The healthcare industry has certainly felt the effects of the Bring Your Own Device (BYOD) trend. More often than not, doctors, nurses, and other clinical support staff carry smartphones and tablets.
According to the article The Usage of Tablets in the Healthcare Industry, doctors and nurses were some of the early adopters of smartphone technology and are the largest group of users in the healthcare industry today. The Healthcare Daily stated, “81% of physicians use mobile tools to collect, store, or transmit patient information.”
Mobile technologies, in particular tablets, have been a boon to healthcare, making it easier to review, update, and exchange patient information. Use of personal smartphones and tablets in hospitals and clinics also carries with it the risks of BYOD, namely the potential for bringing malware into the enterprise network and sending proprietary data out to parties who shouldn’t get it.
But whereas BYOD security issues are problems for enterprise companies, in the healthcare industry it is the patients – in other words the customers – who are affected the most by BYOD, if their private health information is exposed or lost.
Patient Data Privacy Risks
The threats to patient data privacy posed by computer-based record keeping are not new. Back in the old days – about 10 years ago – a significant amount of patient information was maintained on computer systems that, in many cases, were connected to the Internet. Even then it was easy enough to send patient records via email or browsers to any number of recipients who may not have been the intended recipients. But it required computer operators sitting in front of terminals or networked personal computers to access the data and direct it out of the hospital or clinical setting.
With the advent of smartphones and social networking, patient data can be readily and more easily accessed by a larger number of people than ever before. One of the potential problems of BYOD is that professional and personal applications can reside together on any given mobile device. Doctors and nurses who pull up patient data on mobile phones, which they also use for social networking, could purposely or inadvertently send out sensitive patient data to services such as Facebook or Google+ where the information has the potential to go viral on the Internet.
Storage of patient data on mobile devices is a potential problem: patient data can easily, and literally, end up in the wrong hands if smartphones, tablets, or laptop computers are either unsecured or lost.
Cloud storage is another easy means for patient information exposure. There are many services – SafeSync, Dropbox, Box, Google Drive, just to name a few – that provide multi-gigabyte storage for free and they all provide mobile applications. Patient data stored in the cloud is accessible from nearly anywhere on any mobile device that has the right cloud storage client app and login account information. Sometimes you don’t even need that.
Dropbox provides a public folder for each account that anyone can access with a browser, without login credentials and without the Dropbox client app, if the URL of the public folder is known. All it takes is for a healthcare professional to place some patient records into a public folder such as this and then email the URL (or worse, broadcast it on social media) to make those records available to anyone with a single click of the mouse.
Current Privacy Regulations
Even before the mobile technology era, government officials were concerned about protecting patient privacy. On August 21, 1996, then-President Bill Clinton signed into law the Health Insurance Portability and Accountability Act (HIPAA).
Under the law patient data cannot be disclosed without patient consent unless it is necessary to administer benefits, payment, or healthcare. HIPAA mandates that healthcare providers inform patients of their privacy practices. Providers must also disclose whether they are under investigation by the Department of Health and Human Services (HHS) for privacy or other violations. HIPAA acknowledges that patients own their information records and deserve to know who has access to their records.
HIPAA was followed in 2009 by President Obama’s signing of the Health Information Technology for Economic and Clinical Health (HITECH) Act, which widens the scope of privacy and security protections available under HIPAA. Three of the key provisions of the act are:
- Enforcement – Mandatory penalties are imposed on healthcare organizations that “willfully neglect” to protect patient data, including fines of up to $250,000, with repeat or uncorrected violations reaching penalties of up to $1.5 million. The intent of this provision is to make noncompliance with HITECH far more costly to organizations than compliance.
- Notification of Data Breach – Patients must be notified of any unauthorized access to or disclosure of unsecured patient information. If a breach impacts more than 500 patients, HHS must also be notified. HHS will in turn post notification of such a data breach on the HHS website.
- Electronic Health Record (EHR) Access – Any healthcare provider that utilizes an EHR system must furnish patients with their healthcare information in electronic format upon request.
The HITECH Act comes at a good time in this mobile world of ours. It empowers patients to take action against organizations and people who violate their privacy through gross negligence or willful actions.
What are your concerns about personal patient data? Are there laws beyond the U.S. that you think are good models for the handling of patient data on consumer devices? Please let us know in the comments below!
If you would like to learn more about HIPAA and the HITECH Act, please consult these resources:
I work for Trend Micro and the opinions expressed here are my own.