Readers’ Poll: What Industry Vertical Do You Work In?

A little while back, we began a series of “get to know you” polls in an effort to better shape our content. In a June poll, we asked about your positions within your organizations, with results showing an even split between IT and marketing, with sales also being a popular answer. We found the results quite interesting, and they led us to wonder – in what industry vertical do you work that makes remote access and network security of interest? As always, feel free to elaborate in the comments.

Revisiting mHealth with Dr. Ruchi Dass, Part 2

Today, we finish our conversation with Dr. Ruchi Dass on mobile health trends. We left off last week talking about the security issues surrounding mHealth. Below, Dr. Dass tells us more about mitigating security risks and what still needs to happen for mHealth to be fully optimized.

Dr. Ruchi Dass: To mitigate the risks authentication systems raise, it is essential that they be designed to offer individuals control over their personal information by supporting traditional principles of fair information practices.

While these principles have long formed the basis of federal and state law, industry rules of best practice, and international agreements related to information privacy protection, their application to authentication systems must be carefully considered and articulated so as to take into account the complex and unique questions raised by the technology. In fact, because fair information practices are often ignored in the current use of authentication, the move to new authentication systems offers implementers the ability to offer stronger privacy protections if privacy issues are addressed in the design of the technology.

On the technology front, these risks may be mitigated through deployment of diverse authentication products, by decentralizing their design and limiting the amount of personal information collected. It discusses the importance of applying fair information practices to the management of authentication data. Also, computer and mobile solutions should be designed and implemented using an enterprise-wide architectural methodology. An architectural methodology helps IT by providing a framework to consider all of the major issues, highlight the interdependencies and facilitate decision making between conflicting tradeoffs.

VPN Haus: What are the major barriers that need to be overcome before mHealth can be fully optimized and deployed on a wider scale?

Dr. Dass: When we think to e-connect patients with their providers, share their medical and other data and provide care i.e. anytime, anywhere; we get surrounded with questions of adoption, value, privacy & security, interoperability and standardisation. A lot of challenges remain because on one side, health care professionals are trying to make the world more healthful and connected through the use of technology, challenges are often a result of illogical or short-sighted business choices, not the technology challenges themselves.

When our approach will be sufficiently future focussed, interoperability and security implementations wouldn’t be cost consuming anymore. Cost to access vital data will drop, HIE will be easy, security concerns will be a few and we would be able to leverage technology more to solve some of the daily problems related to health systems, operations and delivery.

Ruchi Dass is CEO of HealthCursor Consulting based in India. 

Making Mobile Health Possible, Part 2

Earlier this week, we explored the innumerable medical breakthroughs that could stem from mobile health innovations. Today, let’s consider the security considerations to enable this.

Security Must Be Paramount

Yet, considering how sensitive and valuable medical information is, proper precautions must be taken to secure this data before mobile health can become mainstream. For instance, if hackers or disloyal employees scan or manipulate health data that is sent via mobile applications, the consequences can range from embarrassment to, frankly, death. It’s easy to understand why ensuring these connections are secure is absolutely critical.

Mobile health, however, requires special VPN functionality. For instance, it requires both extremely high security and flexibility. After all, a healthcare application might use a potentially insecure public Wi-Fi network to communicate with the IT system of a hospital or a medical office. In order to maintain security in such a scenario, the VPN client must be able to automatically adapt to these security settings.

The same requirements apply to smartphones and tablets used by nurses in elderly or outpatient care. Such solutions relay patient information—from homes or hospitals—onto the central database, typically via a VPN connection. And so again, the VPN connection must be able to flexibly adapt to various network connections, given some of amount of unpredictability of the locations. Also, considering that many healthcare workers are not trained in technology, the VPNs must be easy to use, so convenience is not traded for security.

There’s no doubt mobile health offers innumerable opportunities to lower the cost of healthcare and infinitely improve efficiencies and convenience. The question is, can we ensure that this is done securely?

New Survey Finds that Healthcare IT Pros Most Concerned About Electronic Data Breach

Healthcare IT News recently asked its readers about the healthcare data breaches that worries them the most. Not surprisingly, the vast majority (80 percent) of respondents said electronic data breach/hack, while only 13% worried about hardware theft, followed by 7% concerned about the theft or loss of paper records. This trend is warranted. For instance, a recent article in the Fort Worth Star Telegram highlighted the growing trend of doctors using smartphones, tablets to access medical data. According to the story, hospitals in North America spent $7.4 billion on electronic records in 2010 – and the 2009 stimulus act has earmarked $50 billion to help government and private healthcare providers offer EHRs over the next five years.

So what does this look like? Here’s an anecdote from the piece:

If a patient of Arlington physician Ignacio Nuñez shows up at the emergency room when the doctor is not at the hospital, he doesn’t have to wait long to start investigating what might be wrong.

The obstetrician/gynecologist can call up an expectant mother’s medical records on his iPhone, or even watch the fetus’s heartbeat on the device once the woman is connected to a hospital monitor, wherever he might be at the time.

…

According to AirStrip, the San Antonio software company that developed the app Nuñez uses, there is only a three- to five-second lag to get information to the physician’s mobile device. AirStrip also makes a version for cardiologists and has an upcoming version that will monitor other critical data in intensive care units and emergency rooms.

Groundbreaking, indeed. But what about from a security perspective? We’d like to hear from you if you work for a healthcare organization is using mobile devices this way.

Part 3, Conversation with Martin Rosner, Continua Health Alliance, on Consent Management

This week, we feature the final part of our conversation with Martin Rosner, director of standardization at Philips – North America. Rosner chairs Continua Health Alliance security and privacy discussions and contributes to relevant security initiatives within the healthcare industry. Continua Health Alliance is a non-profit, open industry organization of more than 230 healthcare and technology vendors focused on delivering interoperable health solutions.

VPN Haus: How can patients manage the sharing of their health data?
Martin Rosner: Sharing of health data can be realized only if there are means to prevent unauthorized access to the data and to protect it in accordance with security and privacy regulations. Furthermore, patient empowerment is an important aspect of preventative care—increasing the number of educated patients who have more control over their own healthcare increases the likelihood that conditions will be caught before they become more serious. Soon patients will have more fine-grained control over the dissemination of personally identifiable information as related to health status. Electronic consent that specifies and governs the use of patient health data will furthermore increase consistency, compliance and efficiency for both patients and healthcare providers in this process.

VPN Haus: What role does Continua play in this?
Rosner: Our architecture addresses several requirements enabling digital consent.  Patients should be able to define and manage their digital consent and privacy policies in a user-friendly manner, such as on an at-home device or online. Digital consent should propagate with patient data and systems of services and care providers should enforce this. Our 2011 guidelines will address the first two requirements, while work has begun to address the third requirement in the next release.

VPN Haus: Technically speaking, how does this consent management process work?
Rosner: Taking the enforcement piece aside, the 2011 specifications address consent management with the use of the HL7 CDA R2 Consent Directive standard. This recently approved draft standard for trial use defines a document format for digital consent and enables the expression of structured patient consent policies. An advantage is that it is based on CDA R2 therefore well-defined protocols exist for the exchange of these documents such as through the use of the IHE XD* family of profiles.