The Office of the National Coordinator for Health IT is studying use of mobile devices in small healthcare environments. The goal: new mobile security guidance that will be released in 2013.

The Office of the National Coordinator for Health IT next spring will release a guidance to help small and mid-sized healthcare providers secure mobile devices. In preparing these best practices, ONC has several projects underway studying how mobile devices are used in these smaller healthcare environments.

“Because these devices are not stationary, they are prone to theft or to loss,” says Will Phelps, an IT security specialist working in the Office of the Chief Privacy Officer in an interview. The Office of Chief Privacy Officer is responsible for advising the National Coordinator and coordinating with other federal agencies, states, regional efforts and internationally on privacy, security, and health data stewardship issues.

In fact, 54% of the 464 HIPAA breaches affecting 500 or more individuals reported to the Department of Health and Human Services between September 2009 and July 2012 involved the loss or theft of unencrypted mobile devices such as laptops and storage devices.

Because smaller doctor practices generally don’t have a deep pool of resources to get data security help, ONC aims to assist these smaller healthcare providers in tackling health IT issues, including mobile security.

Among ONC’s efforts underway to study smaller providers is the Endpoint Security Project, in which ONC has built a lab mirroring health IT implementations commonly found in small and mid-sized doctor offices and healthcare settings, which frequently include tablet and laptop computers, smartphones, as well as desktops and storage media.

At the end of the Endpoint Security Project, ONC will release configuration settings to help small-to-moderate-sized providers safeguard their mobile devices for healthcare settings, he says. Initially, ONC aimed to issue a security guidance to small providers this fall, but that’s been pushed to the spring because the projects by ONC to study these small providers are still ongoing.

In the interview, Phelps also discusses:

ONC’s processes for developing best practices for small providers to securely use mobile devices, such as tablets and laptop computers;
Why many consumer-oriented mobile devices aren’t suitable for healthcare settings;
Why providers need to learn basic data security maneuvers, like how to turn on the encryption that some mobile devices, including iPads, now ship with.

It’s important for ONC to offer guidance to smaller healthcare providers because a lack of data security attention by these doctor practices can have a trickle-down effect that impacts more than just their own organizations.

“Smaller healthcare providers exchange data with other providers, including larger organizations. There’s potential to introduce risks to sensitive information in these environments,” he says. “You’re only a strong as the weakest link.”

Prior to joining ONC last year as a member of the Office of Chief privacy Officer’s health IT cybersecurity program team, Phelps spent more than a decade in other IT security positions within the federal government and commercial sectors. That work included information security related positions within FEMA and the National Institutes of Health.