Friday, February 01, 2013

It Seems Smartphones And Sensitive Hospital Information Do Not Mix Well.

This appeared a few days ago.

Experts: mHealth poses privacy challenge

By Diana Manos, Senior Editor
Created 01/09/2013
Despite the potential of mobile healthcare, experts say they worry about the added risks of security breaches, privacy violations and other concerns that come with the increasing use of mobile technology.
Lisa Gallagher, senior director for privacy and security at the Healthcare Information and Management Systems Society (HIMSS), says the biggest privacy concern with the use of cell phones in healthcare is lost or stolen phones that contain unencrypted patient data.
Erin McAlpin Eiselein, an attorney and a partner at Davis, Graham & Stubbs, LLP in Denver, says one of the primary concerns for physicians engaging in mHealth is maintaining patient privacy of electronically stored protected health information or “ePHI.” 
“There are federal and state laws governing ePHI privacy and substantial penalties can be imposed for even inadvertent violations of these laws,” Eiselein warns.
“In addition to privacy, the other main concern for physicians engaging in mHealth is security. The federal government requires all ePHI to be secured in a manner that protects it against unauthorized access. This requires physicians to take steps such as using passwords and encrypted files to protect ePHI,” Eiselein says. “Often, devices such as iPhones, blackberries, and iPads and the apps that physicians are using on those devices are not compliant with the security standards. Physicians who electronically store information directly on their smartphones have the greatest risk of running afoul of these privacy and security laws. Simply losing a smartphone can have important and expensive consequences.”
In the past couple of years, the federal government has very clearly put the healthcare community on notice that it is increasing its enforcement efforts in this area, according to Eiselein. The Department of Health and Human Services Office of Civil Rights (OCR) has issued a document called HIPAA Security Guidance stating that physicians and other covered entities should be “extremely cautious” about allowing remote or mobile access to ePHI. Enforcement has moved to the state level as well, and state attorneys general now have the authority to enforce HIPAA. In fact, the OCR is providing HIPAA enforcement training to state attorneys general in order to further this goal. 
John Halamka, MD, CIO of Beth Israel Deaconess Medical Center, warns in his blog that security will have to move beyond policy-based controls to technology-based controls that may cost up to $10 per device per month. At Beth Israel, where more than 1,000 mobile devices are in use, that could be a $150,000 per year increase in operating expense to protect consumer devices brought from home.
The full article is here:
I find it interesting that the US is a good deal firmer on having electronic health information leak in any way and has a well-established regime to at least ‘name and shame’ those who do not do the right thing. Major offenders face major fines and so on in the US.
Right now - as far as I know - we really have not got properly organised in this area. Anyone know if any serious progress has happened recently?

1 comment:

Paul Waite said...

David, there are going to be many privacy concerns that the healthcare industry will face in the coming 18 months, which most practices and software vendors are not prepared for, not only mHealth. It will be interesting to see what the industry bodies come back with to assist GPs and other healthcare providers.