Protecting Patient Data on Mobile Devices: New HHS Guidance

Marcia Frellick

December 14, 2012

With patient data increasingly transferred via smartphones, laptops, and tablets, physicians and other healthcare providers are facing increasing challenges in keeping the data safe.

Now there's help from the US Department of Health and Human Services (HHS), which opened an online portal December 12 with tips, fact sheets, posters, and videos to help providers lock down private information.

The initiative, "Mobile Devices: Know the RISKS. Take the STEPS. PROTECT and SECURE Health Information," is available on HHS' HealthIT Web site. The site includes advice on topics such as:

  • Encryption: This converts the data so that no one can read it without the decryption key or password. It prevents unauthorized access while the data is in transit — for instance, when accessing an electronic health record system or receiving lab results. Some devices come with built-in encryption. If not, users need to download an app.

  • Passwords: Strong passwords need at least 6 characters, a mix of upper and lower case, and at least 1 number and 1 punctuation mark.

  • Remote disabling: This allows users to erase data if the device is lost or stolen. You can temporarily delete the data remotely and unlock it if the device is recovered.

  • Setting up a firewall: If an unauthorized user is trying to access your data, a firewall can block the attempt. If your system has a built-in firewall, research your device to enable it.

  • Using automatic log-off: Configure a device to log off after a period of time you specify.

  • Using public wi-fi: If you're transmitting data in a coffee shop or airport, use a virtual private network (VPN) or a secure browser (one with https in the Web site address rather than http). Otherwise, people nearby can tap into and even download the data you're transmitting.

  • Verifying app functions: Downloading the wrong mobile app could copy your address book or private data to an unauthorized user without your knowledge. Research the app and read reviews you trust to make sure it performs only the functions you request.

  • Hiding your screen: A privacy screen can keep others around you from seeing what you're seeing.

  • Disposing of devices: Data must be properly deleted before the device is destroyed or reused.

The portal also offers healthcare organizations advice on topics including setting up a systemwide review of how the devices will be used and whether staff may use personal devices for work; setting up a VPN or other secure network for transmissions; and training staff members on use, regulations, and how to report incidents of compromised data.

Mobile technology is quickly becoming standard in healthcare communications. Most physicians — 81% according to Manhattan Research — have already made the switch to smartphones, for instance. However, while mobile technology can make healthcare documentation and communication more efficient and convenient, using the tools incorrectly can have disastrous results.

According to a December report by the Ponemon Institute, a data privacy research firm, 94% of healthcare organizations studied had at least 1 data breach in the past 2 years, and 45% reported more than 5 incidents in that time. Lost or stolen computing devices were among the top 3 sources for the breaches.

A recent report by the accounting firm Kaufman Rossin & Co. found that data reported to the federal government showed that individuals affected by healthcare data breaches doubled from 5.4 million in 2010 to 10.8 million in 2011, though the actual number of breaches decreased in that time.

In addition to the financial losses, the breaches put providers' reputations at risk.

"The loss of health information can have a devastating impact on the trust that patients have in their providers," Joy Pritts, chief privacy officer for HHS' Office of the National Coordinator for Health Information Technology, said in a statement.