ONC takes hands-on approach to testing mobile device security


Industry research indicates that more than 80 percent of physicians use smartphones or tablet devices – yet very few safeguard them against unauthorized access to stored information. The Office of the National Coordinator for Health IT (ONC) wants to help by teaching providers how to shore up mobile device security.

ONC has conducted research on mobile endpoint security by taking devices out of the box from local electronics stores and applying manual configuration for better controls to support security, said Will Phelps, an IT security specialist in ONC’s Office of the Chief Privacy Officer.

“You [must be] able to apply the appropriate security controls to make sure that the patient records are protected. We want to reach out to the provider community to make sure that they are able to do these things,” he said at the June 11 Government Health IT conference sponsored by HIMSS.

ONC studies of out-of-the-box security configuration found that most mobile phones did not meet more than 40 percent of security requirements, such as the ability to encrypt information, Phelps said.

After manual configuration, test results improved significantly, especially for the iPhone and Blackberry models, which met 60 percent of the security requirements. Other phones did not fare as well after manual configuration.

Initially, ONC will focus on small and medium-sized providers. “They may not have an IT staff or third-party vendor to manage their devices for them. So we want to get them to a point where their devices are operating as securely as possible,” Phelps said, adding that the security configurations are available on the devices right out of the box but must be manually configured.

ONC will describe scenarios or use cases around which to offer practical information for mobile device security, said Kathryn Marchesini, an attorney in ONC’s Office of the Chief Privacy Officer.

These will include remote use from a coffee shop, sending e-mail, or what to do if providers bring their own devices, which may not necessarily be credentialed in the organization, and whether they should be allowed to connect to the system’s network.

Some providers may not realize they need a policy around the use of mobile devices, or that they need to take an inventory of mobile devices. “It may seem basic, but we hear every day that practicing providers are struggling with these issues,” Marchesini said.

The Health Insurance Portability and Accountability Act provides security guidance around remote use. The proposed rule for meaningful use stage 2 also calls for encryption of data at rest.

In its next phase, ONC will test third-party vendor security tools applied to devices to see how well they score on information protection. Overall, ONC plans to design outreach for vendors, providers and patients for security awareness around mobile devices and training to follow.

ONC is also incorporating in its mobile security outreach the regional health IT extension centers, which offer technical assistance in providers’ offices "to make sure we identify real scenarios and practical solutions," Marchesini said.

ONC said it plans to release its best practices for securing mobile devices in the fall.

Add new comment