At the Mobile Devices Roundtable last Friday, a common theme emerged from the discussion that security policies haven’t quite caught up to technology. The gathering of public and industry leaders was sponsored by the Office of the National Coordinator (ONC) and the Office for Civil Rights (OCR), to foster conversation around securing and protecting health information while using mobile devices.
During the panel discussion “Real World Usages of Mobile Devices by Providers,” participants noted different ways they have implemented mobile technology in their practice settings. Christopher Tashjian, M.D., a family physician and chief of medicine for the River Falls Area Hospital (Wisconsin), said his top three considerations for integrating mobile applications into his practice were instant access to information, the ability to access patient records to provide better care, and the facilitation of communication to patients to reduce the cost of care.
Tashjian said that a year ago physicians at his organization would text X-rays to specialists, but had to cease doing that to adhere to HIPAA policies. His organization is now trying to move forward with work-arounds, for example, by messaging an image of a fracture, but not including any patient-identifiable data.
Jacob DeLaRosa, M.D., a cardiovascular surgeon at Idaho State University, and chief of cardiothoracic and endovascular surgical services at Portneuf Medical Center (Boise, Idaho), said he used a mobile device to view cardiology reports, coronary angiography reports, and CT scans. This allows him to give his medical opinion quickly over the phone, he said, instead of having to drive to the hospital to view reports.
The Healthcare Information and Management Systems Society (HIMSS) is currently working on promoting a few key initiatives in the mobile health area, including a HIMSS Mobile Technology Survey that was released last fall. The survey found that the majority of respondents (84 percent) look up non-PHI health information, while 75 percent of respondents view patient information, and 28 percent of respondents are permitted to store patient information on their mobile devices, said Lisa Gallagher, senior director of privacy and security at HIMSS. The survey also found clinicians were most concerned about the speed of data access, privacy and security, and screen resolution when accessing information via mobile device. HIMSS is sponsoring an mHealth summit in December, and working on enhancing a mobile security toolkit with best practices, etc.
Care Transitions and ACOs
Panel participants were enthusiastic about the prospects of using mHealth for aiding care transitions, especially from acute settings to long-term care facilities, and facilitating the creation of accountable care organizations (ACOs). Steven Jeffery Heilman, M.D., CMIO, Norton Healthcare, said organizations leveraged eVisits to administer preventative care to patients earlier to avoid costly hospital admissions later.
Tashjian said his organization has already signed total cost of contracts, and was using mobile technology to track congestive heart failure (CHF) patients. Meri Shaffer, R.N., clinical systems analyst, Montefiore Home Care (New York City), said her organization, too, was using home monitoring to keep CHF patients out of the hospital.
BYOD vs. Enterprise
Panelists were on both sides of the fence when it came to deciding whether organizations should furnish mobile devices or allow clinicians to bring their own. Shaffer said that nurses in the home health industry expect to be issued a mobile device for their practice, which she finds a much cleaner way to deal with security issues. Heilman said years ago his IT department only supported PCs and BlackBerry devices, but then outrage from users with Apple products forced the IT department to support them. Heilman noted that some users expressed suspicion about policies, such as wiping devices after too many incorrect log-ins, because they seemed too much like “Big Brother.”
Gallagher noted that organizations can save a tremendous amount of money using a BYOD approach, but they need to get a handle on setting a usage policy and training end users accordingly. She noted that organizations can look in the HIMSS mHealth toolkit for sample user agreements by organizations that have been successful in this area.
Privacy and Security
DeLaRosa said that policies aren’t always in step with technologies in the industry, and many times there is a disconnect between policymakers and clinicians. He hoped the industry could come up with a set of standardized policies for organizations to then make their own. DeLaRosa’s organization uses multiple user prompts, which confirm that the clinician is accessing the correct patient file, before the clinician can access the patient’s information. Then, once the file is reviewed, it is audited with the ID of the clinician who accessed it.
Tashjian advocated that clinicians shouldn’t be completely responsible for security, and the onus should be left to the vendors. He said he didn’t think it was safe to store information on the mobile device, and it was a reason his organization chose an application service provider (ASP) EHR. His organization mandates users to sign a mobile agreement, have a passcode on their device, and perform a remote wipe if the device is lost or stolen.
Shaffer said her organization doesn’t trust the security of public Wi-Fi. It has policies to prohibit home care workers in the field from using public Wi-Fi to access patient records; however, she admits, it is difficult to monitor and enforce. Montefiore gives out Sprint wireless cards to employees, but even that is not always dependable to access wireless networks in particular remote or populated areas, she said. Security has to be at a software level to be truly reliable, she said.
“Where we really struggle is this mushrooming of opportunities that sits in front of us,” said Tashjian. “How do we choose the right one? How are we going to choose the ones that are actually going to help us, because we can’t afford to go down the wrong road.”