Use of mobile technology is ubiquitous in the current healthcare ecosystem, and there are legal and ethical considerations when mobile devices (mDevices) are part of the care system. In the United States, the Health Insurance Portability and Accountability Act (HIPAA, 1996) and its implementing regulations from the Department of Health and Human Services, the Privacy Rule (formally the Standards for Privacy of Individually Identifiable Health Information; compliance required from 2003) and the Security Rule (compliance required from 2005 for most covered entities and 2006 for small health plans), together with the Health Information Technology for Economic and Clinical Health (HITECH) Act (2009), aim to protect the privacy and security of individual health information. These regulations define expectations for privacy and security and describe the consequences of non-compliance. Healthcare ethics is concerned with (1) providing care, (2) preventing harm (non-maleficence), (3) maintaining relationships, (4) meeting needs and respecting interdependence, and (5) considering the context and situation of the care system (Mastrian et al., 2021).
The Office of the National Coordinator for Health Information Technology (ONC) provides guidance on the use of mobile devices in health care (HealthIT.gov, 2019). It suggests the following five steps:
1. Decide: whether mobile devices will be used to access, receive, transmit or store health information, or to connect to an existing system such as the EHR.
2. Assess: how mobile devices change the risks to that information, including the threats and vulnerabilities introduced by device loss, unintentional disclosure, external attack, deliberate insider misuse and insecure networks.
3. Identify: a risk management strategy, including the privacy and security safeguards that will be applied.
4. Develop, document and implement: mobile device policies and procedures, including bring-your-own-device (BYOD) rules, restrictions on use, and required security settings such as passcodes or biometric locks.
5. Train: all users on the policies and on how to protect health information on their devices.
The five steps above can be the foundation for an inclusive smartphone/mDevice use plan informed by the stakeholders who are experts in their roles: practitioners, educators, IT professionals, the legal department and compliance/risk managers. The five rights of information systems should also be considered: (1) the right information, (2) accessible by the right people, (3) using the right settings, (4) applied in the right way, (5) at the right time (McGonigle et al., 2021).

Institution-provided devices should ideally remain with the assigned person or be held in a secure place, such as a locked office or briefcase, when not in use. Access to applications or files containing protected health information (PHI) should be approved by IT or leadership before it is granted, and the system design should allow for tiered levels of access or the siloing of certain information so that each user sees only what their role requires. Use of a personal device should be covered by its own specific plan. Device access should require multi-factor authentication, meaning two or more independent factors drawn from something you know, something you have and something you are; a passcode plus a PIN is two instances of the same factor, not two factors. Options for securing the device include screen lock codes, passphrases, biometrics, behavioral fingerprinting, badge scans and QR code scans (Smith et al., 2017).

All users should be trained in the technology from both operational and ethical perspectives, including proper use and what to do if a device is lost, stolen or otherwise compromised. Users should sign a document committing them to maintain security and privacy and to keep their devices to the expected standard, for example by installing software updates promptly. Training should introduce common compromises such as malware and phishing, be ongoing with regularly scheduled refreshers, and cover both retraining on existing technology and the introduction of new technology. Technical support must be available at all times.
All data should be encrypted both on the device and in transit: PHI should travel only over secured channels such as a Virtual Private Network (VPN) or an encrypted (TLS) connection to the organization's application programming interfaces (APIs), and it should be backed up. Remote wipe, or at minimum the ability to revoke a lost or stolen device's access, should be in place before devices are issued. Security should be monitored through logging of access, intrusion detection systems and regular audits of use.
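The access-logging and audit controls in this paragraph, together with the approve-before-access and device-ownership rules above, can be turned into a concrete review. The following Python script is an added example, not part of the original page and not ONC or HHS guidance: it audits a constructed mobile PHI access log against a constructed device inventory and care-team roster, flagging access from unknown or lost devices, access to patients outside the user's assignments, and a user opening many patient records within a short window. The inventory fields, status values, roster format, thresholds and log layout are all assumptions for the example.

```python
"""Audit mobile PHI access records against a device inventory and care-team roster.
Added example with constructed data; schema, status values and thresholds are assumed."""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed MDM inventory: device_id -> (assigned user, enrollment status).
DEVICES = {
    "dev-101": ("rn.alvarez", "enrolled"),
    "dev-102": ("md.chen", "enrolled"),
    "dev-103": ("rn.alvarez", "lost"),  # reported lost; remote wipe pending
}

# Constructed care-team roster: user -> patients the user is approved to access.
ASSIGNMENTS = {
    "rn.alvarez": {"P-0001", "P-0002"},
    "md.chen": {"P-0001", "P-0003"},
}

# Assumed policy values: more than BULK_THRESHOLD distinct patients opened by
# one user inside WINDOW is queued for review as possible record browsing.
BULK_THRESHOLD = 3
WINDOW = timedelta(minutes=10)

# Constructed access log exported from the mobile EHR client, one record per line:
# "<ISO timestamp> <user> <device_id> <patient_id> <action>"
ACCESS_LOG = """\
2024-03-04T08:01:10 rn.alvarez dev-101 P-0001 view
2024-03-04T08:02:30 rn.alvarez dev-101 P-0002 view
2024-03-04T08:05:00 rn.alvarez dev-103 P-0001 view
2024-03-04T09:10:00 md.chen dev-102 P-0002 view
2024-03-04T09:11:00 md.chen dev-999 P-0003 view
2024-03-04T09:12:00 md.chen dev-102 P-0001 view
2024-03-04T09:13:00 md.chen dev-102 P-0003 edit
2024-03-04T09:14:00 md.chen dev-102 P-0004 view
"""


@dataclass
class Access:
    ts: datetime
    user: str
    device: str
    patient: str
    action: str


@dataclass
class Finding:
    kind: str
    user: str
    detail: str


def parse_log(text: str) -> list:
    """Parse one access record per non-empty line; a malformed line raises."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, device, patient, action = line.split()
        records.append(Access(datetime.fromisoformat(ts), user, device, patient, action))
    return records


def audit(records: list) -> list:
    findings = []
    # Per-record checks: known and still-trusted device, used by its owner,
    # and a documented reason (roster assignment) for the user to see the patient.
    for r in records:
        entry = DEVICES.get(r.device)
        if entry is None:
            findings.append(Finding("unknown_device", r.user, f"{r.device} at {r.ts.isoformat()}"))
        else:
            owner, status = entry
            if status != "enrolled":
                findings.append(Finding(f"{status}_device", r.user, f"{r.device} at {r.ts.isoformat()}"))
            elif owner != r.user:
                findings.append(Finding("device_owner_mismatch", r.user, f"{r.device} belongs to {owner}"))
        if r.patient not in ASSIGNMENTS.get(r.user, set()):
            findings.append(Finding("no_treatment_relationship", r.user, f"{r.patient} at {r.ts.isoformat()}"))

    # Per-user sliding window: distinct patients touched within WINDOW ending at each record.
    by_user = {}
    for r in sorted(records, key=lambda a: a.ts):
        by_user.setdefault(r.user, []).append(r)
    for user, recs in by_user.items():
        for i, r in enumerate(recs):
            distinct = {a.patient for a in recs[: i + 1] if r.ts - a.ts <= WINDOW}
            if len(distinct) > BULK_THRESHOLD:
                findings.append(Finding("bulk_access", user, f"{len(distinct)} patients within {WINDOW}"))
                break  # one finding per user is enough for the review queue
    return findings


def run_audit() -> list:
    return audit(parse_log(ACCESS_LOG))


def summarize(findings: list) -> dict:
    """Count findings by kind, for a dashboard line or a test."""
    return dict(Counter(f.kind for f in findings))


if __name__ == "__main__":
    for f in run_audit():
        print(f"{f.kind:26} {f.user:12} {f.detail}")
```

Run as a script it prints five findings from the constructed log: one access from an unknown device, one from a device reported lost, two accesses to patients outside the user's roster, and one bulk-access flag for the user who opened four patients in five minutes. In practice the inventory and roster would be pulled from the MDM and the scheduling system rather than hard-coded, and the findings would feed the audit process that the paragraph above calls for.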
Mobile technology provides immediate access to information and lets work be integrated into increasingly active and untethered lives. Responsible use, however, demands consideration of and compliance with regulatory and ethical principles so that everyone involved is protected.
References
-Bromwich, M., & Bromwich, R. (2016). Privacy risks when using mobile devices in health care. CMAJ: Canadian Medical Association Journal, 188(12), 855–856. https://doi.org/10.1503/cmaj.160026
-Department of Health and Human Services: HealthIT.gov. (n.d.). Managing Mobile Devices in Your Health Care Organization. https://www.healthit.gov/sites/default/files/fact-sheet-managing-mobile-devices-in-your-health-care-organization.pdf
-HealthIT.gov. (2019, September 23). Five Steps Organizations Can Take to Manage Mobile Devices Used By Health Care Providers and Professionals. https://www.healthit.gov/topic/privacy-security-and-hipaa/five-steps-organizations-can-take-manage-mobile-devices-used
-Mastrian, K., McGonigle, D., & Gialanella, K. M. (2021). Ethical and Legal Aspects of Health Informatics. In K. G. Mastrian & D. McGonigle (Eds.), Informatics for Health Professionals (2nd ed., pp. 69–108). Burlington, MA: Jones and Bartlett Learning.
-McGonigle, D., & Mastrian, K. (2021). Systems Development Life Cycle. In K. G. Mastrian & D. McGonigle (Eds.), Informatics for Health Professionals (2nd ed., pp. 109–121). Burlington, MA: Jones and Bartlett Learning.
-McGonigle, D., Mastrian, K., & McGonigle, C. (2021). Introduction to Information, Information Science, and Information Systems. In K. G. Mastrian & D. McGonigle (Eds.), Informatics for Health Professionals (2nd ed., pp. 19–30). Burlington, MA: Jones and Bartlett Learning.
-NaseriBooriAbadi, T., & Sheikhtaheri, A. (2020). Information Privacy and Pervasive Health: Frameworks at a Glance. Journal of Biomedical Physics & Engineering, 10(5), 553–558. https://doi.org/10.31661/jbpe.v0i0.398
-Reeves Bertin, L., McGonigle, D., & Mastrian, K. (2021). Electronic Security. In K. G. Mastrian & D. McGonigle (Eds.), Informatics for Health Professionals (2nd ed., pp. 157–170). Burlington, MA: Jones and Bartlett Learning.
-Smith, K. A., Zhou, L., & Watzlaf, V. (2017). User Authentication in Smartphones for Telehealth. International Journal of Telerehabilitation, 9(2), 3–12. https://doi.org/10.5195/ijt.2017.6226
-U.S. Department of Commerce: National Institute of Standards and Technology. (n.d.).