Case Study: Securing Patient Data on Smart Phones

Florida Hospital describes its strategy
Hospitals and clinics that want to provide administrators and clinicians with smart phones need to make smart choices regarding key security issues.

Florida Hospital's selection of which smart phones to use was driven, in large part, by security factors, says Todd Frantz, associate chief technology officer for the Orlando hospital. Although many of the very latest smart phones designed for consumers offer intriguing applications and features, some lack adequate security for business use, he contends.

One security adviser urges healthcare organizations to take a close look at smart phones' features to help ensure compliance with federal regulations, including the HITECH Act.

"Obviously, the user functionality needs to be there, but a portable device that will be used to access or store confidential information really needs to have good security features too," says Kate Borten, president of the Marblehead Group. "Portable devices are at high risk of loss and theft, and organizations must protect their information assets, both to protect patients and to avoid regulatory penalties."

Frantz's advice to other hospitals choosing smart phones is:

  • Consider the business problem you are trying to solve and determine which device addresses it best.
  • Be sure to select a device designed to meet the needs of a large business enterprise.
  • Make sure any data exchanged is encrypted.

Nearly 2,000 users

Some 1,800 administrators and clinicians at the 2,200-bed Florida Hospital are using Blackberry devices from Research in Motion Ltd. for secure e-mail and text messaging. The Blackberries' security features won out over rival smart phones' more intriguing applications and interfaces.

"Blackberries aren't quite as cool and sexy and gee-whiz, whiz-bang fancy as other phones because they have some features that feel a little heavy compared to a purely consumer-focused device," Frantz acknowledges. "But the Blackberry people started with a secure platform mindset and are building toward a touchy-feely functionality, where some other companies are doing the opposite."

The Blackberry Enterprise Server Infrastructure makes managing security at the data center level easier, Frantz contends. The infrastructure contains "all of the tools to manage a fleet of Blackberries," he points out. "So, for example, one of our Blackberry administrators can change a setting for passwords. The platform pushes policy settings out to the handhelds."

Blackberry Enterprise Server communicates with the hospital's Microsoft Exchange e-mail servers, handling user authentication and encrypting all messages, Frantz says.

Next steps

For Florida Hospital, the initial "killer app" for smart phones was messaging, Frantz stresses. The hospital is not yet enabling clinicians to use Blackberries to link to clinical systems or devices, such as to view a cardiac waveform.

While it's relatively easy to configure the Blackberries for clinical system access, it's much tougher to gather the data from cardiac monitors and other systems, Frantz contends. "Collecting the data that you want to get to the Blackberries is much more work," he says. "I'm sure we'll get there eventually."

About the Author

Howard Anderson


News Editor, ISMG

Howard J. Anderson is news editor of Information Security Media Group and was founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 34 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.
