iPhone 3GS – IT HIPAA Headache or Cure?

by Dan Dearing on 20/07/09 at 7:00 pm

Dan Dearing is the Vice President of Marketing & Product Management for Trust Digital and contributing editor for iPhoneCTO.

I recently spoke to an IT director of a large hospital system that relies on Blackberry for meeting the mobile email needs of their staff. Increasingly, he sees their doctors carrying two devices – a Blackberry that IT provides and an iPhone that the doctor purchased.

This is a classic case of the consumer/prosumer bringing their iPhone to work.

I asked the IT director why doctors were digging into their own pockets to pay for the iPhone, and he said that two things were driving it. First, doctors were willing to buy the iPhone directly because it was a device the hospital system did not officially support and IT was worried about HIPAA compliance. Second, because it made their job easier.

The iPhone serves as a great reference platform, supplying doctors with a superior web experience as well as almost 700 medical applications from the Apple App Store. The most popular include Epocrates Rx, a handy drug reference guide; iChart, for accessing electronic medical records; and OsiriX, for viewing radiologic images. With all that, doctors have the benefit of not having to lug around a laptop.

Until now, iPhones have not been supported by most hospitals because of data security and HIPAA compliance concerns. Most healthcare IT professionals know it’s only a matter of time before doctors figure out how to hook up their iPhone to the hospital email server and abandon their formerly beloved “Crackberries”. Without an enterprise mobility management platform in place to monitor the mobile devices syncing to the network, this creates a real headache for the IT department.

To help the CIO develop an effective strategy for safeguarding smartphones and PDAs, the Centers for Medicare and Medicaid Services (CMS) has published the “HIPAA Security Guidance for Remote Use of and Access to Electronic Protected Health Information (ePHI)”. This document helps healthcare IT determine the best way to make ePHI available to mobile healthcare users, but it does little to define the steps needed to get the job done. The iPhone 3GS will help meet some of the government’s recommendations, but more things have to be considered. Here is a simple roadmap to HIPAA compliance for the iPhone.

Step 1: Know Your Mobile Users
Understanding your users and their use cases is the first step toward HIPAA compliance. With a growing collection of App Store applications, the iPhone can potentially store a wide variety of ePHI, including electronic patient records, hospital email and home-care health records. Documenting the flow of healthcare information to and from the iPhone is the upfront work that has to be completed before IT can develop a comprehensive security strategy for remote access to ePHI.

Step 2: Evolve Your Mobility Strategy
Many IT organizations fail to recognize that their one-size-fits-all Blackberry strategy will no longer work for savvy healthcare workers who want anywhere access to the Internet. With multiple modes of communication, significant processing power and a large array of applications, the iPhone is becoming a necessity for healthcare workers. Device choice needs to be part of your mobility strategy.

Step 3: Put Safeguards in Place
To fully comply with the CMS guidance, healthcare IT must implement a broad array of security controls, including endpoint security, network access control and user compliance. The iPhone 3GS makes the grade for HIPAA compliance with features such as always-on data encryption, but you also need an enterprise mobility management solution that provides a centralized console with device management facilities and reporting tools. The ideal platform solution must include:

• A self-service portal to allow end-users to activate policies on personal devices
• A flexible device agent that enables IT to secure and manage a wide variety of device platforms including Windows Mobile, iPhone and Palm webOS
• Policy-controlled security that protects against hacker access and device loss
• A dedicated and centralized management console decoupled from your email server to simplify policy implementation and user support
• A compliance management and reporting facility to ensure users adhere to IT policy and provide compliance proof

Step 4: Enforce User Compliance
An organization’s HIPAA security policies are only effective if users comply with them, so make sure that your mobile device security policies are persistent. Many iPhone users are technically savvy enough to skirt around IT policies, so IT needs compliance management facilities that use smartphone-aware Network Access Control (NAC) to make sure that users “toe the line”. These intelligent filters, deployed in the network DMZ, compel users to follow IT policies by making access to email contingent upon device compliance. In essence, the security posture of the iPhone is checked whenever it syncs email. IT can rest assured that sensitive data is only transmitted to iPhones that have been secured per the Federal government’s guidelines.
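As an added illustration of the sync-time compliance check that Steps 3 and 4 describe (a posture report evaluated against IT policy on every sync, mail denied and an admin notified when the device falls out of compliance), here is a small Python model written for this post. It is not Trust Digital's EMM product or any real device agent's API; the policy fields, the posture report schema and both sample devices are constructed for the example.

```python
"""Sync-time device compliance gate modelling Steps 3 and 4 of the post.
Added example, not Trust Digital's EMM code: every policy field, posture
field and sample device below is constructed for illustration."""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass(frozen=True)
class Policy:
    """IT policy a device must satisfy before mail is allowed to sync."""
    min_passcode_length: int = 6
    require_encryption: bool = True        # hardware data-at-rest encryption on
    max_failed_unlocks: int = 10           # device must auto-wipe at or below this
    allow_jailbroken: bool = False
    min_os_version: Tuple[int, ...] = (3, 0)


@dataclass(frozen=True)
class DevicePosture:
    """Posture report the device agent sends with each sync (constructed schema)."""
    device_id: str
    os_version: str
    passcode_set: bool
    passcode_length: int
    hardware_encryption: bool
    failed_unlock_wipe: int                # 0 means the device never auto-wipes
    jailbroken: bool


def parse_version(version: str) -> Tuple[int, ...]:
    """'3.0.1' -> (3, 0, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def evaluate(posture: DevicePosture, policy: Policy) -> List[str]:
    """Return every policy violation found; an empty list means compliant."""
    violations: List[str] = []
    if not posture.passcode_set:
        violations.append("no passcode set")
    elif posture.passcode_length < policy.min_passcode_length:
        violations.append(f"passcode shorter than {policy.min_passcode_length}")
    if policy.require_encryption and not posture.hardware_encryption:
        violations.append("data-at-rest encryption disabled")
    if posture.failed_unlock_wipe == 0 or posture.failed_unlock_wipe > policy.max_failed_unlocks:
        violations.append("auto-wipe after failed unlocks not enforced")
    if posture.jailbroken and not policy.allow_jailbroken:
        violations.append("device is jailbroken")
    if parse_version(posture.os_version) < policy.min_os_version:
        violations.append("OS version below minimum")
    return violations


@dataclass
class SyncGate:
    """DMZ-side filter: posture is re-checked on every sync, so a device that was
    compliant on its last sync but changed its settings since is denied now."""
    policy: Policy
    notifications: List[str] = field(default_factory=list)   # admin alert queue

    def authorize_sync(self, posture: DevicePosture) -> bool:
        violations = evaluate(posture, self.policy)
        if violations:
            self.notifications.append(
                f"{posture.device_id} out of compliance: " + "; ".join(violations))
            return False
        return True


# Constructed sample postures for the same device on two successive syncs.
POLICY = Policy()
COMPLIANT = DevicePosture("iphone-0001", "3.0", True, 6, True, 10, False)
# Same device after the user turned the passcode off, disabled auto-wipe
# and jailbroke it: the next sync must be refused and IT told why.
TAMPERED = DevicePosture("iphone-0001", "3.0", False, 0, True, 0, True)


def demo() -> Tuple[bool, bool, List[str]]:
    """Run the two syncs through one gate and return the decisions and alerts."""
    gate = SyncGate(POLICY)
    first = gate.authorize_sync(COMPLIANT)     # True: mail syncs
    second = gate.authorize_sync(TAMPERED)     # False: denied, admin notified
    return first, second, gate.notifications


if __name__ == "__main__":
    print(demo())
```

The gate keeps no per-device state on purpose: the decision is made from the posture reported with the current sync, which is what makes the "set the policy and forget about it" failure mode impossible. The returned violation list is what a reporting facility would record as compliance proof.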

With the four steps in place, the healthcare CIO/IT team can be confident that its network data is secure, and so is the variety of patient information stored on mobile devices. And doctors can rely on the one device that fulfills their requirements, the iPhone.

  • andrewdaniels
    Hi,
    I have been using the Skyscape application for a long time now. They provide some excellent references for Physicians, Doctors, Nurses and Medical Students. Click here to view some of the useful medical applications: http://bit.ly/IGWY7
  • pspaude
    Great article.
    Does anyone know if there is a vendor-agnostic end-to-end solution that works for smartphones?
    Not just the iPhone, but most smartphones. Being a healthcare facility, I am looking for a good solution we can use before the natives get too restless.
  • troublelikecalvin
    I have friends in health care in the US and UK who deal with their respective compliance issues. I happen to work in the financial sector in the UK (with offices in America), and the compliance issues are equally problematic on both sides of the Atlantic and across both sectors. I'm sure there are many verticals with the same problems.

    This is a timely issue for us. We're forced to extend security and compliance policies to our mobile workforce, and that workforce is increasingly utilizing smartphones to access our IT infrastructure and capabilities. Blackberry might be an appropriate solution, but we simply can't constrain our users. We have executives demanding their favored device. We have vendors and carriers offering interesting incentives for Blackberry alternatives. We certainly see a bevy of interesting applications coming down the line from the likes of Apple. In short we have to accommodate this new reality. I repeat - this new reality.

    I have been a little disappointed by the lack of vendor offerings in this space. This is especially true of Apple and Palm who have been quite busy trying to convince me they have what I need when they quite clearly do not. (I will abstain from color commentary on Microsoft). For all their warts RIM understood quite well.
  • Frank Castle
    Seems like a lot of work vs. slap in a BES, apply your policy - meet compliance.

    3GS "encryption" is not controlled by the backend and is tied to iTunes and NOT enforceable. Users are free to disable it if they wish, and Apple has still not outlined how it functions and what EXACTLY is encrypted. Doesn't help you much with older devices, so your TCO shoots up having to upgrade all users' hardware. BES policies trickle down to the 7290 if needed.

    Personally I think personal liable is just a big risk that any large enterprise should avoid. You are still required to obtain the device if needed for discovery, have to deal with the headache of personal data mixed with corporate data, where your support starts and ends, etc. Just a mess. Most companies keep it simple and provide the tools an employee needs. Mobility is no different. I don't need to get into an argument with Stacy from marketing about why she isn't allowed to install certain apps or why we capture SMS, web sites, etc.

    Love to hear how EMM gets around the SSH commands that wipe out the EAS policy, not to mention preventing jailbreak. iPhone, no matter how much you band-aid it, is insecure.

    The rub is any company that put in an enterprise solution for iPhone would feel the wrath of iPhone users anyway, as you will to some degree be limiting their device functionality. Thus it's easier to just not support the platform. Apple is consumer focused, so leave it at that.
  • dandearing
    Frank, you have inspired me to write a response almost as long as my original posting. Thanks for the counterpoint feedback...

    “Seems like a lot of work vs. slap in a BES, apply your policy - meet compliance.” True, that would be the case if users could not buy their own iPhones or any other ActiveSync device and skirt around IT policies. Many organizations risk non-compliance because users opt for their own personal device at work versus the Blackberry stuffed in their desk drawer. One IT director of a large HMO recently told us, “I am tired of saying NO to users.” So, IT can offer the user the device of their choice, and for some that will be a Blackberry, while also meeting their compliance mandate.

    Per the iPhone 3GS and encryption. To be clear, the hardware-based DAR encryption capability of the 3GS is for the whole device and should not be confused with the new encrypted backup capability of iPhone OS 3.0 and iTunes 8.2. The encryption capability that most folks are concerned with is DAR encryption on the phone. EMM Compliance Enforcement ensures that passcode policies are used with 3GS encryption so that a complete policy is in place to protect the device when lost. So if the user changes policy settings (or even devices), they are denied access to the IT services and IT admins are notified that the device is out of compliance. This is achieved by doing a compliance check every time the device syncs – so it’s not a set-the-policy-and-forget-about-it approach.

    Regardless of whether it’s a Blackberry or an iPhone, smartphones are converging work and play into a single device. EMM is there to provide users with the device that best suits their need and also give IT the tools they need to support that driver and meet their corporate charter. “The rub is any company that put in an enterprise solution for iPhone would feel the wrath of iPhone users anyway, as you will to some degree be limiting their device functionality.” Do BES admins “feel the wrath” of Blackberry users for doing their job? I think most users would be grateful to be able to use their non-Blackberry device at work. Just check out this study: Apple's iPhone would be the smartphone of choice for four out of 10 BlackBerry and other smartphone users, according to a new survey by the research company Crowd Science. Crowd Science also finds that 14 percent of smartphone users would switch to a BlackBerry as their next device, while 82 percent of iPhone users would choose to stick with the iPhone brand. Read more at http://tinyurl.com/nz2l2o.
  • Frank Castle
    Dan -

    I'm familiar with the report, as well as a number of them that have been done on personal liable vs. corporate owned. It's just not something many companies will want to deal with right now. As mobility continues to grow it is definitely something companies will have to get their arms around, as soccer moms are now walking around with mobile devices and want to feel "productive" while having a useful device.

    For any company-owned asset, be it iPhone / Blackberry etc., there needs to be a direct policy on what is allowed or not; many large companies do not allow users to install whatever they want on a company laptop, and smartphones (paid for by the company) are no different. That is where the personal / business line is blurring, as devices are capable of both. To me, having lived in this vertical for 8+ years, I keep my personal usage to my own device and business to what is provided. Why would I want my SMS audited? Not be able to load whatever I want from my provider's app store?

    Being a mobile professional, it is not my job to form policy. You need strong backing from your Risk / Compliance officer and crystal clear language in your company policy manual. Some companies have zero tolerance for users that circumvent/ignore these controls; I think that is extreme and try to allow some personal usage, but know that any given day our legal, compliance or HR dept may change that.

    If this economy ever gives me back some budget I'd love to check out your product, as it's definitely needed for other devices and MDM is a mess to install and admin.
  • stevehowe
    Interesting post, thanks. It came at an excellent time relative to my blog post regarding Apple in the Medical and Veterinary sector...

    http://www.steve-howe.co.uk/blog/2009/7/21/appl...

    Truly though, many of these misconceptions run throughout medical and enterprise environments far too often!
  • "... he sees their doctors carrying two devices – a Blackberry that IT provides and an iPhone that the doctor purchased."

    Like the grass and Twitter, the iPhone is hard to keep down. That opening paragraph reminded me of this post from April:

    God Bless the Grass (and Twitter)
    http://faseidl.com/public/blog/231048