Mobile Devices in Healthcare: High Rewards, High Risks

June 27

Healthcare IT will have to contend with mobile technology—mHealth as it has come to be called—whether it likes it or not. In a BYOD (bring your own device) world built on pervasive wireless Internet access, infrastructure takes on an entirely new meaning. Healthcare providers’ IT departments didn’t ask for devices offering untethered access to electronic health record (EHR) systems. Doctors did.

As a global technology vendor executive told session attendees at a recent government health IT conference, the sector is in the midst of an ecosystem change, “a fundamental and material shift” based on “the notion of intelligent processors being attached to everything.” He confidently predicts mHealth will transform healthcare in much the way the Web changed retail.

Hospitals and other care providers tolerate mobile devices like pads, tablets, and smartphones because doctors and their colleagues like them. Many providers see the potential for greater patient engagement, hence better outcomes, through mobile devices. That, and practitioners’ fondness for on-demand data exchange, has increased EHR utilization, a key factor for organizations that need to show Meaningful Use in order to retain their federal incentive dollars. So far, so good.

But every silver lining has a cloud: healthcare data security issues will never be the same, and they will always be more difficult, more complex, and more vital to the well-being of patients, providers, and payers alike. It’s not just HIPAA, either.

Two disruptive technologies are converging. One, the EHR, represents a major upheaval in every process in the continuum of care, including business processes. The other, mobile devices, has turned out to be the unanticipated disruption, affecting hardware and software use and development alike. When they converge in mHealth, systems of record also become systems of engagement.

Healthcare system administrators must now accept the fact that they face security problems unimaginable when the Bush administration first announced a national initiative to standardize EHRs. The subsequent implementation of EHRs, as mandated by the ACA, put all of healthcare in the middle of the most widespread changes to the field since the Flexner Report led to the establishment of science-based medicine as standard practice in the US in 1910.

Now, amidst the noise, dust, and confusion of EHR adoption, healthcare IT departments have to find ways to provide both access and security for what amount to ad-hoc networks notable for the varieties of hardware and operating systems employed. Tightly controlled and monitored networks are strictly passé. Healthcare IT security must contend with the possibility of infinite variation while meeting HIPAA’s stringent requirements.

Policy, enforcement, and user training regarding mobile devices in the workplace can take care of about half of all security breaches, according to Health and Human Services, which cites insider access and lost or stolen hardware like notebooks and tablets as sources of grief. Hackers, bane of IT security worldwide, account for only about 12 percent. Breaches in paper records, about a quarter of the total, will likely decline as older records are disposed of or archived properly and paper use (it isn’t going away) is better managed.

That brings us back to hackers. Attacks now target high-value data repositories. No longer content to bask in that oxymoronic combination of widespread notice for one’s malicious, anonymous work, modern cybercriminals want to sell the data they steal or use it for fraudulent claims. (Medicare is a big, big target.)

Hacker tools are modern, too, and far more sophisticated than the simple viruses and worms of the Internet’s good old days. Detecting malware has become as much art as science. Once, blocking viruses and worms based on digital signatures – their binary code’s “shapes,” if you will – could thwart most attacks. Their replacements, botnets and the like, have no easily distinguished signatures and must be identified instead by their behavior. Even under the best of current circumstances, they may still escape detection until after they act – like so-called zero-day exploits that target previously unknown vulnerabilities.

Healthcare IT is at a cultural turning point. Though reduced to near-cliché status, the expression “with great power comes great responsibility” applies more than ever to healthcare IT. Once, system administrators only had to deal with the responsibility of wielding power, usually by limiting access. Now they have a new role, protecting the power of universal access.
