by: Perry W. Payne, Jr. MD/JD/MPP

In a recently published article, researchers from the National Center for Telehealth and Technology in Tacoma, Washington discussed the need for data security standards for mobile devices.

With the increasing number of wireless and mobile devices and wireless networks used in health care, the researchers proposed that standardized electronic data security is needed to increase the use of these devices without fear of HIPAA (Health Insurance Portability and Accountability Act of 1996) violations.

In particular, these devices create another area where patient data may be exposed to misuse.

In addition, mobile apps that can store patient data and transmit it over networks raise unique security threats to patients and data networks of health care organizations.

The lack of standardized data security can act as a barrier to mobile device health care interventions.

In the article, the researchers discuss existing security needs, standards and limitations along with offering recommendations for addressing the existing challenges in this area.

Existing Standards

The review is published in Telemedicine Journal and e-Health, the official journal of the American Telemedicine Association.

In it, the researchers discuss the current data security standards relevant to mobile devices used for health care, and point to areas where standardization exists and areas where it is needed.

First, they focus on a relevant American Telemedicine Association guidance document. They state that this guidance indicates what is required to be compliant with HIPAA and offers good practice for synchronous care delivery from a distance. This guidance is called “Practical guidelines for videoconferencing-based telemental health,” implying the guidelines were originally specific to certain uses. These guidelines call for compliance with state and foreign privacy requirements along with other methods of securing data. This collection of approaches illustrates the need for standardization.

Second, the researchers point out that the need for standardized approaches to protecting health data led to the creation of an encryption standard currently used by government and the private sector: the Advanced Encryption Standard (AES).

Third, the researchers point out that a VPN (Virtual Private Network) is an approach for securely accessing a private network from a remote location. This is one approach currently used by numerous organizations.

Fourth, the researchers indicate that there is no standardized approach to encrypting wireless data, including health data. They indicate that encryption methods exist, but they require users to set them up, and there is no guarantee for the user of the mobile device that they have been set up correctly.

Fifth, the researchers indicate there is currently no guarantee that data stored and transmitted by mobile health apps meets HIPAA standards. Developers verify the security of the app themselves, and they are not necessarily focused on making sure the apps meet HIPAA standards. This is similar to someone using a website to learn more about a disease they have. The website may require that the person enter personal health information, but the site may not be HIPAA compliant because it may be created by an entity that is not covered by HIPAA.

Also, apps may gather information from users, such as names, passwords, location (such as “at a hospital”), and demographic data (like gender, income, etc.) and send the information back to developers. This sharing of information creates more exposure of the person’s personal health information.

Goals for Security Standards

The researchers discussed a number of goals for data security standards for mobile devices used for health care. They stated that standards must:

  • support interoperability between different data systems, including new systems working with older systems
  • work with upgrades in communication standards
  • allow for efficient storage and transfer of multimedia content by encrypting all of the data, so that audio, video, and file sharing are covered
  • provide this minimum level of encryption, preferably without the need for outside encryption or firewall devices
  • be transparent and seamless to the user, so that consumers and healthcare providers can feel confident that their information is secure

Steps Towards Better Standards

The researchers mapped out the steps for meeting the security standard goals. First, technical methods need to be selected. The researchers reviewed different technical approaches for addressing these goals, such as taking data encryption and security features off mobile devices and placing them on a web server that is used to access the information.

Moreover, the researchers stated that there is a need for a standardized approach to authenticating data systems (i.e., logging in with a protected password).

Finally, the researchers indicated that numerous stakeholders are involved in making sure standards are implemented for data security of mobile devices. Only by each of these stakeholders clearly expressing their needs will mobile health device data be secured appropriately, so that people can continue using the technology throughout the nation with less fear of security problems.