mhealth security cronin


7/29/2019 Mhealth Security Cronin

MOBILE HEALTH AND SECURITY

Ten Questions You Should Ask Before Implementing An mHealth Solution

By: Mary J. Cronin, MedHealthWorld

Feb 21, 2011


About the Author

Mary J. Cronin, Ph.D. is a Professor of Information Systems at Boston College, Carroll School of Management. Her latest book, Smart Products, Smarter Services: Strategies for Embedded Control (Cambridge University Press, 2010), analyzes the impact of connected health solutions, mobile and wireless applications and medical devices on the healthcare industry. Dr. Cronin is an editor for MedHealthWorld, covering electronic medical records, healthcare IT and mHealth.

About Diversinet

Diversinet Corp. (TSX Venture: DIV, OTCBB: DVNTF) provides a patented and proven secure application platform that enables healthcare organizations to rapidly deploy HIPAA-compliant mobile healthcare (mHealth) applications to anyone, anytime, anywhere, on mobile devices. Diversinet's MobiSecure platform helps payers and providers meet growing needs for safe, convenient, on-the-go storage and sharing of personal health data. Connect with Diversinet Corp. at www.diversinet.com. Its tagline is "Healthcare. Connected and Protected."

For More Information

For more information about Diversinet, or for a discussion of mobile health solutions and strategies, you can send an email to [email protected] or visit the Diversinet website at www.diversinet.com.

Diversinet Corp., the Diversinet logos, MobiSecure and all other Diversinet product or service names are trademarks of Diversinet Corp. Diversinet products are covered by patents and other patents pending.


Table of Contents

EXECUTIVE SUMMARY ... 4
INTRODUCTION ... 5
HIPAA SECURITY REQUIREMENTS: IMPLICATIONS FOR PROTECTING MOBILE PHI ... 6
THE MOBILE SECURITY VENDOR LANDSCAPE ... 9
10 QUESTIONS TO ASK MHEALTH SOLUTION PROVIDERS ABOUT MOBILE HEALTH DATA AND PHI SECURITY ... 10
OVERVIEW OF MOBISECURE: CONNECTED AND PROTECTED MOBILE HEALTH DATA ... 11
    MOBISECURE PLATFORM COMPONENTS ... 11
IMPLEMENTING SECURE MOBILE HEALTH PROGRAMS: MOBISECURE CASE STUDIES ... 13
    US ARMY MCARE FOR WOUNDED WARRIORS ... 13
    MIHEALTH AT THE BLUE SKY FAMILY HEALTH TEAM ... 15
REFERENCES ... 16


EXECUTIVE SUMMARY

This Mobile Health and Security white paper analyzes HIPAA security requirements and mobile health security best practices to assist healthcare organizations in evaluating and implementing secure and fully compliant mobile health solutions. The section on HIPAA Security Requirements: Implications for Protecting Mobile PHI reviews the HIPAA Security Rule Technical Safeguards for Protected Health Information (PHI) and discusses the mobile security best practices that directly relate to each Technical Safeguard.

With so many mobile health and mobile security solutions competing for attention in today's marketplace, it's challenging to compare various implementation options and vendor security architectures. As a tool for evaluating vendor proposals for secure and compliant mobile health solutions, the Mobile Security Vendor Landscape section recommends 10 Questions To Ask mHealth Solution Providers About Mobile Health Data and PHI Security.

The features of Diversinet's MobiSecure Platform are presented as an example of a secure, scalable and fully compliant option for mobile health implementation in the Overview of MobiSecure: Connected and Protected Mobile Health Data section. This section explains the capabilities and applications of MobiSecure Publisher and MobiSecure SMS and illustrates MobiSecure's security architecture for end-to-end protection of PHI across hundreds of mobile device platforms.

While mobile health security is an essential foundation for mHealth implementation, the most important impact is improving patient health outcomes and caregiver effectiveness. The benefits of secure mobile health programs for caregivers and for patients are illustrated through MobiSecure case studies of the U.S. Army's mCare project and the Blue Sky Family Health Team in North Bay, Canada in the final section, Implementing Secure Mobile Health Programs.

Mobile health solutions have enormous potential to improve the quality of care for individual patients as well as overall healthcare system effectiveness. Mobile devices offer caregivers and healthcare consumers an always-on, two-way communication channel that can provide instant access to vital patient data, diagnostic test results, and care management for chronic diseases. mHealth applications can streamline routine processes such as appointment scheduling, medication reminders and prescription refills. However, even though the majority of U.S. consumers rely on their mobile phones as their primary means of communication and express a strong interest in using mHealth applications, many care providers and healthcare organizations do not yet offer their patients mobile access to personal health data. Concerns about mobile security and the implications of HIPAA security requirements for Protected Health Information (PHI) on mobile devices need to be addressed before mHealth applications can fulfill their promise.


INTRODUCTION

Will 2011 mark a turning point in the adoption of mobile health applications and information services by health care organizations? Many indicators suggest so, including:

• Thousands of mobile health apps and wireless health monitoring devices are already available for health-conscious consumers.

• Smartphones and wireless devices with features that improve efficiency at the point of care are increasingly common among physicians and caregivers. Manhattan Research, in its annual "Taking the Pulse" study of physicians and health care technology, reported in April 2010 that 72% of doctors use smartphones personally and professionally, with that number expected to jump to 81% in 2012.[i]

• Implementation of electronic health records (EHR) and medical practice management tools is accelerating, spurred by the Health Information Technology for Economic and Clinical Health (HITECH) Act. This is providing a foundation for direct electronic communication with patients about everything from diagnostic test results to immunization records and medical appointments.

• New models of medical reimbursement that reward improved patient health outcomes are creating pressure to leverage the efficiency and immediacy of mobile interactions with patients.

On the consumer front, mobile phones have already become the primary means of communication. More than 292 million Americans, or 90% of the U.S. population, have a mobile phone.[ii] And whether the mobile subscriber is a teenager, a parent, or a senior citizen, the phone they already carry with them can become a vital source of medical information, healthcare support and interactions with caregivers and insurers.

Despite these drivers, mHealth solutions are not yet available to the majority of patients who could benefit from them. Many healthcare providers and insurers still are on the sidelines when it comes to transmitting sensitive health information to patients' mobile phones, for a number of reasons:

• Concerns about the security of mobile devices.

• The challenge of complying with the Health Insurance Portability and Accountability Act (HIPAA) privacy and security requirements for protected health information (PHI) in a mobile context.

• The proliferation of mobile devices, mHealth apps, and vendors offering different strategies for securing mobile health data.

To assist healthcare organizations in evaluating and implementing secure and compliant mobile health solutions, this White Paper analyzes how HIPAA's Technical Safeguards for securing protected health data apply in a mobile health setting. It recommends 10 Questions About Mobile Health Data and PHI Security that healthcare organizations should ask their solution providers and mobile health vendors.


Additionally, the features of Diversinet's MobiSecure Platform are presented as an example of a secure, scalable and fully compliant option for mobile health implementation. The benefits of secure mobile health programs for caregivers and for patients are illustrated through MobiSecure case studies of the U.S. Army's mCare project and the Blue Sky Family Health Team in North Bay, Canada.

HIPAA SECURITY REQUIREMENTS: IMPLICATIONS FOR PROTECTING MOBILE PHI

This section presents the relevant technical provisions of the HIPAA Security Rule regarding the responsibilities of hospitals, healthcare providers, insurers and payer organizations (collectively referred to as covered entities), as well as the companies with which they work to deliver services (referred to as business associates). It also discusses the risks covered entities incur by not addressing these rules and the penalties that may be imposed for PHI privacy and security breaches.

How do the current HIPAA privacy and security requirements for safeguarding patient health data and PHI relate to the implementation of mobile health services? Mobile devices share some security vulnerabilities with electronic health records (EHR) communication via PCs, but the safeguards routinely applied to computing are not enough to ensure mobile phone PHI protection. Mobiles have additional, less well-known vulnerabilities that must be taken into consideration when implementing mobile security best practices.

The HIPAA Security Rule, available on the Health and Human Services web site at http://www.hhs.gov, covers the security of PHI in electronic form and establishes national standards to protect individuals' electronic PHI. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.[iii] This includes ensuring that business associates entrusted with PHI will establish policies and procedures to appropriately safeguard the PHI they receive, create, maintain, or transmit.

For the past several years, healthcare organizations have focused on securing PHI on servers, Internet-based systems, and computers. Since mobile health still is in an early stage of adoption, the unique challenges of mobile PHI security have not received as much attention, but this is changing for a number of reasons:

• More caregivers and consumers routinely access confidential health data on mobile devices, making it critical to implement mobile-specific security solutions.

• Smartphones are overtaking laptops and PCs in popularity and numbers shipped.

• Attacks on mobile devices are forecast to increase dramatically over the next few years. Mobile subscribers often are unaware of the potential for these attacks and are less likely to take basic security precautions when accessing mobile data.

• Treating smartphones and mobile devices simply as another type of PC is not sufficient, as described by the National Institute of Standards and Technology (NIST), which states, "The security issues for cell phones and PDAs range beyond those of other computer equipment. Moreover, many common safeguards available for desktop and networked computers are generally not as readily available across a broad spectrum of handheld device types."[iv]


In evaluating the security risks of accessing and storing PHI on a mobile device, healthcare providers and payers should assume that the security built into today's mobile devices is not sufficient, regardless of operating systems, messaging capabilities or applications. As with protecting desktop data and the security of Internet transmissions, covered entities have to take additional steps to ensure that they and their business partners are meeting federal and state security requirements for mobile data security.

The following table summarizes the most relevant HIPAA Security Rule provisions in relation to known mobile device and wireless security issues and lists mobile security best practices to overcome the risks for security breaches and exposure of PHI in mobile health communications and applications.

THE HIPAA SECURITY RULE: TECHNICAL SAFEGUARDS, AND THE MOBILE SECURITY BEST PRACTICES THAT ADDRESS EACH

Access Controls
    Unique User Identification (Required); Emergency Access Procedure (Required); Automatic Logoff (Addressable); Encryption (Addressable)
    Mobile security best practices:
    • Provide a method for the unique identification of both the mobile device and the individual device owner.
    • Enable generation and distribution of unique encryption keys to ensure that only authorized handsets are provisioned.
    • Provide automatic timeout, logoff and device lock.
    • Encrypt PHI data stored on the mobile device.

Audit Controls
    Record Internal Uses of PHI by User (Required)
    Mobile security best practice:
    • Generate confirmations of PHI message delivery and message read.

Integrity
    Mechanism to Authenticate Electronic PHI (Addressable)
    Mobile security best practice:
    • Verify client authenticity and message integrity prior to routing PHI data.

Person or Entity Authentication
    Person or Entity Seeking Access Is the One Claimed (Required)
    Mobile security best practices:
    • Authenticate the individual mobile user and identify the specific mobile device before allowing access to the secured PHI data on that device.
    • PHI cannot be read by non-authorized users: even if the phone owner forwards a message or resends it by mistake to another recipient, that recipient will not be able to read it because it remains encrypted and locked to the original phone.

Transmission Security
    Integrity Controls (Addressable); Encryption (Addressable)
    Mobile security best practice:
    • Two-way encryption for all PHI data transmitted to and from the mobile device.

Since the publication of the 2003 HIPAA Security Rule, the passage of both the American Recovery and Reinvestment Act (ARRA) and the HITECH law have added to the complexity of defining final rules for the implementation of electronic medical records, as well as for the enforcement of PHI privacy and security regulations. For instance:


• The Security Rule requires a risk-based security assessment and the implementation of appropriate policies and procedures by covered entities, as well as by their business associates.

• ARRA extends the applicability of the HIPAA Security Rule directly to business associates and brings the Federal Trade Commission into the health regulatory landscape to regulate the privacy and security of Personal Health Record (PHR) systems.

• Designating security areas as "addressable" in the HIPAA Security Rule does not mean the practices are optional or that covered entities are not required to implement the security safeguards listed. For example, the HIPAA Final Security Rule of February 2003 states, "Covered entities are encouraged to consider use of encryption technology for transmitting electronic protected health information, particularly over the Internet."

• The Centers for Medicare and Medicaid Services, which is responsible for enforcing the HIPAA Security Rule, recommends two-factor authentication as the authentication technical standard for remote access to PHI.
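The safeguard table above pairs Access Controls, Integrity, Person or Entity Authentication and Transmission Security with device-bound encryption, verification before routing, and messages that stay locked to the original phone. The following is an added example (not Diversinet's MobiSecure code) that models those controls with Python standard-library primitives; the handset identifiers, user names and lab result are constructed, and HMAC-SHA256 in counter mode stands in for a real authenticated cipher such as AES-GCM.

```python
"""Device-bound PHI message envelope: an added example, not Diversinet's MobiSecure code.
Models the safeguard table with Python standard-library primitives only:
  Access Controls - a unique key is provisioned per handset;
  Transmission Security - each message uses a dynamic per-message key;
  Integrity / Audit Controls - client authenticity and message integrity are
    verified before routing, and every routing decision is logged;
  Person or Entity Authentication - a forwarded envelope cannot be opened on
    another handset; it stays locked to the original phone.
Assumption: HMAC-SHA256 in counter mode stands in for AES-GCM (keeps this dependency-free).
"""
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass

def derive(key: bytes, *labels: bytes) -> bytes:
    """One-step HKDF-style derivation: HMAC-SHA256(key, label_1 || 0x00 || label_2 ...)."""
    return hmac.new(key, b"\x00".join(labels), hashlib.sha256).digest()

def prf_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with HMAC-SHA256(key, nonce || block_counter) blocks; its own inverse."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hmac.new(key, nonce + struct.pack(">I", i // 32), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

@dataclass(frozen=True)
class Envelope:
    device_id: str    # handset the message is locked to
    user_id: str      # authenticated owner of that handset
    nonce: bytes      # fresh per message; drives the per-message keys
    ciphertext: bytes
    tag: bytes        # HMAC over device_id, user_id, nonce and ciphertext

def message_keys(device_key: bytes, nonce: bytes):
    """Dynamic per-message keys: one for confidentiality, one for integrity."""
    mk = derive(device_key, b"msg", nonce)
    return derive(mk, b"enc"), derive(mk, b"mac")

def seal(device_key: bytes, device_id: str, user_id: str, phi: bytes) -> Envelope:
    """Encrypt PHI for exactly one provisioned handset (used in either direction)."""
    nonce = secrets.token_bytes(16)
    enc_key, mac_key = message_keys(device_key, nonce)
    ct = prf_xor(enc_key, nonce, phi)
    aad = f"{device_id}|{user_id}|".encode() + nonce   # identities are authenticated, not hidden
    tag = hmac.new(mac_key, aad + ct, hashlib.sha256).digest()
    return Envelope(device_id, user_id, nonce, ct, tag)

def verify(device_key: bytes, env: Envelope) -> bool:
    """Client authenticity and message integrity check, with a constant-time compare."""
    _, mac_key = message_keys(device_key, env.nonce)
    aad = f"{env.device_id}|{env.user_id}|".encode() + env.nonce
    expected = hmac.new(mac_key, aad + env.ciphertext, hashlib.sha256).digest()
    return hmac.compare_digest(expected, env.tag)

def open_envelope(device_key: bytes, env: Envelope):
    """Return the PHI only if this handset's key verifies the envelope; otherwise None."""
    if not verify(device_key, env):
        return None
    enc_key, _ = message_keys(device_key, env.nonce)
    return prf_xor(enc_key, env.nonce, env.ciphertext)

class Gateway:
    """Server side: provisions handset keys, verifies before routing, keeps an audit trail."""
    def __init__(self):
        self.handsets = {}  # device_id -> (user_id, device_key)
        self.audit = []     # (event, device_id, user_id)

    def provision(self, device_id: str, user_id: str) -> bytes:
        """Unique key per handset; returned here only so the demo can play the handset side."""
        self.handsets[device_id] = (user_id, secrets.token_bytes(32))
        return self.handsets[device_id][1]

    def route(self, env: Envelope) -> bool:
        """Accept a mobile-originated envelope only from a provisioned handset whose tag verifies."""
        entry = self.handsets.get(env.device_id)
        ok = entry is not None and entry[0] == env.user_id and verify(entry[1], env)
        self.audit.append(("delivered" if ok else "rejected", env.device_id, env.user_id))
        return ok

def demo() -> dict:
    """Constructed scenario: a lab result sent to handset A, then forwarded by mistake to B."""
    gw = Gateway()
    key_a = gw.provision("IMEI-A-0001", "patient.alice")   # constructed identifiers
    key_b = gw.provision("IMEI-B-0002", "patient.bob")
    env = seal(key_a, "IMEI-A-0001", "patient.alice", b"HbA1c 6.1% - within target range")
    ct = bytearray(env.ciphertext)
    ct[0] ^= 0x01   # one bit flipped in transit
    tampered = Envelope(env.device_id, env.user_id, env.nonce, bytes(ct), env.tag)
    reply = seal(key_a, "IMEI-A-0001", "patient.alice", b"ack: reviewed")
    return {
        "on_original_phone": open_envelope(key_a, env),   # readable on phone A
        "on_forwarded_phone": open_envelope(key_b, env),  # None: locked to phone A
        "tampered_routed": gw.route(tampered),            # False: integrity check fails
        "reply_routed": gw.route(reply),                  # True: authentic handset
        "audit_events": [e[0] for e in gw.audit],         # ["rejected", "delivered"]
    }
```

Because the tag covers the device and user identifiers as well as the ciphertext, a relabelled or forwarded copy fails at the gateway before any PHI is routed, which is the check the Integrity row of the table asks vendors for.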

The past several years have been a transition period, as covered entities and healthcare vendors waited for publication of final data protection rules and clarification on the balance of responsibility for compliance between healthcare organizations and their vendors. The final rules are scheduled for publication in March 2011, meaning the transition period of relatively low enforcement is coming to an end. Analysts expect to see significantly more federal and state activity in enforcing the security and privacy requirements in 2011 and beyond, including the imposition of severe penalties on health organizations that demonstrate a pattern of non-compliance.

According to Kirk Nahra, writing in the Privacy & Security Law Report:

"The HITECH law presaged a substantial development in the overall environment for the protection of health care records. To date, however, almost two years since passage of the law, little has changed, beyond the important developments related to security breaches. Covered entities and their business associates have been forced to rely on their own best guesses about these new rules, in reviewing their compliance obligations and negotiating business associate contracts. Business associates and downstream contractors now face an enormous amount of confusion and regulatory risk from these new rules."[v]

Discussing "What to Expect in Terms of Patient Privacy Enforcement in 2011," Doug Pollack predicts that higher levels of PHI security enforcement actions are inevitable in the coming year:

"The year of 2010 has been a key period of transition relative to the enforcement of healthcare patient privacy regulations in state and federal laws. It is well known that there has been little to no enforcement of privacy regulations under HIPAA, the Health Information Portability and Accountability Act, since it was passed in 1996. With the enactment of the Health Information Technology for Economic and Clinical Health (HITECH) Act, added 'teeth' now provide a basis for and encourage the enforcement of HIPAA privacy requirements. Whatever your view on the level of enforcement, there is no doubt that enforcement actions are on the rise, and that every hospital and other healthcare organization would be well served to revisit their level of adherence to privacy compliance requirements under HITECH and any related state laws."[vi]


THE MOBILE SECURITY VENDOR LANDSCAPE

With strong indications that 2011 will see more emphasis on enforcement of PHI security compliance, including mobile health applications that provide PHI data, it is critical for all covered entities to review the mobile security practices of their vendors and business partners to ensure the implementation of mobile security best practices.

Mobile health services and related responsibility for protecting PHI are often divided up among different vendors based on the type of mobile health solution that the vendor provides. A large number of new entrants and small mobile health companies are providing targeted wireless personal health monitoring devices and services that collect and transmit health data. An even larger number of smartphone application companies have developed specialized mHealth apps for patient monitoring, scheduling medical appointments, and medication reminders. At the other end of the vendor spectrum, well-established global technology service providers are adapting existing security products for the healthcare sector. Many of these vendors have limited experience protecting mobile health information across multiple mobile devices. Some issues include:

• Smartphone application developers are deploying mHealth apps that do not include secure messaging capabilities. Mobile device management services focus on provisioning and protecting the data on mobile devices and deleting all data from protected devices that are lost or stolen. But these vendors may not provide end-to-end encryption for text messages exchanged among all types of mobile phones.

• Vendors that specialize in secure text messaging services provide encryption, but they are not responsible for the security of the data that is accessed from a phone's mobile browser or stored on the device.

• A solution provider that follows best practices for securing PHI data within its own application or service can still place a patient's PHI data at risk when it is accessed from other applications or when the mobile device is used on an unsecured network, such as Bluetooth or WiFi.

• If a mobile device picks up a virus or a subscriber downloads a rogue application that unleashes malware on the phone, the malware may override standard mobile browser security and expose the subscriber's PHI. It may even turn the infected phone into a vector for attacking and infecting other users over unsecured networks.

• Lack of an end-to-end mobile security solution creates a gap in protection for mobile PHI that may put the covered entity at risk of security breaches.

In the current mobile healthcare landscape, decision makers need to ensure their vendors and business associates have adopted mobile security best practices and taken appropriate steps to provide a comprehensive PHI security solution. The following 10 questions about specific mobile security practices can assist healthcare organizations in assessing the level of HIPAA security compliance provided by their mobile health vendors.


10 QUESTIONS TO ASK MHEALTH SOLUTION PROVIDERS ABOUT MOBILE HEALTH DATA AND PHI SECURITY

1. Do you provide security for PHI data over and above the general security features of the phone's mobile browser and application platform?
    o If so, what forms of data security do you include in your solution?
        - Data encryption
        - Strong (two factor) authentication for the user and the server
        - Integrity and non-repudiation of PHI: assurance that PHI data has not been changed or opened by an unauthorized party

2. If you provide encryption for PHI data as part of your solution, is the encryption end-to-end from the secure server to a secure client on the mobile device? Is data encrypted while stored on the mobile device?

3. Does your solution support encrypted text messaging (SMS)?

4. Can your solution be extended to protect PHI data in multiple applications (including those from other vendors) and mobile browsers, or is it limited to use with the solutions that you offer?

5. Do you provide a method for your customers to remotely delete all covered PHI data from lost or stolen devices?

6. On what mobile devices does your solution currently operate? If there are some mobile devices that are not covered, how is PHI data on these devices supposed to be protected?

7. Is your company primarily focused on the healthcare sector and the protection of mobile health data and services?
    o If you provide general mobile security or other services for multiple industries, what percentage of your customers are in healthcare?

8. Can you provide reference accounts that have moved beyond pilot projects and fully implemented your solution?

9. What security standards are utilized in your solution?
    o Have you received any security certifications?

10. Does your solution provide all of the Technical Safeguards listed in the HIPAA Security Rule (both Required and Addressable)?
    o If not, what Safeguards are not provided?


OVERVIEW OF MOBISECURE: CONNECTED AND PROTECTED MOBILE HEALTH DATA

To address these regulatory issues, Diversinet, a leader in advanced mobile health security solutions, designed the MobiSecure Platform. Its patent-protected, full-featured mobile security architecture enables healthcare organizations to rapidly deploy HIPAA-compliant mobile applications. It provides all of the tools needed to manage customized and third-party mobile applications, secure messaging and health information services that involve encrypted mobile transmission and secure storage of PHI.

The security of the MobiSecure Platform is built around defense-in-depth design principles that provide controls at multiple levels of data storage, access and transfer. MobiSecure uses two-factor authentication technology for user and server authentication and state-of-the-art encryption techniques for data protection in transit and at rest.

The MobiSecure Platform offers convenient and secure management of critical data and PHI, whether the information is sent via mobile phone, tablet, computer, or directly over Internet and wireless networks. By combining application development tools, mobile device management, security and messaging, Diversinet's platform enables healthcare organizations to connect caregivers, personal health data and mobile patients with complete confidence that they are HIPAA and HITECH security compliant.

MOBISECURE PLATFORM COMPONENTS

MobiSecure Publisher

The Publisher module supports implementation of advanced secure data messaging, such as alerts, question/response, and questionnaires. It includes a fully automated two-factor authentication product based on OATH standards, which provides a mobile One-Time Password (OTP) for online access. It is designed to be easy to deploy and easy to use for high-volume Internet and wireless based strong authentication of user identity.

Other MobiSecure Publisher capabilities include:

• Content storage, publication, management and synchronization
    o Content sharing via fax, encrypted email and guest online access
    o Export and import of data files
    o Large file upload and remote mobile access and sharing
• Confirmation of delivery and display of information
• Dynamic over-the-air customization
• Active links/access to third-party mobile web apps
• Software update detection and download
• Multi-client app hosting and distribution
• Archiving of user data changes
• Administration web interface
• Web Service Interfaces for customer app integration
• Integration with Clickatell for SMS delivery
• Integration with Esker services for fax delivery


MobiSecure SMS

MobiSecure SMS enables secure and reliable two-way communication between customer Internet applications and mobile users. Messages are confirmed on delivery or on display by the recipient, providing timing around delivery events and more reliable communication than normal SMS messaging. All messages are encrypted in transit and in storage, ensuring confidentiality of the communication over non-secure SMS channels.

MobiSecure SMS capabilities include:

• End-to-end encryption using dynamic per-message keys
• Encrypted security and privacy data in each message
• Mobile-originated messages contain OTP and encrypted data
• Delivery and read confirmation for sent and received messages
• Support for messages up to 1,400 characters
• PIN protection, auto lock and auto data wipe
• Device/User blocking capabilities
• Client authenticity and message integrity verification prior to routing messages
• Software update detection and download
• Secure address book
• Provider and patient web portals

The MobiSecure Platform was created to prevent unauthorized access to confidential data, enabling covered entities and their patients, caregivers, and partners to securely connect and communicate critical healthcare information to mobile devices with the utmost protection of PHI data, as illustrated below.

Figure: MobiSecure Security Architecture
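The Publisher section describes an OATH-standard mobile One-Time Password as the second factor, and the MobiSecure SMS list says mobile-originated messages carry an OTP. The following is an added example (not Diversinet's code) of the OATH HOTP algorithm from RFC 4226 with the server-side check that consumes it; the device identifier is constructed, and the secret is the RFC 4226 test-vector key, so the codes it produces are the published ones.

```python
"""OATH HOTP (RFC 4226) mobile one-time password with server-side verification.
Added example, not Diversinet's MobiSecure code.

The handset derives a 6-digit code from a shared secret and a counter; the
server verifies it as the second factor before granting online access or acting
on a mobile-originated message. The server keeps a look-ahead window so codes
the handset generated but never submitted do not lock the user out, and it
never accepts a counter twice, so a captured code cannot be replayed.
Constructed secret: the RFC 4226 test-vector key (codes 755224, 287082, ...).
"""
import hashlib
import hmac
import struct

RFC4226_SECRET = b"12345678901234567890"   # published test-vector key, never a real secret

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation (RFC 4226 5.3)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class OtpServer:
    """Holds each handset's OATH secret and the next counter it expects."""
    def __init__(self, look_ahead: int = 5):
        self.look_ahead = look_ahead
        self.tokens = {}   # device_id -> [secret, next_expected_counter]

    def enrol(self, device_id: str, secret: bytes) -> None:
        self.tokens[device_id] = [secret, 0]

    def verify(self, device_id: str, code: str) -> bool:
        """Second-factor check. Scans counters expected..expected+look_ahead so codes
        generated on the handset but never sent are tolerated; on success the expected
        counter moves past the one used, so the same code is refused afterwards."""
        entry = self.tokens.get(device_id)
        if entry is None:
            return False
        secret, expected = entry
        for c in range(expected, expected + self.look_ahead + 1):
            if hmac.compare_digest(hotp(secret, c), code):
                entry[1] = c + 1
                return True
        return False

class Handset:
    """Client side: the OATH token. Each call consumes one counter value."""
    def __init__(self, secret: bytes):
        self.secret, self.counter = secret, 0

    def next_code(self) -> str:
        code = hotp(self.secret, self.counter)
        self.counter += 1
        return code

def demo() -> list:
    """Walks a login, a replay, a skipped code, and a code beyond the window."""
    server, phone = OtpServer(look_ahead=5), Handset(RFC4226_SECRET)
    server.enrol("IMEI-A-0001", RFC4226_SECRET)     # constructed device id
    first = phone.next_code()                        # counter 0 -> 755224
    results = [server.verify("IMEI-A-0001", first),  # True: fresh code
               server.verify("IMEI-A-0001", first)]  # False: replay of a used counter
    phone.next_code()                                # counter 1 generated, never submitted
    results.append(server.verify("IMEI-A-0001", phone.next_code()))           # counter 2: True
    results.append(server.verify("IMEI-A-0001", hotp(RFC4226_SECRET, 9)))    # outside window: False
    return results
```

A handset that has drifted further than the look-ahead window would need a resynchronisation step (two consecutive codes, as RFC 4226 suggests) rather than a wider window, since the window size bounds how many codes an attacker may try per authentication.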


IMPLEMENTING SECURE MOBILE HEALTH PROGRAMS: MOBISECURE CASE STUDIES

Healthcare organizations of all types and sizes can benefit from secure mobile interactions between caregivers and patients. As these brief case studies describe, MobiSecure users are accomplishing numerous goals, including:

• Enabling secure mobile communication of PHI and specialized healthcare advice between high-risk patient populations and caregivers
• Improving case management and treatment compliance
• Providing anywhere, anytime access to patients' consolidated PHR
• Scheduling visits and treatments with caregivers and sending mobile appointment reminders
• Reminding patients to take medications or follow programs to maintain their health
• Enabling patients to access health tips and actively manage chronic conditions

    US ARMYMCARE FOR WOUNDED WARRIORS

The U.S. Army Medical Department needed a scalable and secure mobile solution to support the rehabilitation of up to 10,000 returning soldiers who serve in Community Based Warrior in Transition Units (CBWTUs), a program that affords injured soldiers from active and reserve components the opportunity to receive medical care and perform military support missions during the recovery period. The Army began a one-year mCare pilot program with Diversinet to focus on soldiers who had suffered traumatic brain injuries (TBI) and were convalescing at home.

TBI presents unique challenges: case management is needed for geographically dispersed patients requiring varied interdisciplinary treatment. Symptoms of TBI, including headaches and depression, can hinder patients from completing their transition plan. Meanwhile, case managers, who are responsible for up to 50 patients at a time, are not always able to fulfill the goal of making weekly contact.

The pilot mCare program was customized to provide patient status questionnaires related to tracking TBI-specific symptoms, along with appointment reminders, recovery goals and wellness tips.

Using the mCare patient communications portal and administrator toolbox (at left), program participants activate the mCare application on their mobile. Once registered and authenticated, participants receive and reply to mCare messages and questions about the state of their health in real time, with all data and responses remaining secure.

Regular patient responses enable Army care teams to monitor and track each patient's progress in meeting recovery goals as reflected in data such as body weight, mood, energy, sleep patterns, physical pain, and overall sense of well-being.

The mCare program features a downloadable, HIPAA-compliant mobile application that enables daily two-way secure communication between patients and the Army's healthcare team (see illustration below). In addition to safeguarding the security of all patient health data, a key program requirement was availability of mCare across a very broad assortment of mobile phones. mCare participants currently are using more than 270 different mobile brands and models that are compatible with MobiSecure, demonstrating the depth and breadth of Diversinet's carrier and device coverage.

An evaluation of mCare results in June 2010 showed significant progress toward achieving the goals of the pilot project, including improving patient and provider satisfaction with case management services and improving overall patient compliance as measured by keeping appointments and responding to survey questions.

The system demonstrated a significant improvement in appointment attendance rates, a key metric of the efficacy of mobile appointment reminders. In terms of satisfaction, nearly 75% of users surveyed preferred to receive contact with mCare more than once a week, and 65% reported that mCare improved their communications with their unit.

Based on the success of the mCare pilot project, the U.S. Army contracted with Diversinet for a five-year continuation and expansion of the program, with a goal to improve healthcare communications and outcomes for thousands of Wounded Warriors.

MCARE AT A GLANCE


MIHEALTH AT THE BLUE SKY FAMILY HEALTH TEAM

Dr. Wendy Graham, a general practitioner at the Blue Sky Family Health Team in North Bay, Ontario, has a mission to motivate and empower patients to be more proactive in managing their health. Providing each patient with online and mobile access to their Personal Health Records (PHR) and diagnostic test results seemed like a great start, but only if all the patient information could be secured and fully compliant with personal health data protection requirements.

When Dr. Graham heard a Diversinet presentation on the MobiSecure Platform for mobile health security, she asked the company to collaborate on a customized solution that would help the Blue Sky Family Health Team to launch a secure PHR program designed to enable multiple forms of patient engagement and patient-care provider interactions. The result of this collaboration is the successful rollout of the Mihealth program and a HealthPass mobile application based on MobiSecure.

With HealthPass downloaded and authenticated on their mobile phones, patients at Blue Sky can retrieve vital health data from their phone, including information on chronic conditions, allergies, prescription medicines, and immunizations. Physicians in the Blue Sky practice review all data on the server and can lock down data to prevent any unauthorized changes, providing assurance that the record is up to date and accurate. A secure access feature allows participants to control who can access their data and to designate appropriate family members to share and view the information. This helps coordinate the care of family members and of aging parents.

A Mihealth patient portal also supports appointment scheduling, communication of test results, and medication reminders, as well as secure mobile communication between patients and care providers about specific health conditions and questions. Dr. Graham is enthusiastic about the immediate benefits of the program and about the long-term value of secure PHR and mobile health interactions for streamlining practice management, cost savings and improved health outcomes.

"We will see that these programs prevent unnecessary visits to the ER and motivate consumers to manage their health more effectively," she said. Her experience with the project reinforced her belief in widespread patient interest for accessing health data. "What I realized during the pilot was the high level of pent-up patient demand to become full partners in their care management. Even patients I didn't expect to be interested wanted to participate in the program so they could know their numbers and take better care of themselves."

Dr. Graham notes that patients, as well as physicians, want assurance that personal health information will be protected. "The security features that underpin this application mitigate the risk for both providers and patients," she said. "It can be time critical to notify patients of test results for blood work, pregnancy, and many other conditions. It's not good enough to leave a voicemail message, because we have no way of knowing if the message is delivered. And if clinicians send out unprotected e-mails or text messages to share test results with patients, they are taking on a big risk, and they still have no confirmation that the patient received the message. With this solution, you can ensure timely delivery of critical lab information to the authorized patient and see verification that the message was delivered and read by the patient. Implementing that level of real-time healthcare communication with all the required security and encryption is very satisfying."

