mHIMSS: Understand risks of mobile devices in healthcare
Zeller gave a presentation during the April 26 event on privacy and security of mobile devices in the healthcare setting. He shared that market adoption of smartphones is projected to be 68 percent in 2015, up from 12 percent in 2008. He stated that 58 percent of mobile employees are provisioned smartphones by their companies.
A mobile form factor is becoming less of a forward-thinking idea and gradually moving towards an initiative of keeping up with the Joneses, according to Zeller. With 26 percent of U.S. households completely wireless, “it’s not like you have a decision anymore.”
There is a battery of mobile applications that can be applied in the healthcare setting, including external (locate facilities or services, claims status, etc.) and internal (EHR access, dosage calculators, etc.). Zeller noted there can be two types of application:
- Native: Built for a specific operating system
- Web-based: Optimized for viewing on mobile browsers
“The mobile arena is complex and you have to decide what you want to accomplish,” he said. Organizations have to understand the security risks including data loss and identity theft. Zeller advised that risk assessments should be performed to ensure understanding of the security risks.
“For our group, we are under the assumption you can’t eliminate all the risks,” he said. “The pace that both mobile and the threats out there is moving at [a fast pace.]… We all assume there is some residual risk and we really undertake the decisions and look at the controls to try and determine what we can do to make sure exposure is minimal and risks are reduced as far as possible.”
He added that with mobile devices in the healthcare workforce, there are various use cases and risks to be considered including:
- Email: Limited sensitive data
- Calendar: Limited apps
- File sharing: Increased volume of sensitive data
- Native apps: Safeguarding multiple apps
- Dictation: View and/or storage of electronic personal health information
Zeller added that additional risk is present when introducing personal mobile devices into the mix. Commingling of corporate and personal data poses a legal challenge for device wipe after loss/theft, he said. Dual use also restricts the ability to prevent undesirable/malicious app usage on the device and presents a legal challenge during investigations.
Legal agreements need to be created for the use of personally owned devices as Bring Your Own Device (BYOD) requires legal and operational controls, he said. “A legal position should be defined to address overtime use,” Zeller said. “A separate acceptable use policy for personal devices is advisable.”
Kaiser Permanente does not allow the use of personal devices, Zeller clarified for the listeners.
mHIMSS is a globally-focused mobile initiative offered by the Healthcare Information & Management Systems Society.