The Security Scrutinizer with Howard Anderson

Mobile Devices, HIEs and Privacy

Are Policies Keeping Up With Technology Rollout?

In the U.S. healthcare arena, the use of mobile devices, especially tablets and smartphones, is exploding. Meanwhile, hundreds of regional and statewide health information exchanges are gearing up to ease clinician access to records.

But is enough being done on both fronts to protect patient privacy? I fear not.

During a half-day discussion of mobile device privacy and security issues convened March 16 by the Department of Health and Human Services, Lisa Gallagher pointed out that many healthcare organizations are ramping up their use of mobile before they have appropriate privacy and security policies, procedures and technologies in place. (See: Policies Lag Mobile Device Deployment).

"In a lot of cases, we're going back and catching up on the policies," says Gallagher, senior director of privacy and security at the Healthcare Information and Management Systems Society. Healthcare providers "are often deploying mobile devices before they are organizationally ready."

Adds Steven Heilman, M.D., chief medical information officer at Norton Healthcare, a five-hospital system in Kentucky: "If you don't have policies, it becomes the wild west of healthcare."

The wild west, indeed. So it's good to see HHS working on identifying best practices for mobile device security; better late than never. And HIMSS has already created a mobile security toolkit that's worth checking out.

HIE Issues

Meanwhile, the New York Civil Liberties Union has prepared a thought-provoking report on the privacy and security issues involved in health information exchanges (see: HIEs: Protecting Civil Liberties). Corinne Carey, the report's author, is concerned that the dozen HIEs now in various stages of development in New York - and hundreds elsewhere - are sharing data without first taking adequate precautions to protect patient privacy.

The state of New York already requires that patient consent be obtained before providers can access their information via an HIE - a requirement many other states have not adopted. But Carey wants the state to take the extra step of obtaining permission before any patient information is even uploaded into a system capable of sharing records, citing, for example, the potential for hackers to access the data.

Carey's report makes a long list of other recommendations. She's hopeful that regulators in New York and other states, as well as those at the federal level, will adopt many of the report's suggestions. The pending Nationwide Health Information Network Governance Rule, due out in the coming weeks, is widely anticipated to include many privacy and security guidelines.

Before HIEs kick into high gear - and before they're linked to form a virtual national network - it's important that all the appropriate security measures and privacy protections are in place. Otherwise, the public won't trust these exchanges, which could doom them to failure.



About the Author

Howard Anderson

News Editor, ISMG

Anderson is news editor of Information Security Media Group and was founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.



