Channel: HealthITSecurity.com » Short Message Service Security

Secure healthcare communication in a mobile environment


Mobile technology has undoubtedly advanced, as today’s smartphone possesses more computing power than NASA did when we first put man on the moon. Power without purpose, however, is chaos, and privacy and security are not ancillary considerations in today’s healthcare world.

Mobile technology in healthcare is an even more complex system. Mobile health technology is not limited to smartphones and falls into three categories: consumer/independent applications, enterprise/system enablement and telehealth. There are more than 100,000 different patient or consumer-based mobile health and fitness applications (apps), including weight-loss or diabetes monitoring apps. On the enterprise/system side, every major EHR vendor has at least one mobile app, whether it be a physician-facing communication app or a drug reference app. Lastly, telehealth has some of the most exciting resources, from video calls with providers to answer questions to remotely guided procedures.

But mobile healthcare is not without its challenges. The fundamentals of privacy, security and data integrity cannot be forgotten or overlooked. Consumer demand has pushed smaller/lighter solutions for mobile access. “Smaller and lighter” are also easier to lose, to move and to steal. Lost or stolen laptops accounted for nearly half of all HIPAA violations reported in 2013. Business associate failures accounted for another 20 percent. So how can these risks be mitigated or avoided?

Let’s start with devices. First, use the inherent device security. Almost all mobile devices have the ability to set a password, and many have the ability to be located when lost. These are no-cost solutions which should seriously be enabled. However, this is only the first step. Devices that contain data must go beyond simple control methods and have encryption enabled to secure the contents.

Second, take the time to review any application which has protected health information (PHI). Is the data stored on the device or is it stored at another location? How is it stored? Is it encrypted? How do you log in or authenticate that you are who you say you are? Who stores the data? Are they HIPAA compliant in their actions? These are “risk assessment” questions every provider should ask.

And how do HIPAA business associates (BAs) fit into this whole mobile world? The curbside consult or dialog between two providers is a normal, active and critically important part of the healthcare system. In our increasingly mobile world, these consults often occur via mobile devices. Is it okay to text a message provider to provider? What about a quick email? In today’s mobile healthcare world, these actions are part of a normal BA relationship. As such, both parties have a responsibility and liability for the privacy and security of the data. Open, insecure message formats, like short messaging service (SMS), do not pass muster for privacy and security. Neither does traditional email. Secure texting solutions, encrypted email and Direct Secure Messaging are ways to communicate securely via a mobile device.

The printing press heralded the Renaissance and the world changed. Mobile computing and the power of collaboration may be the printing press of the healthcare renaissance. We must start by asking, “what should we do” and “what can we do” while remembering our Hippocratic responsibilities of doing no harm and doing good. With these fundamentals in mind, mobile healthcare may bring the art of care and the science of medicine together like never before.

Andy Nieto is the Health IT Strategist for DataMotion, a health information service provider (HISP) with 15 years of experience in secure data delivery.

