Safeguarding patient information in the mobile health era
We’re one month post-HIMSS13 and everyone’s still buzzing about how mobile health (mHealth) will impact the healthcare industry this year. Don’t believe me? Just check out these articles from The Huffington Post, The Washington Post and the New York Times. And we’ve been tracking the trend here on the Dodge blog with two recent posts around the subject from Brian Parrish and JD Sparks.
Brian and JD’s articles really got me thinking. With so many people now using cell phones and tablets to quickly share health data and manage care, is personal health information less secure on a mobile device than on a desktop? If I lost my mobile device, for example, is it easier for someone to get their hands on my personal health information by, say, simply clicking into my patient portal application? And who is making sure all of this sensitive information is safe?
That’s where folks like Tommy Allsup come in. A 19-year industry veteran, Tommy is the “director of awesomeness” at PointClear Solutions—a software development company specializing in user experience design for healthcare technology companies. He heads PointClear’s mHealth strategy practice by day and is an mHealth security superhero by night, and part of his job is ensuring the mobile applications PointClear designs and develops are fortified against security breaches. Essentially, he has the important job of making sure mHealth applications are architected in a way that safeguards patient information. I chatted with Tommy to answer some of my questions and learn how mHealth solutions are developed to meet the healthcare industry’s stringent security needs.
Dodge: As mHealth continues to grow, why is it important to design secure applications?
Allsup: Security breaches are very expensive for patients, providers and healthcare organizations alike. I learned this during my time working for a company that handled security breaches for the healthcare industry. When phones with patient data disappeared, we had to jump through hoops to try to remotely remove data before it reached prying eyes. If there was an exposure, there were lots of internal measures we’d take to ensure more patient data wasn’t leaked. I’ve seen some companies risk losing thousands of dollars just because someone misplaced a laptop or cell phone with sensitive patient or organizational data. This experience taught me that as an industry, we have a responsibility to protect patient data. Now, as someone who helps design mobile applications that are used by healthcare organizations and patients, it’s my obligation to ensure the proper security features are in place to fully protect patient data.
Dodge: Explain how you make sure the mHealth applications your team develops are secure.
Allsup: As we’re architecting a new mHealth application, we think about security at every step of the design and development process. In fact, it’s one of our first considerations at the outset of any project. One of the most important things we do is identify the application components that involve the exchange of protected health information (PHI). This type of data is identifiable and can often contain names or financial information. We design an application around PHI to limit the amount of information that is stored on a device and ensure that this data is separated from more generalized health data. When we start testing the application and transmitting data, this helps us know exactly how we need to encrypt data to protect it at rest or in motion.
Dodge: What are the most common misconceptions about the development of mHealth technology?
Allsup: One of the biggest misconceptions among patients and providers is that if a mobile application is secure, it’s not user-friendly. In other words, if there are multiple safeguards, some think the application is going to be clunky to use. In fact, the opposite is often true. The key to combating this misconception is designing security features that are as user-friendly as our technology. For example, mobile devices don’t have keyboards, so we’ve leveraged touch screen functionality that enables users to draw passwords instead of typing them. We’re also closely following the biometrics security trend, where users are identified by fingerprints or eyes.
Dodge: How can healthcare organizations help patients and providers avoid security breaches on mobile devices?
Allsup: Make sure your organization has a security policy. You can have all the high-tech safeguards you want in place, but if people don’t take the right precautions, like locking their phones after use, you run the risk of a breach. When looking to roll out a new mHealth application, do your research and ask your vendor partners a lot of questions about security features. Make sure the application is HIPAA-compliant. Be sure that patient data is encrypted in motion and while at rest. Make sure your partner provides you with a document outlining all the things they’ve done to ensure the application is protected. And make sure the technology is easy to use while you’re at it.