- 96% of healthcare organizations have experienced at least one data breach in the past two years.
- Only 23% of health care organizations use mobile device encryption.
- Nearly half of healthcare organizations do nothing to protect data on mobile devices.
Now consider that the number of physicians using smartphones has escalated rapidly in recent years. Coincidence? Leading experts think not.
Recent reports by Manhattan Research have found more than 81% of physicians use a smartphone, up from 72% in 2010. And according to research released in December by Ponemon Institute, data breaches have risen 32% in the past year.
The report didn’t specify the percentage of breaches from mobile devices, but it did conclude that “Widespread use of mobile devices is putting patient data at risk.”
Mobile devices create a security risk in two ways. First, data can reside on the device itself, where it can be accessed, and a smartphone’s size makes it easier to lose than a laptop. Second, the device can be a way of gaining access to data that reside on the health care organization’s electronic medical record systems. Either way, someone who steals a physician’s smartphone or finds a lost one can gain valuable data if that phone isn’t secured.
Mobile device security is a primary concern throughout the healthcare field.
Analysts say mobile devices are like other new information technology in health care: A technology is introduced, and the rate of adoption outpaces efforts to ensure its security.
Many hospitals are aiming to bridge that gap by improving security so any mobile device a physician uses may access their EMRs safely.
Adjusting to physicians’ mobile use
Many hospitals initially struggled to meet the demand of physicians who wanted to use their personal mobile devices, rather than those given out by hospitals, to access their hospital’s EMR system.
Some organizations are now making it very plain: if their systems can’t be used securely by a certain mobile device, then no access is granted. Early versions of some smartphones aren’t capable of being encrypted and secured properly, so physicians are not being allowed to use them to connect with the hospital’s data centers.
Or, in exchange for hospital system access, physicians’ personal devices can be subjected to the same security processes as any other hospital information technology. So if a phone is reported lost, it will be remotely wiped of its data. Physicians must sign an agreement to that policy before they are granted access.
What physicians can do
Physicians can help by making sure their phones are encrypted. Software is readily available that will encrypt smartphones and mobile devices. Under the privacy and security regulations of the Health Insurance Portability and Accountability Act, encryption offers a safe harbor for organizations and practices that have a lost device.
Experts also recommend that physician practices set policies on mobile use, with attention paid to security measures, such as antivirus software and password protection.
Any questions? Contact Morgan Hunter HealthSearch, and we’d be happy to share our expertise.