Lest anyone forget, the HITECH Act not only provides some $27 billion in financial incentives for healthcare providers to switch to electronic health records, it also strengthens HIPAA privacy and security provisions and increases the penalties for violating HIPAA. This, according to one vendor, partially explains why some organizations have been slow to provide patients with mobile access to health data.
“Many healthcare providers and insurers still are on the sidelines when it comes to transmitting sensitive health information to patients’ mobile phones for a number of reasons,” says a new white paper from Diversinet, producer of a secure platform for developing mobile healthcare applications.
“There’s a lot of confusion in the marketplace about security and privacy,” Hussam Mahgoub, senior vice president for corporate development and research (and resident security specialist) at Diversinet, explains to MobiHealthNews. Mostly, providers are a bit scared after recent news that the Department of Health and Human Services fined Maryland’s Cignet Health $4.3 million for denying 41 patients access to their medical records and reached a $1 million settlement with Massachusetts General Hospital after a hospital employee left protected health information about 192 patients on a subway train.
While neither of these incidents involved mobile technologies—unless paper counts as a technology—the penalties should provide a wake-up call to any healthcare organizations looking to push data to mobile devices, according to Diversinet.
“The problem begins when the data starts leaving the server,” Mahgoub says. The Secure Sockets Layer (SSL) protocol for protecting data transmitted through Web browsers doesn’t necessarily provide end-to-end security, according to Mahgoub. “There could be an exposure in between [a server and a mobile browser].” Plus, mobile devices tend to get lost.
“In evaluating the security risks of accessing and storing PHI on a mobile device, healthcare providers and payers should assume that the security built into today’s mobile devices is not sufficient, regardless of operating systems, messaging capabilities or applications,” the Diversinet paper reads.
“I think the problem right now is at the device itself,” adds Mahgoub.