The Security Scrutinizer with Howard Anderson

Risk Management for Mobile Devices

Guidance on Privacy, Security Essential

Back at the turn of the century, I remember seeing the early versions of tablets and PDAs and predicting that mobile devices eventually would supplant PCs in healthcare - but only if the devices got smaller, lighter, cheaper and more powerful.

And here we are. Powerful smartphones and tablets are everywhere. Physicians, nurses and others are using them routinely. And the Department of Veterans Affairs, the nation's largest healthcare provider, expects mobile devices to replace desktop computers for most clinical uses.

But are we ready to handle all the risks involved in the mobile revolution? I fear not.

Just take a look at the list of major health information breaches and you'll notice that a majority of the incidents have involved lost or stolen unencrypted devices - most often mobile devices. Clearly, the industry has a long way to go in making the most of encryption, as well as carefully considering whether it makes sense to store patient information on mobile devices in the first place.

So it's good to see that some guidance on mobile device privacy and security best practices is in the works.

The Department of Health and Human Services announced this week that it's launching a project aimed at describing best practices (see: Mobile Security Best Practices Sought). HHS has a mobile device guidance document that dates back to 2006. So an update is long overdue, given the pace of technology development.

Meanwhile, Terrell Herzig, information security officer at UAB Health, tells me that he's working with the American Health Information Management Association on forthcoming guidance in the mobile arena. And that's good news too. Be sure to check out Herzig's mobile device policy tips in a recent guest blog.

Pioneering Effort

Surely, the VA's groundbreaking effort to deploy about 100,000 iPads and iPhones by next year will offer plenty of "lessons learned" for the rest of us. Roger Baker, the VA's CIO, announced this week that the big push to roll out the devices won't come until a robust, enterprisewide mobile device management system is in place (see: VA's Use of Mobile Devices: An Update).

Baker says the mobile device management system, which will monitor all devices, "is going to play a pretty critical role for us." Using a mobile device management system could prove to be a best practice for other large organizations as well.

Meanwhile, the BYOD trend continues, and organizations, including the VA, are figuring out how to accommodate the use of personally owned devices for business purposes. This could prove to be the trickiest area for best practice development. But BYOD is here to stay, so security for personal devices needs to become a risk management priority.

If your organization has developed some mobile device privacy and security best practices, we'd be delighted to hear from you.

About the Author

Howard Anderson

Former News Editor, ISMG

Anderson was news editor of Information Security Media Group and founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.
