The last time I visited the doctor, he recorded everything on a tablet device. While it’s convenient, mobile security is always at the forefront of my mind. I was doing a bit of reading on mobile security and came across the Medicare and Medicaid (CMS) Electronic Healthcare Records (EHR) Incentive Program. This program gives healthcare providers a financial incentive for demonstrating the meaningful use of certified EHR technology or for adopting, implementing, or upgrading EHR technology. EHR technology allows providers to easily record and share patient data so that it’s consistent and readily available throughout the provider chain. This is certainly a great benefit to all healthcare providers as well as patients. There is no need to transfer records, and records can be updated in real time through handheld devices, patient monitors, or diagnostic tools connected to the network.
However, broader access to electronic databases and the use of additional devices to access that data only add to the already vulnerable IT environment within the healthcare industry. IT components within healthcare are already severely susceptible to hacking and advanced persistent threats. Medical device endpoints, such as monitors and diagnostic tools, could have severely outdated operating systems that don’t lend themselves to standard patching processes. Even personal healthcare devices, such as insulin pumps, have known vulnerabilities, as demonstrated by Jerome Radcliffe when he hacked his own insulin pump. These weaknesses, coupled with the fact that medical practitioners regularly bring their own smartphones and tablets, which are often unregulated at many facilities, leave a provider network open and vulnerable.
The HIPAA Security Rule provides standards for securing electronic health information. These rules are in place to protect patient data through access controls, audit controls, integrity controls, and transmission controls. While important, they rely on the provider to select and implement the necessary security solutions to prevent a data breach. And without proper security for personal and medical endpoint devices, it is only one finger in a dam that has many holes.
Stay tuned for Part 2 later this week, where I discuss the factors to consider when looking at different security solutions.
UPDATE: Part 2 is live! Check out: How to Choose Security Solutions for Mobile Healthcare - Part 2