Off-the-shelf smartphones meet few HIPAA, MU security requirements

By Neil Versel
ONC's Dr. Farzad Mostashari

Most mobile phones on the market today meet no more than 40 percent of security requirements -- such as those called for by HIPAA or proposed "meaningful use" Stage 2 standards -- in their out-of-the-box configurations, according to the Office of the National Coordinator for Health Information Technology.

Even after being manually configured, only iPhone and BlackBerry smartphones typically meet about 60 percent of the standards. Other brands do not fare as well, said Will Phelps, an IT security specialist in ONC's Office of the Chief Privacy Officer, according to a report in Government Health IT.

Phelps spoke last week at the Government Health IT conference in Washington. Government Health IT, the publication, is a wholly owned subsidiary of the Healthcare Information and Management Systems Society (HIMSS), which sponsored the event.

ONC is conducting research as it prepares guidance to help small and medium-sized provider organizations secure the growing number of mobile devices that process health data. "They may not have an IT staff or third-party vendor to manage their devices for them. So we want to get them to a point where their devices are operating as securely as possible," Phelps told the gathering, according to Government Health IT.

"You have to make sure that the devices are able to apply the appropriate security controls to make sure that the patient records are protected," he advised.

For the guidance, which ONC will publish online later this year in the form of a series of best practices, the office will describe how to handle security in various use cases, according to ONC Office of the Chief Privacy Officer attorney Kathryn Marchesini. Scenarios will include logging in from a coffee shop, sending e-mail from a mobile device and responding to the "bring-your-own-device" phenomenon, she reportedly said.

The office also will disseminate its best practices through the national network of federally funded regional extension centers set up to help smaller providers adopt and use health IT.

In developing guidance, ONC plans on testing security software from various vendors for compliance with security standards, according to the Government Health IT report. Expect to see future outreach to vendors and patients as well.