Large hospital systems and small medical offices alike are shifting over to electronic records en masse, with increasing adoption of portable platforms to access these systems. Many residency programs are now beginning to give tablets (such as the iPad) to their residents to encourage the use of electronic charting and prescribing during their training. As the use of tablets, laptops, and other portable devices grows, there is increasing concern about unauthorized access to these devices.
At the recent Mobile Health Expo, this topic was the focus of Earl Reber, representing a company that specializes in security for networked medical devices. According to him, the average number of connected clinical devices per patient has tripled in the last 2 years alone. And, he says, the fact that healthcare has fallen behind in this area could pose dangers to patients as well as their confidential information.
The vulnerabilities are certainly not limited to mobile devices – rather, mobile devices represent yet another gateway that requires, and currently lacks, safeguarding. There are risks associated with any device, whether from physician carelessness or from security threats, such as viruses and breaches. Some of the more surprising highlights include platforms that still use DOS and high-end medical devices with terminals that include internet browsers. The latter raises a particularly interesting problem, in that healthcare IT divisions and clinical engineering divisions don’t exactly play nice.
Medical devices utilize many different operating systems, from Windows to the rising Mac platform. While Windows has long been known to be susceptible to security risks, Reber, of eProtex, notes that there has been a surprising jump in attacks against Apple products of late, attributable to the rise in popularity of these devices in the healthcare setting.
For those in small practices in particular, this could represent a challenge when it comes to implementing mobile devices – they often lack the resources to appropriately manage data security and yet, as healthcare providers, are expected to comply with rather complex standards.
To help, the Centers for Medicare and Medicaid Services (CMS) has published a security guidance document. Physicians are ultimately responsible for protecting patient information and, as such, it’s important that we at least remain informed.