Experts weigh in on using mHealth securely

By Molly Merrill
08:41 AM

Mobile devices have become as common as the stethoscope in patients' rooms since they're ideal for information sharing and time savings – but they pose huge security risks to patient information, experts say.

Sixty-four percent of physicians own smartphones and 30 percent of physicians have an iPad, with another 28 percent planning to buy one within six months, according to a recent Manhattan Research study. Today there are 10,000 mobile healthcare applications available  on the iPad, with a larger number of them created to provide access to electronic health records. Additionally, a third of physicians use their mobile devices to input to EHR while seeing patients, while the information is fresh.

However, the increase in the use of these mobile devices is exposing new risks to patient health information. In less than two years, from September 22, 2009, through May 8, 2011, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) indicates that 116 data breaches of 500 records or more were the direct result of the loss or theft of a mobile device, exposing more than 1.9 million patients’ PHI.

A panel of five experts in the fields of healthcare IT, security and privacy, data breach and identity theft share their insights below on how healthcare organizations and providers can optimize mobile health (mHealth) while protecting patients’ data:

  • "Many Wi-Fi networks in hospitals and doctor’s offices are not secure and coupled with the increased mobile device usage, patient data is at risk. Here are eight things you can do to protect sensitive patient data," says Rick Kam, president and co-founder, ID Experts, a provider of data breach solutions.
  1. Whenever possible, don’t store sensitive data on wireless devices. If required, ensure the data is encrypted.
  2. Enable password protection on wireless devices, and configure the lock screen to come on after a short period of inactivity.
  3. Turn on the Remote Wipe feature of wireless devices.
  4. Enable Wi-Fi network security. Do not use WEP, and only use WPA-1 with strong passphrases. Use WPA-2 if possible.  
  5. Change the default SSID and administrative passwords.
  6. Don’t transmit your wireless router’s SSID.
  7. Only allow your devices to connect by specifying their hardware MAC address.
  8. Implement a Wireless Intrusion Prevention System.”
  • “In many ways, digitizing patient information can make it more secure, but only if the proper security measures are in place," says Jill Arena, managing partner, Health e Practice Solutions, a consulting and technology solutions provider. "As we move to introduce iPad applications that integrate with physicians' EMR products, we can edit, route and capture signatures on patient forms without ever dropping them to paper. This allows physicians and their office staff to recapture valuable staff time, and it keeps paper forms with PHI, Social Security numbers and other sensitive information from floating around the clinic and potentially falling into the wrong hands.
  • “Anytime an organization extends information beyond its walls, a risk assessment should be conducted to determine the level of security controls, including monitoring of those controls," says Chad Boeckmann, president, Secure Digital Solutions, which specializes in privacy strategy. "Mobile devices are a great example of extending the enterprise. Organizations need to understand the complexities of securing mobile devices, applications and the people who use them as part of a well-rounded data security and risk management program.”
  • “In healthcare, doctors and nurses are increasingly using mobile computing devices and storage devices as part of their care giving activities, storing goldmines of patient information on them," says Rebecca Herold of Rebecca Herold & Associates, which develops information security, privacy and compliance tools and offers education and consulting. "Because of the combination of increased business and patient data storage and entrusting mobile workers with mobile computing devices, it is vital that an effective mobile computing device and storage media security and privacy management program is in place. Not only to meet HIPAA compliance requirements, but also to protect your patients and your hospitals and clinics. A key component is providing training and awareness to those staff using such devices. After all, doctors and nurses cannot protect information on mobile devices if they are not taught effective ways to do so. If you don’t provide security knowledge to those using mobile devices, privacy breaches will occur.”
  • “Mobile isn't just a convenient new gadget or toy," adds Robert Siciliano, CEO of, "personal security and identity theft's a huge target for criminal hackers and needs to be treated accordingly.