Portable Devices and PHI

I recently sent the following to a behavioral health researcher who was planning to develop a mobile application for clinicians that would include client information. I believe it may be of interest to others who are considering the use of smartphones and laptops in their clinical practice:

“As you know, any high-technology product aimed at the medical market (defined in the sense of being subject to the Federal privacy regulations HIPAA and HITECH) needs to not only take all appropriate steps to protect the clients’ identity and other protected health information (PHI), but it must do so demonstrably. By that, I mean that it must protect the information and also appear to protect it to the satisfaction of funders, consumers and regulators.

“When we are serving the portion of the medical market which includes consumers of substance-abuse treatment (broadly defined) we must also satisfy the Federal privacy regulations found in 42 C.F.R. Part 2. These regulations represent a thornier matter for the provider of technology services not only because they are much stricter than HIPAA and HITECH, but they were written long before digital exchange of PHI was common, and thus were not written with an eye to ease of compliance (as were HIPAA and HITECH).

“In our particular application, then, we must look at two concerns:
- Will we be putting PHI at an unusual risk; and
- Will we be able to readily convince the reviewers at SAMHSA that our product is adequately secure.

“We all have heard about high-profile security breaches caused by sensitive data being stored on a portable device (typically a laptop) which is then either left in a public place or is stolen from a car or home. Credit card companies, hospitals and nuclear weapons laboratories have all found themselves on the front pages in recent years in this way, and they are never able to explain the breach away – because it is indefensible that the data in question were ever stored on a portable device in the first place.

“Portable devices are by their nature insecure. When we designed [a recent online assessment system], like any system designed to protect sensitive data, we designed “rings” of protection. The data were encrypted. Access to the servers both from the Internet and from within the data center was carefully restricted. And finally, physical access to the server devices was controlled in the most rigorous manner. This is, obviously, not possible with a laptop in the back seat of a car, in a hotel room or on a living room table. This is even less possible with a cell phone, which will tend to be on its user’s person most of their waking hours and can be dropped or stolen as easily as a wallet or a pair of glasses.

“So, from my personal professional perspective, without a compelling reason to use the cell phone as the platform for this application, physical security concerns strongly suggest a more secure platform. Added to this is the relative newness of the Android or iOS (iPhone) software environments. With years of experience (years from now), we will have a good idea how to measure and mitigate risk on those platforms, as we have learned to measure and mitigate risk on the more mature hardware/software environments. While Android is based on a Linux kernel, which has a good history, its application on the cell phone hardware, using the cell network, is largely unproven ground. This also tends to concern me. I’m excited about Android and have plans to develop for it, but nothing that needs to be secure.

“The IT engineers at SAMHSA will be asking themselves similar questions, and will very possibly come to a similar conclusion. We will have to write a Security Plan and submit it to them, and it will not have the same components that they are expecting. Were we to put my concerns to rest, we would then have to do the same in the Security Plan, and I would expect that would be difficult to write, and would be given extremely close scrutiny.

“Taken as a whole, my considered judgment is that the prudent course of action would be to redesign the application to use a more conventional architecture – a server behind a firewall in a secure data center – one that we can be more confident of securing and more confident of getting approved.”
