mHealth Congress: Privacy & security polices need updating for modern healthcare

BOSTON—Privacy and security regulations protecting personal health information (PHI) are undoubtedly necessary and important to maintain patient safety, but they are outdated and preventing providers from unleashing the power of mobile devices. These regulations require rethinking to meet the realities of modern healthcare delivery, according to presenters at the 4th annual mHealth World Congress.

“The problem is that the way we manage devices is predicated on older models where people sat places and did things,” according to Joshua Lee, MD, CMIO of the Keck School of Medicine of the University of Southern California in Los Angeles and its affiliated facilities. “This is not consistent with healthcare delivery models.”

Providers have an interest in using mobile devices in healthcare settings because they have the ability to make their jobs easier and to improve the care they provide. However, employers often set policies based on outdated regulations that prevent providers from performing their work as efficiently as possible.

“Avoiding liability can be difficult,” according to Deven McGraw, director of the health privacy project at the Center for Democracy and Technology, an open internet advocacy organization in Washington, D.C. Existing regulations, like HIPAA, “don’t incorporate challenges posed by new technology. If you have a security measure that providers don’t like, they’ll turn it off if they can.”

Discussions of privacy and security don’t occur in vacuum. It’s a real concern for healthcare administrators. In recent weeks, several healthcare organizations revealed that mobile devices were stolen from their facilities and that PHI may have been compromised. In a May 22 incident, a physician’s personal laptop containing information on nearly 4,000 patients was stolen from Beth Israel Deaconess Medical Center (BIDMC).

“The device was at a desk and a known felon walked in pretending to be a patient and took it out,” said John Halamka, MD, CIO of BIDMC. The thief has since been arrested and although the stolen laptop has not been recovered, there is little risk that PHI is in danger as the device was most likely sold on the black market and had its hard drive erased.

Despite the low risk nature of the incident, BIDMC will do more to enforce its policies and to help its employees protect their devices in the future. A policy that all devices must be encrypted and password protected (the stolen laptop was not) will continue, but BIDMC plans to set up kiosks where employees can actually have this accomplished for them. The organization will also institute an “automatic wipe” policy, meaning devices must be configured to erase all information if they are tampered with.

There are challenges. For instance, security concerns with the Android operating system may force BIDMC to tell employees they are not allowed to use Android devices at work. This potential policy and an automatic wipe policy may upset some employees and could inconvenience them, but Halamka believes it’s for the best.

The theft was “an expensive and time consuming activity,” he said. “The teachable moment that came out of this was that our longstanding policy was violated and it cost us a lot. Now we have to get into enforcement.”