iPhone 3GS: Headache or Cure for the IT Department?

I recently spoke to an IT director of a large hospital system that relies on Blackberry for meeting the mobile e-mail needs of their staff. Increasingly, he sees doctors carrying two devices—a Blackberry that the IT department provides and an iPhone that the doctors have purchased.

According to this IT director, the doctors were digging into their own pockets to pay for the iPhone because it makes their jobs easier. They bought the phones themselves because the hospitals did not support them.

The iPhone is a great reference platform, providing doctors with a superior Web experience and supplying them with almost 700 medical applications available from the App Store. Three of the most popular of these apps are Epocrates Rx (free; epocrates.com/platforms/iphone), which provides a handy drug reference guide; iChart EMR ($139.99; caretools.com), which lets health professionals access electronic medical records; and OsiriX ($19.99; osirix-viewer.com/iphone), which lets doctors view radiological images. With the ultra-portable iPhone and a variety of excellent medical apps available, healthcare professionals no longer need to lug a laptop around with them.

HIPAA compliance

Until recently, most hospital IT departments did not support the iPhone because of data security and HIPAA compliance concerns. But doctors are adopting the iPhone in droves, and IT professionals realize that they have to develop a mobility management platform to monitor the syncing of these mobile devices.

To help organizations develop an effective strategy for safeguarding smartphones and PDAs, the Centers for Medicare and Medicaid Services (CMS) has published HIPAA Security Guidance for Remote Use of and Access to Electronic Protected Health Information (ePHI). This document helps healthcare IT departments determine the best way to make ePHI available to mobile healthcare users. Here is a four-step roadmap to HIPAA compliance for the iPhone.

Step 1: Know your mobile users

The IT department needs to understand how its mobile healthcare professionals access and use the information. With a growing number of healthcare-related titles in the App Store, the iPhone can potentially store a wide variety of ePHI, including electronic patient records, hospital e-mail, and more. Documenting the flow of healthcare information to and from the iPhone is the upfront work that needs to be done before IT personnel can develop a comprehensive security strategy for remote access to ePHI.

Step 2: Evolve your mobility strategy

Many IT organizations fail to recognize that their Blackberry-oriented, one-size-fits-all strategy is no longer enough. With multiple modes of communication, significant processing power, and a large array of applications, the iPhone is becoming a necessity for healthcare workers. Your IT department's mobility strategy needs to evolve to include the iPhone (and other devices).

Step 3: Put safeguards in place

To fully comply with the CMS guidance, healthcare IT departments must implement a wide security array including endpoint security, network access control, and user compliance. The iPhone 3GS makes the grade for HIPAA compliance with features such as always-on data encryption, but you also need a centralized console with device management facilities and reporting tools. The ideal platform solution must include:

  • A self-service portal that allows end-users to activate policies on their personal device.
  • A flexible device agent that lets IT departments secure and manage a wide variety of device platforms.
  • Policy-controlled security that protects against hacker access and device loss.
  • A dedicated and centralized management console decoupled from your e-mail server to simplify policy implementation and user support.
  • A compliance management and reporting facility to ensure that users adhere to IT policy and provide compliance proof.

Step 4: Enforce user compliance

An organization's HIPAA security policies are only effective if users comply with them, so make sure that your mobile device security policies are persistent. IT professionals need compliance management facilities that use smartphone-aware Network Access Control (NAC) to make sure that users "toe the line." These intelligent filters, deployed in the network DMZ, compel users to follow IT policies by making access to e-mail contingent upon device compliance. In essence, the security posture of the iPhone is checked whenever it syncs e-mail, and data is only transmitted to iPhones that have been secured per the Federal government's guidelines.
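The posture-gated sync described in Steps 3 and 4, as an added illustration that is not from the article or any vendor product: a device agent reports its security posture, a NAC-style gate allows e-mail only to compliant devices, and every decision is logged for the compliance reporting facility. The posture fields, policy thresholds and sample devices are assumptions constructed for this example.

```python
from dataclasses import dataclass

# Policy thresholds are assumed values for this example, not figures from the article.
POLICY = {"min_passcode_len": 6, "max_auto_lock_min": 5, "min_os": (3, 0)}


@dataclass
class DevicePosture:
    """Constructed posture report a device agent would send at sync time."""
    device_id: str
    encryption_on: bool   # hardware data encryption enabled
    passcode_len: int     # 0 means no passcode is set
    auto_lock_min: int    # minutes of inactivity before the device locks
    os_version: tuple     # e.g. (3, 0)
    jailbroken: bool


def evaluate(p: DevicePosture) -> list:
    """Return the list of policy violations; an empty list means compliant."""
    violations = []
    if not p.encryption_on:
        violations.append("data encryption disabled")
    if p.passcode_len < POLICY["min_passcode_len"]:
        violations.append("passcode missing or too short")
    if p.auto_lock_min > POLICY["max_auto_lock_min"]:
        violations.append("auto-lock interval too long")
    if p.os_version < POLICY["min_os"]:
        violations.append("OS version below minimum")
    if p.jailbroken:
        violations.append("jailbroken device")
    return violations


def gate_sync(p: DevicePosture, audit_log: list) -> bool:
    """NAC decision: release e-mail (and any ePHI in it) only to a compliant device.
    Each decision is appended to audit_log so the reporting facility can prove compliance."""
    violations = evaluate(p)
    audit_log.append({"device": p.device_id, "allowed": not violations, "violations": violations})
    return not violations


def compliance_report(audit_log: list) -> dict:
    """Summarise sync decisions for the compliance management and reporting facility."""
    allowed = sum(1 for e in audit_log if e["allowed"])
    return {"checked": len(audit_log), "compliant": allowed, "blocked": len(audit_log) - allowed}


if __name__ == "__main__":
    log = []
    good = DevicePosture("dr-smith", True, 6, 5, (3, 0), False)   # constructed sample
    bad = DevicePosture("dr-jones", False, 0, 15, (2, 2), False)  # constructed sample
    print(gate_sync(good, log), gate_sync(bad, log))  # True False
    print(compliance_report(log))
```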

Follow these four steps, and your CIO/IT team can be confident that sensitive network data and patient information will remain secure on the iPhone, or any mobile device.

Creating a HIPAA-compliant IT solution
Fall 2009