Risk Management for Mobile Devices
Guidance on Privacy, Security Essential
Back at the turn of the century, I remember seeing the early versions of tablets and PDAs and predicting that mobile devices eventually would supplant PCs in healthcare - but only if the devices got smaller, lighter, cheaper and more powerful.
And here we are. Powerful smart phones and tablets are everywhere. Physicians, nurses and others are using them routinely. And the Department of Veterans Affairs, the nation's largest healthcare provider, expects mobile devices to replace desktop computers for most clinical uses.
But are we ready to handle all the risks involved in the mobile revolution? I fear not.
Just take a look at the list of major health information breaches and you'll notice that a majority of the incidents have involved lost or stolen unencrypted devices - most often mobile devices. Clearly, the industry has a long way to go in making the most of encryption, as well as carefully considering whether it makes sense to store patient information on mobile devices in the first place.
So it's good to see that some guidance on mobile device privacy and security best practices is in the works.
The Department of Health and Human Services announced this week that it's launching a project aimed at describing best practices (see: Mobile Security Best Practices Sought). HHS has a mobile device guidance document that dates back to 2006. So an update is long overdue, given the pace of technology development.
Meanwhile, Terrell Herzig, information security officer at UAB Health, tells me that he's working with the American Health Information Management Association on forthcoming guidance in the mobile arena. And that's good news too. Be sure to check out Herzig's mobile device policy tips in a recent guest blog.
Surely, the VA's groundbreaking effort to deploy about 100,000 iPads and iPhones by next year will offer plenty of "lessons learned" for the rest of us. Roger Baker, the VA's CIO, announced this week that the big push to roll out the devices won't come until a robust, enterprisewide mobile device management system is in place (see: VA's Use of Mobile Devices: An Update).
Baker says the mobile device management system, which will monitor all devices, "is going to play a pretty critical role for us." Using a mobile device management system could prove to be a best practice for other large organizations as well.
Meanwhile the BYOD trend continues, and organizations, including the VA, are figuring out how to accommodate the use of personally-owned devices for business purposes. This could prove to be the trickiest area for best practice development. But BYOD is here to stay, so security for personal devices needs to become a risk management priority.
If your organization has developed some mobile device privacy and security best practices, we'd be delighted to hear from you.