The Lifecycle of PHI and Mobile Device Insecurity
Rick Kam, President and co-founder ID Experts
Mobile devices have become notorious for unintended exposure of protected health information (PHI).
Between September 22, 2009, and May 8, 2011, for instance, mobile devices were the cause of exposing the PHI of more than 1.9 million patients, a statistic cited in The Financial Impact of Breached Protected Health Information: A Business Case for Enhanced PHI Security, a seminal report by the American National Standards Institute (ANSI), The Santa Fe Group/Shared Assessments Program Healthcare Working Group, and the Internet Security Alliance (ISA).
The term “mobile device” is often synonymous with a cell phone. But, as AHIMA notes, mobile devices span the spectrum of form, wireless accessibility, and processing capabilities to include everything from thumb drives and external hard drives to smartphones, tablets, and laptops.
Healthcare professionals are rushing to take advantage of the variety of mobile devices: a survey of nearly 3,800 physicians by QuantiaMD estimates that “83 percent of physicians own at least one mobile device and about one in four doctors are ‘super mobile’ users who leverage both smartphones and tablet computers in their medical practices.” It’s almost certain that the rapid adoption of electronic health records (EHRs) is accelerating the use of mobile devices in medicine.
Mobile devices offer convenience and almost unlimited applicability to doctors and other medical professionals — communicating with patients, collaborating with colleagues (telemedicine), ordering drugs, and inputting patient data during visits, to name a few. On the consumer side, patients use mobile technology to access their medical information, refill prescriptions, or make appointments.
The increased use of mobile devices in medicine is causing headaches for security and privacy professionals. But the risks are as varied as the devices themselves. A careful analysis reveals security weaknesses at many levels.
“Never Leave Home without It”
This old-but-famous American Express slogan applies to our society’s mentality about mobile devices. David Allen, CTO of Locaid, says that people feel more “attached” to their phones than their wallets. With all the functionality, apps, and data a smartphone provides, these devices have become a virtual representation of their owners.
And this virtual representation has extended to the workplace. The bring-your-own-device (BYOD) phenomenon is just that, a phenomenon. Many people do little or nothing to protect their devices. Passcodes, encryption, and other security measures are often set aside as inconvenient.