As smartphones become faster and increasingly capable of running sophisticated applications and services, health care organizations are faced with a dilemma. Do they allow doctors, nurses and staff to participate in bring-your-own-device policies and potentially unlock productivity gains that enable higher-quality care? Or do they hold back out of legitimate concerns about data security and compliance with regulations?
The growing interest of technology firms in health care tracking only complicates the situation. Individuals may now use devices such as wristbands, in addition to smartphones, to record and share health information, making it critical for providers to keep tabs on BYOD activity to ensure compliance.
HealthKit and the larger issue of sharing health information
At this year's Worldwide Developers Conference, Apple announced HealthKit, a platform built into iOS that underscores how healthcare on mobile devices is rapidly evolving and sparking questions about how sensitive data is handled. HealthKit isn't a discrete solution but a system of APIs that would allow, say, an application that tracks steps to share its information with medical software that could provide actionable advice.
Major health care organizations are already on board. The Mayo Clinic created an application that monitors vital signs and then relays anomalous readings to a physician. Given the already considerable presence of mobile applications in health care, HealthKit could give hospital and clinic staff additional tools for providing efficient care.
At the same time, HealthKit turns any iOS device into a potential compliance pain point. Data that is stored only on an iPhone, for example, would not fall under the purview of the Health Insurance Portability and Accountability Act, but once it is shared with a provider or one of their business associates, HIPAA would likely apply. Stakeholders will need time to adjust to the nuances of how healthcare applications interact with each other in the HealthKit ecosystem.
"The question would be whether the app is being used by a doctor or other health care provider. For example, is it on their tablet or smartphone?" asked Adam Greene of Davis Wright Tremaine LLP, according to Network World. "Where the app is used by a patient, even to share information with a doctor, it generally will not fall under HIPAA. Where the app is used on behalf of a healthcare provider or health plan, it generally would fall under HIPAA."
Tracking and securing privileged health information
HealthKit is just one platform on a single OS, but it is part of a broader shift in data control, away from centralized IT departments and organizations and toward end users. For healthcare, this change is particularly challenging since providers have to ensure that the same compliance measures are enforced, even as BYOD and cloud storage services become fixtures of everyday operation.
A recent Ponemon Institute survey of more than 1,500 IT security practitioners found that almost 60 percent of respondents were most concerned about where sensitive data was located. BYOD complicates compliance, and healthcare organizations will have to ensure that they have well-defined policies in place for governing security responsibilities.
"People trained in security also view IT as accountable for the security domain," Larry Ponemon, chair of the Ponemon Institute, stated in a Q&A session on Informatica's website. "But in today's world of cloud and BYOD, it's really a shared responsibility with IT serving as an advisor, but not necessarily having sole accountability and responsibility for many of these information assets."
It's no longer enough to rely on IT alone to enforce measures. Security teams and IT must work together to implement BYOD security controls alongside network monitoring, so that only authorized devices can connect to the system and data is shared safely.