Mobile Health Implementation
Mobile health (also known as m-health or mHealth) implementation is a term used to describe the planning, design and integration of mobile health technologies (both hardware and software) into a healthcare or healthcare-related organization.
Definitions
Mobile health implementation is the process of using mobile wireless devices (mDevices), applications and related technologies to improve and advance the services provided by healthcare professionals. Implementation has both management implications and security implications, each discussed below.
Management Considerations
- Triage
- Clerical overhead
- Categorization and redirection
- Selective access to providers
- Archiving and backup
- Forbidden topics
- Selective confidentiality
- Encryption
Application Categories
Categories as given in the mHealth lecture:
- Patient communication / personal health records
- Web-based resources
- Point-of-care documentation
- Disease management
- Education programs
- Telemedicine
- Administrative
- Professional
- Financial
- Emergency care
- Public health
- Pharma/clinical trials
- Body area networks (BAN)
Security Risks
With mobile devices getting smaller and smaller, and with more clinicians using them both within and outside their workplace, the risk of loss or theft looms large over the healthcare environment. After all, theft or loss of mobile devices leads the list of health information breaches reported on the Department of Health and Human Services website.
- Stolen health identities have a black market price, which makes PHI an attractive target.
- Assume that the device's built-in security is not adequate; the burden of protecting PHI therefore falls on the controls applied to the device itself.
- Fragmentation: the diversity of mobile products in the marketplace means vendors often lack experience applying consistent security measures across multiple mobile devices.
HIPAA Security Requirements
Security Measures
Because of the proliferation and variety of mobile devices being used in the healthcare industry, it is that much more important to understand the precautions that must be in place in order to comply with the standards required by HIPAA.
HIPAA Guidance - HIPAA Security Guidance for Remote Use of and Access to Electronic Protected Health Information http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/remoteuse.pdf
The Journal of AHIMA has published safeguards against loss or theft of your mobile device. These safeguards include:
- Never leaving mobile devices unattended.
- Identify your mobile device by affixing a business card or ID tag to it
- Invest in a tether or cable lock to secure your laptop to something stationary, such as airport seating or an office desk
- Install office security cameras to deter over-confident thieves
- Minimize the amount of sensitive information on the device
- Protect USB storage devices with passwords
- Disable USB ports
- Turn off wireless file transfer capabilities
- Password protect the BIOS to prevent disk access through changing the BIOS configuration
- Create a user account password and remove guest accounts
- Require manual log on for VPN connection
- Invest in tracking software
- Encrypt the file system
- Use a firewall when accessing public/private networks
Yale University also has Protected Health Information (PHI) Security Compliance policies. They are:
- Implement a lock-out setting after 10 failed log-on attempts
- Cap message storage at 200 messages or 14 days of messages
- Require all applications to meet HIPAA security standards
- Keep the operating system and all software current with latest security updates
- Subscribe to a remote deletion service
- Prohibit use of unauthorized software and hardware
- Require VPN services when connecting to organization network via digital cellular
- When transferring files, only allow the SSH File Transfer Protocol (SFTP); plain FTP sends credentials and file contents unencrypted
- Only store protected health information (PHI) on IT department-owned servers
- Install and use privacy filters if screens display PHI
- Securely destroy or delete PHI when upgrading or disposing of mobile devices
- Disable the email auto-forwarding feature
Evaluating Mobile Technology
Diversenet, a mobile technology company, has developed 10 questions that can be used to evaluate a mobile health vendor and its product's level of compliance with HIPAA regulations. The questions listed here are taken directly from the Mobile Health and Security White Paper.
- Do you provide security for PHI data over and above the general security features of the phone’s mobile browser and application platform?
  - If so, what forms of data security do you include in your solution?
    - Data encryption
    - Strong (two factor) authentication for the user and the server
    - Integrity and Non-Repudiation of PHI – Assurance that PHI data has not been changed or opened by an unauthorized party
- If you provide encryption for PHI data as part of your solution, is the encryption end-to-end from the secure server to a secure client on the mobile device? Is data encrypted while stored on the mobile device?
- Does your solution support encrypted text messaging (SMS)?
- Can your solution be extended to protect PHI data in multiple applications (including those from other vendors) and mobile browsers, or is it limited to use with the solutions that you offer?
- Do you provide a method for your customers to remotely delete all covered PHI data from lost or stolen devices?
- On what mobile devices does your solution currently operate? If there are some mobile devices that are not covered, how is PHI data on these devices supposed to be protected?
- Is your company primarily focused on the healthcare sector and the protection of mobile health data and services?
  - If you provide a general mobile security or other services for multiple industries, what percentage of your customers are in healthcare?
- Can you provide reference accounts that have moved beyond pilot projects and fully implemented your solution?
- What security standards are utilized in your solution?
  - Have you received any security certifications?
- Does your solution provide all of the Technical Safeguards listed in the HIPAA Security Rule (both Required and Addressable)?
  - If not, what Safeguards are not provided?
Other Considerations
- Device interoperability
- Clinical-grade mHealth
- Securing wireless transmissions: encryption, authentication and data integrity
- Outdated technologies and legacy systems (Tessier)
Mobile Device Limitations
Mobility Trends in Healthcare
Aruba Networks, Inc. conducted a survey...
Sources
http://mobihealthnews.com/10747/how-mobile-health-can-abide-by-hipaa/
http://www.arubanetworks.com/pdf/solutions/HIMSSSurvey_2012.pdf
https://www.ahimastore.org/ProductDetailBooks.aspx?ProductID=14383