How to secure your iPhone or iPad for medical use

Dr. John Halamka recently posted a very useful guide on his widely read blog “Life as Health Care CIO”, advising medical professionals on how to secure their iOS devices.

The important points were:

1. Make sure you’re running the latest iOS version
2. Use the “Find My iPhone” service, in case the device is lost. This will require downloading the free app from the Apple App Store and setting up a new MobileMe account.
3. Use the iPad's auto-lock feature

He also provided specifics on the passcode feature, such as using a long passcode and choosing “erase data” if there are numerous unsuccessful attempts to unlock the device.
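Where devices are managed with configuration profiles, the passcode, auto-lock and erase settings above can be checked before a profile is deployed. The following is an added example, not code from Dr. Halamka's guide or from this article: it audits the passcode payload of an unsigned `.mobileconfig` file. The numeric thresholds and the sample profile are assumptions, since the guide gives no numbers.

```python
import plistlib

# Assumed thresholds (the guide gives no numbers); adjust to local policy.
MIN_LENGTH = 8            # "long passcode"
MAX_INACTIVITY_MIN = 5    # auto-lock after this many idle minutes
MAX_FAILED_ATTEMPTS = 10  # "erase data" after this many bad passcodes
PASSCODE_TYPE = "com.apple.mobiledevice.passwordpolicy"

# Constructed sample: an unsigned profile with a weak passcode payload.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadContent</key><array><dict>
    <key>PayloadType</key><string>com.apple.mobiledevice.passwordpolicy</string>
    <key>forcePIN</key><true/>
    <key>allowSimple</key><true/>
    <key>minLength</key><integer>4</integer>
    <key>maxInactivity</key><integer>15</integer>
  </dict></array>
</dict></plist>"""

def audit_passcode_policy(profile_bytes):
    """Return a list of findings for the passcode payload of a profile."""
    profile = plistlib.loads(profile_bytes)
    payloads = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == PASSCODE_TYPE]
    if not payloads:
        return ["no passcode payload: passcode, auto-lock and erase not enforced"]
    findings = []
    for p in payloads:
        if not p.get("forcePIN", False):
            findings.append("forcePIN off: user may run without a passcode")
        if p.get("allowSimple", True):
            findings.append("allowSimple on: repeated or sequential codes accepted")
        if p.get("minLength", 0) < MIN_LENGTH:
            findings.append(f"minLength below {MIN_LENGTH}")
        idle = p.get("maxInactivity")  # minutes before the device locks itself
        if idle is None or idle > MAX_INACTIVITY_MIN:
            findings.append(f"maxInactivity unset or above {MAX_INACTIVITY_MIN} min")
        failed = p.get("maxFailedAttempts")  # on iOS, exceeding this erases the device
        if failed is None or failed > MAX_FAILED_ATTEMPTS:
            findings.append("maxFailedAttempts unset: no erase after failed unlocks")
    return findings

if __name__ == "__main__":
    for finding in audit_passcode_policy(SAMPLE_PROFILE):
        print("FINDING:", finding)
```

The iOS version and the “Find My iPhone” setting are not part of this payload and need to be checked separately.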

Not surprisingly, he recommended that if an iPad (or iPhone) were stolen, you should immediately “remote wipe” the device using the Find My iPhone app on another iOS device or from

With these settings, he suggested:

if the iPad is stolen, was locked at the time, and the thief does not have unencrypted access to any other device that had previously synced with the iPad (a Mac/PC), the data can be considered “safe”.

There were also a few other interesting tidbits of security information. For example,

  • certificates that bypass the passcode screen are saved on the computer when the iPad is synced
  • the hardware encryption used to protect the filesystem is based on an encryption key known to Apple, which routinely unlocks devices for law enforcement with a court order
  • expect knowledgeable attackers to remove the SIM card immediately to prevent remote wiping

[source: John Halamka, Life as Health Care CIO, Feb 16, 11]


Felasfa Wodajo, MD


7 Responses to How to secure your iPhone or iPad for medical use

  1. Eric February 24, 2011 at 11:16 am #

    Due to Apple’s policy concerning root access to all iPads and iPhones (they always have root, and without root you do not truly control or in some sense do not actually own the iThing), I think a valid argument can be made that any use of an iPad or iPhone in a medical context is explicitly a violation of HIPAA.

    • drrjv February 24, 2011 at 3:05 pm #

      If you must, it is possible to access root level, by jailbreaking.

      I should add, that NO device is secure if physical access to the device is lost:

    • cronus_k98 February 24, 2011 at 3:40 pm #

      If you go by that definition the use of any cell phone either for data access or voice calling would be the same. The carrier always has access to your device whether it’s an Android, BlackBerry, or a dumb phone. I think the answer is to not store sensitive data ON the device but to use it to access remote or web applications that are themselves secure.

    • Iltifat Husain February 24, 2011 at 9:05 pm #

      As one of the commenters pointed out – it’s all about using a cloud to access patient information. There are examples of HIPAA compliant apps in the App Store, the key is to not store sensitive patient information on an actual device.

    • Felasfa Wodajo February 25, 2011 at 5:17 pm #

      That seems rather theoretical. Have you discussed this with a health care attorney?

  2. nukona March 2, 2011 at 4:09 am #

    The other option would be to have additional secure encryption on the data stream and information, with keys and tokens never stored locally on the device. Then, with a few other things such as ability to control/allow/disallow local storage, the ability to distribute and control the apps, you would have the ability to effectively “Brick” the information on a lost or stolen device; which is effective even if SIM is taken out.

    • Felasfa Wodajo March 2, 2011 at 12:39 pm #

      interesting idea – meaning locally encrypted data so that a thief cannot view without password/key?
