hours, so that you only need to enter it once or twice a day. If your phone is stolen and locked the thief will either need to hack your phone or reset the phone to factory settings thereby removing all the data in the process.
  2. Create a splash screen when your phone is locked displaying a contact phone number or email address and reward value. Consider etching your name and contact information somewhere on the phone.
  3. Remove sensitive information from your phone as soon as possible.
  4. Write down your IMEI (International Mobile Equipment Identity) number. If your phone is stolen, call your carrier immediately and ask them to deactivate the IMEI number and the phone will be rendered inoperable for calling on all networks. This ensures the phone is unusable although it doesn’t protect any unencrypted information on your phone.

Fortunately, a few larger clinics and hospitals are beginning to address these concerns. If yours is a larger practice with a Blackberry Enterprise server and or Exchange Mail Server and your users exclusively use the corresponding phones (Blackberries, and Windows Mobile devices), you can remotely remove emails and some other sensitive information in the event of a loss or theft. Other alternatives are to deploy encryption software or use the expensive MobileMe services provided by Apple. For other organizations, Spearstone’s DiskAgent offering provides a multi-platform approach to smartphone security by allowing lock, data-wipe, and GPS-tracking from any web-browser.

About the author

John Lynn

John Lynn

John Lynn is the Founder of the, a network of leading Healthcare IT resources. The flagship blog, Healthcare IT Today, contains over 13,000 articles with over half of the articles written by John. These EMR and Healthcare IT related articles have been viewed over 20 million times.

John manages Healthcare IT Central, the leading career Health IT job board. He also organizes the first of its kind conference and community focused on healthcare marketing, Healthcare and IT Marketing Conference, and a healthcare IT conference,, focused on practical healthcare IT innovation. John is an advisor to multiple healthcare IT companies. John is highly involved in social media, and in addition to his blogs can be found on Twitter: @techguy.


  • Actually, I don’t think resetting the phone will wipe data stored on a flash-card inserted in the phone. Even if the phone were to be completely bricked, the thief or finder could remove the memory card and insert it into a card reader to access the data stored on it. Probably the best bet would be encryption of all storage on the device, with maybe a built-in fingerprint reader to instantly unlock the device. Short of something like that, PHI has no business being stored on these devices.

  • Excellent guest post on security; as I wrote over at the Practice Fusion blog’s post on copier hard drives, many people don’t equate their smart devices with all all the potential risks that they’ve become familar with in traditional desktops or even laptops. We probably need a big summer movie on this technology before it becomes a public concern.

    I tend to agree with Seth: I’m not sure resetting to factory standards will stop a determined hacker/cracker. HIPAA’s Breach Notification Rule made a point of compromised data being unusable, not just inaccessible; at the moment, encryption sounds like the only option.

    Even though I personally agree with Seth’s last statement, I’m not sure how productive a solution that is. Prevention at this point is almost moot, since people are currently doing it and will continue to if they like the convience. Finding ways to better manage risk, develop contigency plans, and educate users on security are more proactive measures.

  • It’s just amazing that people think it’s safe to store any PHI on a smart phone. Although, maybe the issue is that they haven’t really thought about it. I agree with the assertion that the smart phone will likely become our computers. You’ll just plug it into some peripherals and you’ll have your computer with all its info. This is really exciting stuff, but will require extra levels of security.

Click here to post a comment