Restrictive Fed Guidelines Could Keep The iPad Out Of Doctor’s Hands

Will a new era of healthcare privacy enforcement keep the iPad out of healthcare?

The costs of not complying with HIPAA (the 1996 Health Insurance Portability and Accountability Act), which includes self-reporting of data breaches, can be steep. Blue Cross Blue Shield of Tennessee recently finalized a settlement with the Department of Health and Human Services for $1.5 million for a recent breach (on top of a $17 million price tag for the investigation and remediation actions). HHS seems to be making a show of high-profile enforcement as a way to encourage better compliance among smaller organizations, including hospitals and individual medical practices.

This raises the question of whether or not using the iPad in healthcare increases the risk of privacy violations. If so, will a show of force on the part of HHS dampen the enthusiasm for the iPad in healthcare?

The Blue Cross case isn’t related to mobile devices at all. It’s related to 57 unencrypted hard drives containing voice recordings that the company left in a data closet when it moved out of a leased facility. In addition to being a HIPAA violation, the case is also one of the first to fall under a 2009 law known as the Health Information Technology for Economic and Clinical Health Act (HITECH), which tightens the electronic records aspects of HIPAA.

The high-profile nature of the case, and the fact that it’s one of the first large cases involving violations that fall under HITECH provisions, has healthcare industry observers and experts believing that it’s a warning shot to the entire industry when it comes to compliance and enforcement of privacy regulations. Whether or not that’s a goal of HHS, the impact is certainly there. In its wake, law firms that work with health-related businesses have issued alerts to their clients reminding them of the financial and legal consequences of noncompliance. Wilson Sonsini Goodrich & Rosati, a firm with offices throughout the U.S. and abroad, even pointed out that organizations that normally don’t fall under the health insurance or provider rubric can fall under HIPAA.

What this means for the fate of the iPad in healthcare isn’t immediately clear. HIPAA compliance is one of the challenges that the iPad faces in this industry, but those same challenges are faced by laptops and other portable devices. In many situations, medical groups and hospitals turn to virtual desktop solutions as an answer. The encrypted connection to a server hosting a desktop or application ensures no data ever resides on the device. This is one reason that Citrix is a popular tech company in healthcare. The platform-agnostic approach of virtual desktop infrastructure (VDI) means that Citrix supports the iPad along with other devices. Citrix also offers XenApp, which creates dashboard-style interfaces that make applications available without providing a complete Windows desktop – a good option for mobile devices.

Even outside of VDI solutions, the goal is almost universal when supporting the iPad in medicine: don’t allow data to be stored on the device. If patient records are never on the device itself, then a lost or stolen device doesn’t immediately create a major security concern, particularly if two-factor authentication is employed.

Ultimately, healthcare IT professionals have been aware of the potential security and privacy issues with the iPad (any mobile device really) for quite a while. It’s one reason some medical groups are hesitant to support the iPad. The new rulings may add weight to arguments against the iPad, and it probably will make some organizations rethink their mobile strategy (and even their overall data management practices). Enthusiasm from doctors, nurses, and other healthcare workers probably won’t be killed by this latest news, however. In the end, the rulings may simply give hesitant IT organizations a reason to support and entrench their positions while organizations embracing the iPad will continue to do so, but with a bit more security awareness.

  • TheMadTurtle

    In my opinion, if anything, due to the smaller SSD hard disk size of the iPad and the increased usage of cloud software on iPads, iPads in healthcare are probably more safe than laptops. Additionally, most businesses leverage something like Citrix to deploy applications. An iPad outside of the business network would not have access to any of these applications without authentication via VPN or something similar. That goes for iPads as well as laptops and mobile phones. There’s nothing substantially different with iPads to warrant saying they are “less secure”. Just my two cents’….

  • AwesomeDuck

    I don’t see how an iPad is less secure than a Windows PC. Look at the malware numbers. I wonder if this is not a result of Microsoft lobbying efforts.
    Regardless of iCloud, networks and cloud storage are still being used by just about every hospital, insurance company, etc. The days of building your own data center are numbered.

  • CALL_151

    As a physician and amateur App developer, I’ve spent a fair amount of time trying to understand iPad security for “data at rest” and “data in motion”. The iPad has hardware-based AES-256 encryption, making it at least as secure as a Mac with FileVault 2 enabled. BUT, there are two requirements: 1) The app must explicitly enable this encryption, and 2) The user must set a passcode and require it to unlock the device. Under these circumstances, data stored on the device should meet HIPAA/HITECH requirements.

About the author

Ryan Faas is a technology journalist and consultant living in upstate New York who has written extensively about Apple, business and enterprise IT, and the mobile industry. In addition to writing for Cult of Mac, he is a contributor to Computerworld, InformIT, and Peachpit Press. In a previous existence he was a healthcare IT director as well as a systems and network administrator.
