Remote Access to PHI Subject of New ONC Initiative

The Office of the National Coordinator for Health IT (ONC) recently launched a Privacy & Security Mobile Device project. Today I received an email about it.

Privacy and Security Mobile Device Good Practices Project Launched

ONC’s Office of the Chief Privacy Officer (OCPO), in working with the HHS Office for Civil Rights (OCR), recently launched a Privacy & Security Mobile Device project.

The project goal is to develop an effective and practical way to bring awareness and understanding to those in the clinical sector to help them better secure and protect health information while using mobile devices (e.g., laptops, tablets, and smartphones). Building on the existing HHS HIPAA Security Rule – Remote Use Guidance, the project is designed to identify privacy and security good practices for mobile devices. Identified good practices and use cases will be communicated in plain, practical, and easy to understand language for health care providers, professionals, and other entities.

HHS will be looking for your input. Stay tuned for a public roundtable this Spring.

The proliferation of laptops, smartphones, and tablets and their use to access Protected Health Information (PHI) of patients has lots of people worried. Some of the largest breaches of data reported have been through the loss of laptop computers. In November 2010, ONC developed a document on Cybersecurity: 10 Best Practices for the Small Healthcare Environment relating to offices and networks. The problem is that during the last 18 months, smartphones and tablet computers like iPads and Kindles that can access the Internet have become ubiquitous.

The biggest problem with using these devices to remotely access PHI is that there are not yet security protocols and procedures in most organizations aimed at guaranteeing the privacy of the PHI accessed remotely.

Imagine for a moment: your physician is sitting in a coffee bar with a public wi-fi when s/he gets a call that you need an emergency refill of your blood pressure medication. The doctor uses a smartphone to login to the ePrescribing software used by the practice and sends the prescription to your pharmacy. Doctor finishes the cup of coffee, slips the phone into a jacket pocket and gets up to leave the shop. Unfortunately, the phone does not make it into the pocket and winds up on the chair as the doctor leaves.

You know the rest of the story. Someone finds the phone and messes around with it while deciding whether to try to find the owner. Since Finder can start everything on the phone (you see, there is no password), they can go right back to the last app used to see what the owner was doing. Since Doctor had the browser set to save passwords, Finder can log right into the ePrescribing software. . . .

Unfortunately, additional scenarios are also possible. That public wi-fi is known to everyone in the neighborhood and there are a couple of folks who sit around drinking their coffee capturing usernames and passwords from insecure sites. Who knows what they are capturing and accessing . . . maybe your username and password for your organization’s network!

The biggest concern with mobile devices is that they have proliferated so rapidly that organizations have not had the opportunity to develop protocols and adequately train staff members to have some semblance of a guarantee that PHI is secure. So ONC is doing what it can to shed some light on the subject and increase awareness.

In the meantime, this article has 5 security tips for your smartphone or tablet.

What is your organization’s policy about accessing protected health information remotely? Do you have policies?

Please share your comments below.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes:

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

This site uses Akismet to reduce spam. Learn how your comment data is processed.