You know all those shiny iPads in the hands of doctors? The ones that are used during office visits, replacing the old paper charts? Now that doctors are embracing Electronic Health Records and working overtime to ensure that they can prove Meaningful Use, we’ve introduced a new unintended consequence. We’ve introduced another opportunity for the compromise of sensitive patient records.
In the last two years, HHS reports that there have been 116 data leaks of 500 records or more, compromising more than 1.9 million patients’ personal health information. Was there a break-in at a hospital data center? No, nothing that exciting. All these security breaches were the result of a lost or stolen mobile device that stored patient medical records. So in these cases it didn’t matter how secure the hospital or physician practice server was: the records had already left it. Mobile devices extend the enterprise beyond the office or hospital, and that is where the data becomes vulnerable, because a copy now lives on a device that can be left in a taxi or lifted from a coat pocket.
Interestingly, just as the FDA is considering regulating some smartphone apps as medical devices, we may see the HHS Office for Civil Rights, the folks who prosecute HIPAA violations, begin looking at minimum security requirements for mobile EHR applications.
There are some common sense steps for which app developers should be responsible. Keep the patient records on the server (the “cloud”) and pull them down to the tablet only when needed, so a lost device holds as little as possible. Encrypt whatever does get stored on the device, and be clear about what that means: a WPA password protects the Wi-Fi link between the tablet and the access point, not the data sitting on a tablet that someone walked off with (and WPA’s original TKIP mode is itself considered weak today; ask your network administrator whether you are still running it). What protects stored data is device encryption unlocked by a strong passcode (on an iPad, the passcode is what the storage encryption keys are tied to, so a passcode-less device is effectively unencrypted to whoever holds it), a lock that kicks in after a short period of inactivity, and a way to wipe the device remotely once it is reported lost. But even more important are the common sense behaviors that should be taught to health care professionals when they are handed their new mobile EHR device.
I used to wonder how safe my chart was resting in the manila file folder on the outside of the exam room. Now should I be wondering about the whereabouts of my doctor’s iPad?