This morning I am in Washington DC at the Health and Human Services Mobile Device Roundtable. The event is being streamed.
Farzad Mostashari, National Coordinator for Health IT, is kicking off the session.
Smartphones - a ubiquitous connected platform. A disruptive impact on the market.
Consumer technology is invading institutions - medicine - a conservative bastion where stakes are life and death.
The model has flipped. Consumer technology is now invading the enterprise. 20 years ago it was space technology, developed in the Government and Enterprises, that filtered into the consumer space. Like it or not, consumer technology is here and is being adopted.
Ubiquitous means we have it with us at all times - we can lose it at any time. This has security implications. Data should be in the cloud but must be secure. But security shouldn't be invasive - that will be a barrier to adoption.
The promise and perils of ubiquitous technology. The risks and opportunities.
Farzad hands over to Joy Pritts to moderate the first panel.
Panel 1: Setting the Federal Stage - Current Regulatory Framework, Guidance, standards and toolkits for Providers and other Health Care Delivery Professionals using Mobile Devices.
- Geraldine Matise - FCC
- Bakul Patel - FDA
- Cora Tang Han - FTC
- Susan McAndrew - OCR - Office of Civil Rights at HHS
- Tim Grance - NIST
FCC - Manage the world of devices and spectrum
The FTC doesn't require encryption. People must not intentionally interfere and intercept communications.
FDA - Promoting and Protecting public health
Manage benefits and risks of tools and drugs that treat, cure or manage the health of patients.
Medical Devices, also includes looking at privacy and security. Developing policies to advance the use of mobile devices for health.
FTC - Section 5 - dealing with false or misleading practices.
Protecting consumers from false representations. Privacy policies and privacy settings fall under this purview.
OCR - Mandated by HIPAA to protect privacy of Health Information when held by Providers and their business associates.
Enforcement role for privacy protections. Device losses require breach notifications to individuals and HHS when HIPAA related information is stored on the device.
NIST - Provides standards and guidance.
A non-regulatory body. Part of Department of Commerce. Focused around physics and science. In computer science including computer security.
Q: Why can't there be just one body?
FTC and FDA cooperate on medical devices.
FDA also cooperates with FTC.
NIST has several guidance documents on mobile security.
HIPAA doesn't dictate what an individual does with information on their personal phones or computers.
Panel 2: Real World Usages of Mobile Devices by Providers and Other Health Care Delivery Professionals
Moderator: Jon White - AHRQ
- Jacob DeLaRosa, MD - AHRQ
- Lisa Gallagher - HIMSS
- Steven Jeffery Heilman, MD - Norton Healthcare
- Meri Shaffer, RN - Montefiore Home Care
- Christopher Tashjian, MD - River Falls, Ellsworth and Spring Valley Medical Clinics
Policies around texting are difficult to enforce.
[CT] 100% of Patients want texting of results. They want things to be easy.
[CT] Apple has changed the game. There is no longer a generational gap in accessing computing power. Seniors are using their iPads.
[JD] Accessing CT Scans on mobile has been a game changer. Would like to see faster access and FaceTime for personal touch with Physicians.
[CT] Have had to stop sharing X-rays due to HIPAA. Need to design this capability right from the outset.
[MS] Medication reconciliation is a big challenge. Want an accurate medication list. Disparate systems are a big challenge.
[LG] Privacy and Security is a top concern but speed of access is the real concern. Screen resolution and fidelity are also close behind. Toolkit has sample mobile usage policy document.
[CT] Remember that paper systems are inherently less secure and more likely to be lost. [Ed: just ask Regina Benjamin - she lost records twice due to hurricanes]
[LG] Wireless monitoring devices are becoming more popular.
[CT] Let technology do the work. They don't use PCs or laptops. They use iPhones and iPads. They can remotely wipe. Policy is that if a device is lost it is immediately wiped.
[JD] Providers: think about the content of the message. You shouldn't be sending "yes it's cancer" as a text. There is still value in 1 on 1 for important health changes.
[LG] People assume that providers are taking care with their data.
[JW] Assume the pipe you are working on is open/compromised. Use encryption to protect information.
[LG] Mobile technology is being deployed before policies are in place. Consumer technology is driving organizations.
[CT] Communication is the key to reducing re-admissions and morbidity. Mobile is key to this.
Panel 3: Real World Mobile Device Privacy & Security Practices, Strategies and Technologies
Moderator: David Holtzman, JD - OCR
- Sharon Finn - Adventist Health System
- James French, MD - Mercy Medical Center
- Terrell Herzig - UAB Health System
- Adam Kehler - REC for PA East and West
- Micky Tripathi - MA eHealth Collaborative
[SF] Treat devices as a container - be agnostic. Deliver a bunch of services to that device and protect the data.
[JF] Pagers are just not working any more. Smartphones offer many new opportunities.
[MT] Small practices in rural New England are using laptops more than smartphones.
[SF] Texting is okay for alerting but not for transmission of patient information. Also can't get the message into the medical record.
[AK] Differentiate between SMS Text and messaging platforms. Messaging platforms are often apps installed that can offer encryption and security.
[MT] Convenience is the enemy of security. Is a photo with no identifying personal information violating PHI?
[SF] If patient gives you permission that is the big differentiating factor. [Ed: Put the patient in control!!!]