ONC Plans Mobile Device Security Guidance For Smaller Practices

Posted on August 22, 2012 | Written By

Anne Zieger is a veteran healthcare consultant and analyst with 20 years of industry experience. Zieger formerly served as editor-in-chief of FierceHealthcare.com and her commentaries have appeared in dozens of international business publications, including Forbes, Business Week and Information Week. She has also contributed content to hundreds of healthcare and health IT organizations, including several Fortune 500 companies. Contact her at @ziegerhealth on Twitter or visit her site at Zieger Healthcare.

In an effort to help them avoid joining the long list of mobile device-based security failures, ONC has set plans to release guidance for small- and mid-sized providers on securing mobile devices. The agency, which has projects underway studying how mobile devices are used by smaller providers, expects to release its conclusions in the spring, reports HealthcareInfoSecurity.com.

If you read medical business trades, it’s hard to miss that slip-ups with mobile devices and mobile data sources (such as flash drives) have been a major source of security breaches. In fact, it seems that 54 percent of the 464 HIPAA breaches affecting 500 or more individuals reported to HHS between September 2009 and July 2012 involved the loss or theft of unencrypted mobile devices.

To see how smaller medical practices are doing in this area, ONC is conducting an effort dubbed the Endpoint Security Project, for which it has built a health IT implementation typical of mid-sized and small doctor practices, including tablets, laptops, smartphones, storage devices and desktops. When the project is done, ONC plans to release configuration settings which should help these smaller practices protect their mobile device data.

This is all well and good. After all, smallish practices seldom have an IT staffer to advise them on such things, and a simple set of best practices can go a long way.

Still, what strikes me is that time and again, it’s the larger providers whose data breaches are making the news.  That’s no surprise — big providers and hospitals simply have more data endpoints to control — but given this, ONC might make slapping larger organizations into shape more of a priority.

Of course, it’s also true that we don’t want small providers being the “weakest link” in HIEs, or compromising even a comparatively small amount of patient data in their practices. But if ONC’s assuming that big practices and hospitals can take care of themselves, they’re ignoring a truckload of evidence that it ain’t so.