Will Growth In Mobile Use Compromise HIPAA Compliance?

There’s little doubt that giving doctors mobile access to data via their personal devices can be valuable. We’ve probably all read case studies in which doctors saved a great deal of time and made the right clinical call because they reached that data via an iPad, smartphone or Android tablet.

And this is as it should be. We’ve been working to push intelligence to the network for at least the two decades I’ve been writing about IT.

That being said, we haven’t yet gotten our arms around the security problems posed by mobile computing during that period, as hard as IT managers have tried. Adding a HIPAA compliance requirement to the mix makes things even more difficult. As John wrote about previously, Email is Not HIPAA Secure and Text is Not HIPAA Secure either.

According to one security expert, healthcare providers need to do at least the following to meet HIPAA standards with mobile devices:

  • Protect their private data and ePHI on personal-liable (BYOD) mobile devices;
  • Encrypt all corporate email, data and documents in transit and at rest on all devices;
  • Remotely configure and manage device policies;
  • Apply dynamic policy controls that restrict access to certain data or applications;
  • Enforce strict access controls and data rights on individual apps and services;
  • Continuously monitor device integrity to ensure secure PHI transmission;
  • Protect against malicious applications, malware and cyber threats;
  • Centrally manage policies and configurations across all devices;
  • Generate comprehensive compliance reporting across all mobile devices and infrastructure.

Just a wild guess here, but my hunch is that very few providers have gone to these lengths to protect the ePHI on clinicians’ devices. In fact, my sense is that if Mr. Bad Guy stole a few iPads or laptops from doctors at random right now, he’d find a wide open field. True, the thief probably couldn’t log into the EMR(s) the physician uses, but any other clinical observations or notes — think Microsoft Office apps — would be in the clear in most cases.

Being a journalist, not a security PhD, I can’t tell you I know what must be done. But having talked to countless IT administrators, I can definitely see that this is a nasty, hairy problem, for many reasons including the following:

– I doubt it’s going to be solved by a single vendor, given the diversity of systems even a modestly large medical practice runs, though I bet you will be, or already are, getting pitches to that effect.

– Two-factor authentication that locks up the device for all but the right user sounds good, but add-ons like, say, biometrics aren’t cheap.

– Add too many login steps to doctors already tired of extra clicks and you may see mass defections away from EMR use.

– Remotely managing and patching security software on devices with multiple operating systems and network capabilities is no joke.

If you feel your institution has gotten a grip on this problem, please do chime in and tell me. Or feel free to be a mean ol’ pessimist like myself. Either way, I’d love to hear some of your experiences in protecting mobile data. Maybe you have a good news story to tell.

About the author

Anne Zieger

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

  • I wouldn’t have said this a few years ago, but after working in an institution where virtual desktop solutions (a la Citrix or VMware) are implemented, I think that many security issues will be able to be addressed through thin client-like models. If I’m using an iPad (even my own iPad) to access a virtual desktop that provides all my patient-related tasks, then even if my iPad gets stolen, PHI would generally remain safe.

    Were I a present-day EHR vendor, I’d start designing interfaces that work well when accessed via touch-screen devices that are using remote-desktop software, in preparation for a future when it is standard practice for all clinical staff to carry around iPad-like devices.

  • Daniel L,
    I agree that a thin client model can solve many of the security issues with mobile devices like an iPad. The core question is whether a touch screen (iPad) application using a thin client “virtual desktop” can create a great user experience or not. Plus, even if it creates a similar user experience to a native touch screen app, will it be able to overcome the issue of data consumption vs data entry. Tablets like the iPad are great at consumption, but have yet to show great data entry.

  • I believe time has already proved this question to be true! BYOD has also proven to be too great a risk… The real question should be: How Much Risk Is Acceptable To Your Business?

  • BYOD is real! The most often used application on these devices seems to be multimedia messaging. The ePHI shared between physicians and nurses is in the clear and goes through service providers’ networks. This application needs to be protected first.

  • This is another reason why BYOD is a symptom of a disease, not the cure. The users have spoken and now it’s time for vendors and hospitals to deliver the right tools for the job in a secure environment.