How mobile health can abide by HIPAA

By: Neil Versel | Apr 20, 2011        

Tags: | | | | |  |

Diversinet MobiSecure HealthLest anyone forget, the HITECH Act not only provides some $27 billion in financial incentives for healthcare providers to switch to electronic health records, it strengthens HIPAA privacy and security provisions and increases the penalties for violating HIPAA. This, according to one vendor, partially explains why some organizations have been slow to provide patients with mobile access to health data.

“Many healthcare providers and insurers still are on the sidelines when it comes to transmitting sensitive health information to patients’ mobile phones for a number of reasons,” says a new white paper from Diversinet, producer of a secure platform for developing mobile healthcare applications.

“There’s a lot of confusion in the marketplace about security and privacy,” Hussam Mahgoub, senior vice president for corporate development and research (and resident security specialist) at Diversinet, explains to MobiHealthNews. Mostly, providers are a bit scared after recent news that the Department of Health and Human Services fined Maryland’s Cignet Health $4.3 million for denying 41 patients access to their medical records and reached a $1 million settlement with Massachusetts General Hospital after a hospital employee left protected health information about 192 patients on a subway train.

While neither of these incidents involved mobile technologies—unless paper counts as a technology—the penalties should provide a wake-up call to any healthcare organizations looking to push data to mobile devices, according to Diversinet.

“The problem begins when the data starts leaving the server,” Mahgoub says. The Secure Sockets Layer (SSL) protocol for protecting data transmitted through Web browsers doesn’t necessarily provide end-to-end security, according to Mahgoub. “There could be an exposure in between [a server and a mobile browser].” Plus, mobile devices tend to get lost.

“In evaluating the security risks of accessing and storing PHI on a mobile device, healthcare providers and payers should assume that the security built into today’s mobile devices is not sufficient, regardless of operating systems, messaging capabilities or applications,” the Diversinet paper reads.

“I think the problem right now is at the device itself,” adds Mahgoub.

Fragmentation in the marketplace doesn’t help matters.

“A large number of new entrants and small mobile health companies are providing targeted wireless personal health monitoring devices and services that collect and transmit health data. An even larger number of smartphone application companies have developed specialized mHealth apps for patient monitoring, scheduling medical appointments and medication reminders. At the other end of the vendor spectrum, well-established global technology service providers are adapting existing security products for the healthcare sector,” the white paper says.

“Many of these vendors have limited experience protecting mobile health information across multiple mobile devices.”

That, according to Mahgoub, puts the onus on healthcare organizations, otherwise known as covered entities under HIPAA. But, he says, HIPAA does not address “strong authentication” for users when they access PHI.

The white paper contains a list of nine mobile security best practices, such as encrypting PHI on mobile devices, authentication of users prior to transmitting PHI and automatic session timeout, logoff and device locking. Additionally, it lists 10 questions about mobile health data that healthcare organizations should ask when evaluating mobile technology.

Diversinet and Mahgoub recommend installing apps to turn devices into a kind of “wallet” for PHI. Sensitive data should be encrypted and the app should be able to deactivate or delete PHI from lost or stolen devices, just as banks and retailers can deactivate lost credit cards. And because not everybody has a smartphone, healthcare entities should consider encrypted SMS, too, Mahgoub says.

Diversinet also calls for two-factor authentication and greater adoption of unique security credentials for each user. This, Mahgoub notes, is exactly what the Obama administration is advocating in its new National Strategy for Trusted Identities in Cyberspace, a roadmap issued just last week for protecting consumers from fraud and identity theft. The White House says the voluntary plan, which calls for the building of an “identity ecosystem” where consumers can have a single, user-specific credential to log into any participating web site, will help the security-conscious financial and healthcare sectors make new online services available.

“HIPAA doesn’t address strong authentication,” Mahgoub says.