Physician use of tablets, such as the iPad, is undoubtedly on the rise. According to a recent QuantiaMD study, roughly 30 percent of physicians use a tablet, compared with 5 percent of the general U.S. consumer population. Nineteen percent of physicians also use tablets in a clinical setting.
Physicians are early adopters of this still-new and growing technology, but increased usage leads to increased and unforeseen challenges. Kerry Shackelford, healthcare practice leader at Coalfire Systems, an IT audit and compliance firm, says many tablets that are used in clinical settings simply don't have the level of security that is needed, especially if the tablet is not issued by the hospital. Mr. Shackelford shares five security features that should be equipped on any hospital or physician tablet.
1. Individualized authentication. As a basic Health Insurance Portability and Accountability Act security rule standard, if a device is going to have access to a patient's protected health information, it has to have some basic features, such as individualized authentication, Mr. Shackelford says. The tablet must require the user to identify themselves uniquely, typically through entry of a valid user ID and password so it knows it is communicating with its specific user.
This basic level of user authentication security is so crucial due to the widespread amount of data breaches that have occurred across the country. Mr. Shackelford says under the Health Information Technology for Economic and Clinical Health Act, all breaches of PHI must be reported to the individual, and if 500 or more people are affected, it must also be reported to the Department of Health and Human Services as well as the media. Restricting the device to an individualized, authenticated user is the most basic of features to avoid data breaches, he says.
2. Encryption of data. The number one breach as reported by HHS is the lost laptop or device containing unencrypted electronic PHI. "You are not required to encrypt data at rest [under HIPAA], but it's hard to justify not doing it under HIPAA's requirement to perform a thorough risk analysis," Mr. Shackelford says.
He adds that hospitals really shouldn't consider it optional to encrypt data on their tablets because a portable device with PHI is simply too big of a target. "Data in place on a server is at lower risk than data on a handheld device that could be easily lost," he says.
3. Antivirus and operating system protections. All tablets simply must have antivirus programs to guard against malware, spyware and other malicious software. Similarly, Mr. Shackelford warns against hospital IT staff "jail breaking" tablet devices. Jail breaking is when someone tampers with the operating system, exposing the system to vulnerabilities and, potentially, the ability to install and run non-licensed or vulnerable applications.
4. Removal of unnecessary functions and applications. A tablet's ability to download different applications, or apps, is an area of risk, Mr. Shackelford says. Free or inexpensive apps downloaded from the Internet may be malicious and may not operate as advertised. "There could be malicious applications on a device, and with medical records access, you can't always trust the [app] you downloaded," he says. "Limiting the functions and apps on the device to reduce the risk of introducing apps that may not be trustworthy is a general hardening rule."
5. Wireless network firewalls. Placing firewalls between wireless networks and the different parts of a hospital's or practice's internal network could cut off the point of entry for outsiders. Wireless network users typically need network keys to connect, but firewalls are added insurance against outside hackers using a compromised wireless environment to get inside the wired network. "If the wireless [tablet] were to be compromised, a firewall is going to restrict the infection from getting any further," Mr. Shackelford says.
Almost One-Third of Physicians Embrace iPad Technology
Study: Physician Use of Tablets on the Rise
Physicians are early adopters of this still-new and growing technology, but increased usage leads to increased and unforeseen challenges. Kerry Shackelford, healthcare practice leader at Coalfire Systems, an IT audit and compliance firm, says many tablets that are used in clinical settings simply don't have the level of security that is needed, especially if the tablet is not issued by the hospital. Mr. Shackelford shares five security features that should be equipped on any hospital or physician tablet.
1. Individualized authentication. As a basic Health Insurance Portability and Accountability Act security rule standard, if a device is going to have access to a patient's protected health information, it has to have some basic features, such as individualized authentication, Mr. Shackelford says. The tablet must require the user to identify themselves uniquely, typically through entry of a valid user ID and password so it knows it is communicating with its specific user.
This basic level of user authentication security is so crucial due to the widespread amount of data breaches that have occurred across the country. Mr. Shackelford says under the Health Information Technology for Economic and Clinical Health Act, all breaches of PHI must be reported to the individual, and if 500 or more people are affected, it must also be reported to the Department of Health and Human Services as well as the media. Restricting the device to an individualized, authenticated user is the most basic of features to avoid data breaches, he says.
2. Encryption of data. The number one breach as reported by HHS is the lost laptop or device containing unencrypted electronic PHI. "You are not required to encrypt data at rest [under HIPAA], but it's hard to justify not doing it under HIPAA's requirement to perform a thorough risk analysis," Mr. Shackelford says.
He adds that hospitals really shouldn't consider it optional to encrypt data on their tablets because a portable device with PHI is simply too big of a target. "Data in place on a server is at lower risk than data on a handheld device that could be easily lost," he says.
3. Antivirus and operating system protections. All tablets simply must have antivirus programs to guard against malware, spyware and other malicious software. Similarly, Mr. Shackelford warns against hospital IT staff "jail breaking" tablet devices. Jail breaking is when someone tampers with the operating system, exposing the system to vulnerabilities and, potentially, the ability to install and run non-licensed or vulnerable applications.
4. Removal of unnecessary functions and applications. A tablet's ability to download different applications, or apps, is an area of risk, Mr. Shackelford says. Free or inexpensive apps downloaded from the Internet may be malicious and may not operate as advertised. "There could be malicious applications on a device, and with medical records access, you can't always trust the [app] you downloaded," he says. "Limiting the functions and apps on the device to reduce the risk of introducing apps that may not be trustworthy is a general hardening rule."
5. Wireless network firewalls. Placing firewalls between wireless networks and the different parts of a hospital's or practice's internal network could cut off the point of entry for outsiders. Wireless network users typically need network keys to connect, but firewalls are added insurance against outside hackers using a compromised wireless environment to get inside the wired network. "If the wireless [tablet] were to be compromised, a firewall is going to restrict the infection from getting any further," Mr. Shackelford says.
Related Articles on Medical Tablets:
New Health IT Ideas Aim to Solve Communication ProblemsAlmost One-Third of Physicians Embrace iPad Technology
Study: Physician Use of Tablets on the Rise