Patient information has to be protected, whether it is on a desktop computer, an iPad, a tablet PC or a smartphone, said Rob Melendez, MD, MBA, a comprehensive ophthalmologist at a private practice in Albuquerque, N.M. And the increasing prevalence of mobile computing poses new challenges as you strive to keep sensitive data from prying eyes.
Two major concerns for data security. “What happens if your device falls into the wrong hands?” said Rob McCord, chief technology officer for Digital Acumen, a technology consulting firm. And you should be aware that if you’re out and about with your mobile device, “it’s very easy for someone to capture the raw stream of data just as you’re going by.”
Fortunately, ophthalmic practices can lower the risks substantially by adopting clear, well-enforced policies about mobile computing and by installing firewalls and low-cost security applications (“apps”) on all mobile devices, said Mr. McCord.
Be Prepared for Loss of the Device
Auto-lock your phone. Set your mobile device to lock automatically between uses and to be unlocked with a password, said Mr. McCord.
Find your missing device with geolocation. Mobile security apps, such as Find My iPhone, Mobile Defense (for Android and other systems), Lookout (Android) and Find My Phone (standard on Windows Phone 7), can help you recover your phone—but only if the device’s geolocation function is turned on. Installed on your mobile device, these security apps can use GPS and wireless hotspot locations to pinpoint the device’s location if it ever should go missing. “But if the app locates a phone that you think was stolen, rather than simply mislaid, it’s generally recommended that you not go look for it yourself,” said Mr. McCord.
Be ready to disable missing devices, and erase your data. You can access your missing device remotely from another computer, via your security app, and prevent a thief from viewing information stored on the device. For instance, the phone-finder apps can lock the device (rendering it unusable), tell the device to sound a loud alarm and “wipe” it of all data. “You can go to the police with the [location] information, but time may be of the essence, so the ability to remotely wipe the data from a missing device would certainly be your best defense,” said Mr. McCord. “Also, on some devices you can set it up so that the device locks after a thief makes a certain number of failed attempts to log in.”
Engraving devices can discourage theft. Thieves typically steal electronic devices in order to resell them, which is more difficult when devices are engraved with your name or that of your practice. Furthermore, if a device is lost, rather than stolen, the engraved details will help the finder return it to you.
Disposal of Old Devices?
In order to protect your patient data, and that of the practice, you need to be careful when disposing of old smartphones, laptops and other devices. “Destroy your data on the phone if you give your phone away,” said Dr. Shah. The same goes for desktop computers and office equipment. Some printers, copiers and fax machines, for instance, store digital copies of patient records that should be deleted before passing the machine to someone else.
For more information on disposal of old devices, visit www.eyenetmagazine.org/archives to read “Make Sure Your HIPAA Security Plan Covers the Disposal of Your Old Computers” (Practice Perfect, February 2006).
Tips for Using Devices Securely
Keep your operating system’s software up-to-date. Software updates usually contain patches that are crucial to the device’s security and that help counter evolving threats, said Mr. McCord.
Don’t store patient information (even e-mail addresses) on mobile devices. Electronic health record (EHR) systems should store patient information solely on the server computers, at the office or hospital, said Mr. McCord. This policy should be explicitly stated to all employees, and the message must be reinforced regularly.
Turn off unnecessary features that might let hackers in. If you aren’t using Bluetooth or browsing the Internet wirelessly, you should turn off those features on your device, said Vinay A. Shah, MD, who is a clinical assistant professor of ophthalmology at the University of Oklahoma and is on the vitreoretinal faculty at the Dean McGee Eye Institute.
Use a virtual private network to access data. The most secure architecture for remote access of EHRs is a virtual private network (VPN), said Mr. McCord. VPNs create a direct “tunnel” through which only the mobile device and the server computer communicate. All the data are encrypted during transmission.
“With my iPad, I can access my EHRs from home, which is very convenient,” said Dr. Melendez. “But I use a VPN that our practice’s IT team set up, which is very secure.”
Be leery of unsecured Wi-Fi hotspots. Without security features, wireless networks transmit exactly what you type. Other people on the network can hijack unencrypted information as your keystrokes are transmitted to the wireless network. If you do use Wi-Fi in a café or airport, do not access patient files and do not visit websites that require typing in a password or a credit card number.
Choose strong passwords. Passwords should be long (at least eight characters, preferably more), should contain at least three different character types (e.g., upper- and lowercase letters, numerals and nonalphanumeric characters, like # or $) and should not be similar to passwords that you are already using elsewhere on the Internet. You also should change your passwords frequently, said Dr. Melendez.
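As an added example (not code from the article or its sources), the password rules just described can be turned into a simple policy check: a minimum length of eight characters, at least three of four character types, and rejection of any candidate that closely resembles a password already in use. The similarity threshold and the use of a character-level ratio for "similar" are assumptions, not something the article specifies.

```python
import re
from difflib import SequenceMatcher

MIN_LENGTH = 8          # article's floor: at least eight characters
MIN_CLASSES = 3         # article's rule: at least three different character types
MAX_SIMILARITY = 0.8    # assumed threshold for "too similar to an existing password"

# The four character types the article names: upper, lower, numerals, nonalphanumeric.
CHARACTER_CLASSES = {
    "lowercase": re.compile(r"[a-z]"),
    "uppercase": re.compile(r"[A-Z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}


def character_classes(password):
    """Return the set of character types present in the password."""
    return {name for name, rx in CHARACTER_CLASSES.items() if rx.search(password)}


def similarity(a, b):
    """Similarity ratio in [0, 1]; case-insensitive so 'Clinic#2011' ~ 'clinic#2010'."""
    return SequenceMatcher(None, a.lower(), b.lower()).ratio()


def check_password(password, existing_passwords=()):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"too short: {len(password)} < {MIN_LENGTH} characters")
    classes = character_classes(password)
    if len(classes) < MIN_CLASSES:
        problems.append(f"only {len(classes)} character type(s); need {MIN_CLASSES}")
    # Reuse check: a minor variation of an old password counts as "similar".
    for old in existing_passwords:
        if similarity(password, old) >= MAX_SIMILARITY:
            problems.append("too similar to a password already in use")
            break
    return problems


if __name__ == "__main__":
    # Constructed sample candidates, not real credentials.
    for candidate in ("Retina!Scan7", "eyeclinic", "Ab1!", "Clinic#2011"):
        print(candidate, check_password(candidate, ["clinic#2010"]) or "OK")
```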
Watch out for Trojan horses. Don’t let malicious software, hidden inside a downloadable app, sneak into your mobile device. To reduce this risk, you should download only a few mobile apps, and only from trustworthy sources.
Hitchhiking malicious software (“malware”) is considered less likely with a BlackBerry, which has strong encryption and other security protocols, and with the iPhone. Apple takes the precaution of screening downloads for malware before making them available on the iTunes store.
Apps for smartphones with the Google Android operating system are not screened for malicious code, and there have been several instances of hidden malware in Android apps.1
Practice Devices vs. Personal Devices
It is important to have clear policies against handling patient information on personal devices—whether it is a smartphone, laptop or USB drive—especially if the data are unencrypted. If the device is stolen, any resulting loss of confidential patient data would be a HIPAA violation, said Mr. McCord.
But tech-savvy MDs sometimes can find such a policy difficult to heed, particularly for e-mail, said Dr. Shah. “Although many institutions have policies against the use of personal devices for sending clinical e-mails, the temptation to do so is great,” said Dr. Shah. “Most people use their phone in some form. It may be through your hospital system account or through your Gmail or Yahoo account.”
Mobile Devices as Clinical Tools
As mobile devices are increasingly employed as clinical tools, you should stay alert for ways in which you might impinge on patient privacy. For instance, Dr. Shah has often photographed patients’ eyes with his smartphone—but only after the patient signed an electronic media consent form. A form is included in Dr. Shah’s Eye Handbook app (see box, below).
But using a mobile phone as a clinical tool raises thorny policy questions for the FDA, said Dr. Shah. “It’s getting to the point that we need to ask whether the smartphone has become a medical device,” he said. “And if it is, at what point should the FDA be regulating all this? It’s unclear to me where you draw the line.”
1 Mills, E. More malware targeting Android. Posted July 11, 2011, at CNET’s InSecurity Complex blog. news.cnet.com/8301-27080_3-20078606-245/more-malware-targeting-android/ Accessed Aug. 10, 2011.
GOT TIPS ON DATA SECURITY? If you have any suggestions, post them in the comments section of the online version of this article at www.eyenetmagazine.org. For general discussion of mobile computing or EHRs, you also can visit the Wired Ophthalmologist Group and the EHRs in Ophthalmology Group at www.aao.org/community.