Smartphones and tablets are now an integral part of operations in many healthcare settings. Used intelligently, mobile devices can save time, improve clinical documentation, and reduce after-hours EHR time.
But mobile devices also present serious challenges for data security. As the National Cybersecurity Center of Excellence recently announced, “the use of mobile devices to store, access, and transmit electronic healthcare records is outpacing the privacy and security protections on those devices.”
Fortunately, securing mobile health data is both possible and a growing priority for major providers and healthcare organizations. In 2018 the NCCoE and NIST released a Cybersecurity Practice Guide to help healthcare IT specialists share patient EHR data securely on mobile devices. The technology is available and best practices are being implemented more widely.
However, keeping patient data secure also requires action by individual clinicians and smaller medical practices that may not have dedicated IT staff. If you find yourself in this position, you likely have some questions. What basic mobile security practices can you implement? What mobile devices are most secure?
Follow basic mobile security practices
There are some simple things you should and shouldn’t do to protect patient data while using your mobile device.
Follow these 9 steps to make sure you are adequately protecting patient information when you access the EHR from your mobile device:
- Regularly update your operating system (OS) and apps. Just like computers, mobile devices need to be patched often to eliminate software or hardware vulnerabilities after initial release. Accept all OS and app updates immediately.
- Never connect to unsecured Wi-Fi. Unsecured networks include any Wi-Fi you can access without a password, such as at a cafe or in an airport.
- Use discretion when downloading apps. Even if apps look legitimate, they may be infected with malware that could compromise patient data.
- Make sure connected devices are secure. You may plug your smartphone or tablet into a home computer or work laptop to charge it or sync data. If these computers aren’t secure, they could act as a portal for hackers to gain access to your mobile device.
- Lock your phone. Use a password, PIN, or fingerprint when logging in to your mobile device.
- Use secure access when connecting remotely. Always connect to your EHR via a virtual private network (VPN) or through two-factor authentication.
- Use mobile vulnerability scanning. You can’t prevent threats you don’t know about. Mobile vulnerability scanning apps can help discover weaknesses.
- Establish mobile device policies. Whether your clinic owns the device or employees use their own, it is important to have security policies set up that address how smartphones and tablets are used.
- Train employees. Your employees should know about mobile device policies and potential threats like malware. Make sure to include mobile device security in staff training. If you’re an employee, ask your employer what you should know about using your mobile device securely in a clinical setting.
Apple vs. Android: Which is more secure?
While the NIST guide doesn’t endorse particular products, Apple’s iOS is widely considered a more secure operating system than Android.
But let’s be clear – both operating systems can be adequately secured to safely connect to the EHR. The benefits of Android are that mobile devices running it tend to be cheaper, resulting in more users and more available mHealth apps.
When it comes to security, however, iPhone and iPad users have an easier time. Studies have shown that a far higher percentage of mobile malware targets Android than iOS. That’s due to Android’s huge global popularity and its open-source approach. Apple, by contrast, tightly controls which apps are available on its App Store. This vetting process keeps out nearly all malware.
A major reason for Apple’s better performance is that iOS users typically update their software shortly after new releases. Many threats to Android could be largely eliminated if all users upgraded their devices to the latest OS, but this isn’t what happens.
Long story short – for the casual smartphone or tablet user, Apple is a more secure environment. Healthcare providers should keep this in mind when choosing the best mobile health device for their clinical work.
Review security guides for providers and professionals
Do you want to learn more about mobile health and data security?
The ONC has resources to help health care professionals protect health information and secure their mobile devices. Review these guides so that you and your staff know the risks and take necessary steps to secure health information on your mobile devices.