Background: One of the key goals of the Federal Health Information Technology Strategic Plan is to inspire confidence and trust in health IT and electronic health information exchange by protecting the confidentiality, integrity, and availability of health information. ONC’s Office of the Chief Privacy Officer (OCPO), along with the HHS Office for Civil Rights (OCR), recently launched a privacy and security mobile device project. The project builds on the existing HHS HIPAA Security Rule - Remote Use Guidance and is designed to identify privacy and security good practices for mobile devices. The identified provider use case scenarios and good practices to address those scenarios will be communicated in plain, practical, and easy to understand language for use by health care providers, professionals, and other entities.
Roundtable Purpose: To gather public, industry, and subject matter expert input that will help inform the development of an effective and practical way to bring awareness and understanding to those in the clinical sector regarding securing and protecting health information while using mobile devices.
Roundtable Objectives:
- Address the current privacy and security legal framework for mobile devices accessing, storing and/or transmitting health information;
- Discuss real world usage of mobile devices by providers and other health care delivery professionals to understand their expectations, attitudes, challenges and needs;
- Gather input regarding the information (and format) providers and other health care delivery professionals want and need to help them safeguard health information on their mobile devices; and
- Gather input on existing and emerging privacy and security good practices, strategies and technologies for safeguarding data on mobile devices.
My overall answer is that mobile devices are not different than any other. Mobile devices are just more likely to get lost or stolen (for pawn). It is this increased likelihood (of known risks) that needs to be considered. Thus good application design keeps sensitive information off of the device. Since this is a USA domain, it is quite easy to point at NIST, who have excellent guidelines on this topic:
- NIST Guidelines on Cell Phone and PDA Security SP800-124.pdf
- NIST Guide to Storage Encryption Technologies for End User Devices SP800-111.pdf
- NIST Recommended Security Controls for Federal Information Systems and Organizations SP800-53-rev3-db
What is not clear in the HHS/ONC initiative is whether they are talking about general-purpose mobile devices or special-purpose 'medical devices'. Not much changes, but some critical things do, such as control of the configuration. In the case of a medical device there is joint control: the Breach Notification obligation is in the Covered Entity's hands, but the safe-and-effective obligation is in the Medical Device vendor's hands. This is the topic of Encryption is like Penicillin.