The Office of the National Coordinator for Health IT will help small providers learn how to secure their smartphones and other mobile devices.
Research shows that about 81 percent of physicians use smartphones or tablet devices. The small size of these devices makes them easy to lose on subways and airplanes and susceptible to theft. Yet few people safeguard them, for example by using encryption, which makes it easy for unauthorized users to access information.
The ONC has conducted research on mobile endpoint security, taking devices from local electronics stores and applying manual configuration, said Will Phelps, an IT security specialist in the ONC’s Office of the Chief Privacy Officer.
"You have to make sure that the devices are able to apply the appropriate security controls to make sure that the patient records are protected. We want to reach out to the provider community to make sure that they are able to do these things," he said during the Government Health IT conference, held this past week in Washington DC and sponsored by HIMSS.
The ONC has found that most mobile phones don't meet more than 40 percent of security requirements, such as the ability to encrypt information, Phelps said.
After manual configuration, test results improved significantly, he said – especially for the iPhone and BlackBerry models, which met 60 percent of the security requirements. Other phones did not fare as well after manual configuration.
Initially, the ONC will focus on small and medium-sized providers. “They may not have an IT staff or third-party vendor to manage their devices for them, so we want to get them to a point where their devices are operating as securely as possible,” Phelps said, adding that the security configurations are available on the devices but must be manually configured.
The ONC will describe scenarios or use cases around which to offer practical information for mobile device security, said Kathryn Marchesini, an attorney in the ONC’s Office of the Chief Privacy Officer. These will include remote use from a coffee shop, sending e-mail, and what to do if providers bring their own devices, which may not necessarily be credentialed in the organization, including whether they should be allowed to connect to the system’s network.
Some providers may not realize they need a policy around the use of mobile devices or that they need to take an inventory of mobile devices. “It may seem basic, but we hear every day that practicing providers are struggling with these issues," Marchesini said.
The Health Insurance Portability and Accountability Act (HIPAA) provides security guidance around remote use. The proposed rule for meaningful use stage 2 also calls for encryption of data at rest.
In its next phase, the ONC will test third-party vendor security tools applied to devices to see how well they score on information protection. Overall, the ONC plans to design outreach to vendors, providers and patients on mobile device security awareness and training.
The ONC is also bringing the regional health IT extension centers into its mobile security outreach. The centers offer technical assistance in providers’ offices "to make sure we identify real scenarios and practical solutions," Marchesini said.
The ONC plans to develop best practices for securing mobile devices later this year.