MOBILE HEALTH AND SECURITY

Ten Questions You Should Ask Before Implementing An mHealth Solution

By: Mary J. Cronin

MedHealthWorld

Feb 21, 2011

About the Author Mary J. Cronin, Ph.D. is a Professor of Information Systems at Boston College, Carroll School of Management. Her latest book, Smart Products, Smarter Services: Strategies for Embedded Control (Cambridge University Press, 2010), analyzes the impact of connected health solutions, mobile and wireless applications and medical devices on the healthcare industry. Dr. Cronin is an editor for MedHealthWorld, covering electronic medical records, healthcare IT and mHealth.

About Diversinet Diversinet Corp. (TSX Venture: DIV, OTCBB: DVNTF) provides a patented and proven secure application platform that enables healthcare organizations to rapidly deploy HIPAA-compliant mobile healthcare (mHealth) applications to anyone, anytime, anywhere, on mobile devices. Diversinets MobiSecure platform helps payers and providers meet growing needs for safe, convenient, on-the-go storage and sharing of personal health data. Connect with Diversinet Corp. at www.diversinet.com. Its tagline is Healthcare. Connected and Protected.

For More Information For more information about Diversinet, or for a discussion of mobile health solutions and strategies, you can send an email to sales@diversinet.com or visit the Diversinet website at www.diversinet.com.

Diversinet Corp., the Diversinet logos, MobiSecure and all other Diversinet product or service names are trademarks of Diversinet Corp. Diversinet products are covered by patents and other patents pending.

Table of Contents

EXECUTIVE SUMMARY ................................................................................................................... 4 INTRODUCTION ............................................................................................................................. 5 HIPAA SECURITY REQUIREMENTS: IMPLICATIONS FOR PROTECTING MOBILE PHI ............................ 6 THE MOBILE SECURITY VENDOR LANDSCAPE .................................................................................. 9 10 QUESTIONS TO ASK MHEALTH SOLUTION PROVIDERS ABOUT MOBILE HEALTH DATA AND PHI SECURITY........... 10 OVERVIEW OF MOBISECURE: CONNECTED AND PROTECTED MOBILE HEALTH DATA .......................11 MOBISECURE PLATFORM COMPONENTS............................................................................................... 11 IMPLEMENTING SECURE MOBILE HEALTH PROGRAMS: MOBISECURE CASE STUDIES.......................13 US ARMY MCARE FOR WOUNDED WARRIORS....................................................................................... 13 MIHEALTH AT THE BLUE SKY FAMILY HEALTH TEAM ............................................................................. 15 REFERENCES .................................................................................................................................16

E XECUTIVE S UMMARY
This Mobile Health and Security white paper analyzes HIPAA security requirements and mobile health security best practices to assist healthcare organizations in evaluating and implementing secure and fully compliant mobile health solutions. The section on HIPAA Security Requirements: Implications for Protecting Mobile PHI reviews the HIPAA Security Rule Technical Safeguards for Protected Health Information (PHI) and discusses the mobile security best practices that directly relate to each Technical Safeguard. With so many mobile health and mobile security solutions competing for attention in todays marketplace, its challenging to compare various implementation options and vendor security architectures. As a tool for evaluating vendor proposals for secure and compliant mobile health solutions, the Mobile Security Vendor Landscape section recommends 10 Questions To Ask MHealth Solution Providers About Mobile Health Data and PHI Security. The features of Diversinets MobiSecure Platform are presented as an example of a secure, scalable and fully compliant option for mobile health implementation in the Overview of MobiSecure: Connected and Protected Mobile Health Data section. This section explains the capabilities and applications of MobiSecure Publisher and MobiSecure SMS and illustrates MobiSecures security architecture for end-to-end protection of PHI across hundreds of mobile device platforms. While mobile health security is an essential foundation for mHealth implementation, the most important impact is improving patient health outcomes and caregiver effectiveness. The benefits of secure mobile health programs for caregivers and for patients are illustrated through MobiSecure case studies of the U.S. Armys mCare project and the Blue Sky Family Health Team in North Bay, Canada in the final section Implementing Secure Mobile Health Programs. Mobile health solutions have enormous potential to improve the quality of care for individual patients as well as overall healthcare system effectiveness. Mobile devices offer caregivers and healthcare consumers an always-on, two-way communication channel that can provide instant access to vital patient data, diagnostic test results, and care management for chronic diseases. MHealth applications can streamline routine processes such as appointment scheduling, medication reminders and prescription refills. However, even though the majority of U.S. consumers rely on their mobile phones as their primary means of communication and express a strong interest in using mHealth applications, many care providers and healthcare organizations do not yet offer their patients mobile access to personal health data. Concerns about mobile security and the implications of HIPAA security requirements for Protected Health Information (PHI) on mobile devices need to be addressed before mHealth applications can fulfill their promise.

I NTRODUCTION
Will 2011 mark a turning point in the adoption of mobile health applications and information services by health care organizations? Many indicators suggest so, including: Thousands of mobile health apps and wireless health monitoring devices are already available for health-conscious consumers. Smartphones and wireless devices with features that improve efficiency at the point of care are increasingly common among physicians and caregivers. Manhattan Research, in its annual "Taking the Pulse" study of physicians and health care technology, reported in April 2010 that 72% of doctors use smartphones personally and professionally, with that number expected to jump to 81% in 2012.i Implementation of electronic health records (EHR) and medical practice management tools is accelerating, spurred by the Health Information Technology for Economic and Clinical Health (HITECH) Act. This is providing a foundation for direct electronic communication with patients about everything from diagnostic test results to immunization records and medical appointments. New models of medical reimbursement that reward improved patient health outcomes are creating pressure to leverage the efficiency and immediacy of mobile interactions with patients.

On the consumer front, mobile phones have already become the primary means of communication. More than 292 million Americans or 90% of the U.S. population have a mobile phone.ii And whether the mobile subscriber is a teenager, a parent, or a senior citizen, the phone they already carry with them can become a vital source of medical information, healthcare support and interactions with caregivers and insurers. Despite these drivers, mHealth solutions are not yet available to the majority of patients who could benefit from them. Many healthcare providers and insurers still are on the sidelines when it comes to transmitting sensitive health information to patients mobile phones for a number of reasons: Concerns about the security of mobile devices The challenge of complying with the Health Insurance Portability and Accountability Act (HIPAA) privacy and security requirements for protected health information (PHI) in a mobile context. The proliferation of mobile devices, mHealth apps, and vendors offering different strategies for securing mobile health data.

To assist healthcare organizations in evaluating and implementing secure and compliant mobile health solutions, this White Paper analyzes how HIPAAs Technical Safeguards for securing protected health data apply in a mobile health setting. It recommends 10 Questions About Mobile Health Data and PHI Security that healthcare organizations should ask their solution providers and mobile health vendors.

Additionally, the features of Diversinets MobiSecure Platform are presented as an example of a secure, scalable and fully compliant option for mobile health implementation. The benefits of secure mobile health programs for caregivers and for patients are illustrated through MobiSecure case studies of the U.S. Armys mCare project and the Blue Sky Family Health Team in North Bay, Canada.

HIPAA SECURITY R EQUIREMENTS : I MPLICATIONS FOR PROTECTING M OBILE PHI

This section presents the relevant technical provisions of the HIPAA Security Rule regarding the responsibilities of hospitals, healthcare providers, insurers and payer organizations (collectively referred to as covered entities), as well as the companies with which they work to deliver services (referred to as business associates). It also discusses the risks covered entities incur by not addressing these rules and the penalties that may be imposed for PHI privacy and security breaches. How do the current HIPAA privacy and security requirements for safeguarding patient health data and PHI relate to the implementation of mobile health services? Mobile devices share some security vulnerabilities with electronic health records (EHR) communication via PCs, but the safeguards routinely applied to computing are not enough to ensure mobile phone PHI protection. Mobiles have additional, less well-known vulnerabilities that must be taken into consideration when implementing mobile security best practices. The HIPAA Security Rule, available on the Health and Human Services web site at http://www.hhs.gov, covers the security of PHI in electronic form and establishes national standards to protect individuals electronic PHI. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information. iii This includes ensuring that business associates entrusted with PHI will establish policies and procedures to appropriately safeguard the PHI they receive, create, maintain, or transmit. For the past several years, healthcare organizations have focused on securing PHI on servers, Internetbased systems, and computers. Since mobile health still is in an early stage of adoption, the unique challenges of mobile PHI security have not received as much attention, but this is changing for a number of reasons: More caregivers and consumers routinely access confidential health data on mobile devices, making it critical to implement mobile-specific security solutions. Smartphones are overtaking laptops and PCs in popularity and numbers shipped. Attacks on mobile devices are forecast to increase dramatically over the next few years. Mobile subscribers often are unaware of the potential for these attacks and are less likely to take basic security precautions when accessing mobile data. Treating smartphones and mobile devices simply as another type of PC is not sufficient, as described by the National Institute of Standards and Testing (NIST), which states, The security issues for cell phones and PDAs range beyond those of other computer equipment. Moreover, many common safeguards available for desktop and networked computers are generally not as readily available across a broad spectrum of handheld device types.iv
6

In evaluating the security risks of accessing and storing PHI on a mobile device, healthcare providers and payers should assume that the security built into todays mobile devices is not sufficient, regardless of operating systems, messaging capabilities or applications. As with protecting desktop data and the security of Internet transmissions, covered entities have to take additional steps to ensure that they and their business partners are meeting federal and state security requirements for mobile data security. The following table summarizes the most relevant HIPAA Security Rule provisions in relation to known mobile device and wireless security issues and lists mobile security best practices to overcome the risks for security breaches and exposure of PHI in mobile health communications and applications.
THE HIPPA SECURITY RULE: HIPAA TECHNICAL SAFEGUARDS MOBILE SECURITY BEST PRACTICES

Access Controls Unique User Identification (Required) Emergency Access Procedure (Required) Automatic Logoff (Addressable) Encryption (Addressable)

Provide method for the unique identification of both mobile device and individual device owner Enable generation and distribution of unique encryption keys to ensure that only authorized handsets are provisioned Provide automatic timeout, logoff and device lock Encryption of PHI data stored on the mobile device Generate confirmations of PHI message delivery and message read Client Authenticity and message integrity verification prior to routing PHI data Authentication of individual mobile user and identify the specific mobile device before allowing access to the secured PHI data on their device. PHI cannot be read by non - authorized users even if the phone owner forwards a message or resends it by mistake to another recipient, that recipient will not be able to read it because it remains encrypted and locked to that original phone Two way encryption for all PHI data transmitted to and from the mobile device

Audit Controls Record Internal Uses of PHI by User (Required) Integrity Mechanism to Authenticate Electronic PHI (Addressable) Person or Entity Authentication Person or Entity Seeking Access Is the One Claimed (Required)

Transmission Security Integrity Controls (Addressable) Encryption (Addressable)

Since the publication of the 2003 HIPAA Security Rule, the passage of both the American Recovery and Reinvestment Act (ARRA) and the HITECH law have added to the complexity of defining final rules for the implementation of electronic medical records, as well as for the enforcement of PHI privacy and security regulations. For instance:

The Security Rule requires a risk-based security assessment and the implementation of appropriate policies and procedures by covered entities, as well as by their business associates. ARRA extends the applicability of the HIPAA Security Rule directly to business associates and brings the Federal Trade Commission into the health regulatory landscape to regulate the privacy and security of Personal Health Record (PHR) systems. Designating security areas as addressable in the HIPAA Security Rule does not mean the practices are optional or that covered entities are not required to implement the security safeguards listed. For example, the HIPAA Final Security Rule of February 2003 states, Covered entities are encouraged to consider use of encryption technology for transmitting electronic protected health information, particularly over the Internet." The Centers for Medicare and Medicaid Services, which is responsible for enforcing the HIPAA Security Rule, recommends two-factor authentication as the authentication technical standard for remote access to PHI.

The past several years have been a transition period, as covered entities and healthcare vendors waited for publication of final data protection rules and clarification on the balance of responsibility for compliance between healthcare organizations and their vendors. The final rules are scheduled for publication in March 2011, meaning the transition period of relatively low enforcement is coming to an end. Analysts expect to see significantly more federal and state activity in enforcing the security and privacy requirements in 2011 and beyond, including the imposition of severe penalties on health organizations that demonstrate a pattern of non-compliance. According to Kirk Nahra, writing in the Privacy & Security Law Report,
The HITECH law presaged a substantial development in the overall environment for the protection of health care records. To date, however, almost two years since passage of the law, little has changed, beyond the important developments related to security breaches. Covered entities and their business associates have been forced to rely on their own best guesses about these new rules, in reviewing their compliance obligations and negotiating business associate contracts. Business associates and downstream contractors now face an enormous amount of confusion v and regulatory risk from these new rules.

Discussing What to Expect in Terms of Patient Privacy Enforcement in 2011, Doug Pollack predicts higher levels of PHI security enforcement actions are inevitable in the coming year.
The year of 2010 has been a key period of transition relative to the enforcement of healthcare patient privacy regulations in state and federal laws. It is well known that there has been little to no enforcement of privacy regulations under HIPAA, the Health Information Portability and Accountability Act, since it was passed in 1996. With the enactment of the Health Information Technology for Economic and Clinical Health (HITECH) Act, added "teeth" now provide a basis for and encourage the enforcement of HIPAA privacy requirements.Whatever your view on the level of enforcement, there is no doubt that enforcement actions are on the rise, and that every hospital and other healthcare organization would be well served to revisit their level adherence to privacy compliance requirements under HITECH and any vi related state laws. 8

T HE M OBILE S ECURITY V ENDOR L ANDSCAPE

With strong indications that 2011 will see more emphasis on enforcement of PHI security compliance, including mobile health applications that provide PHI data, it is critical for all covered entities to review the mobile security practices of their vendors and business partners to ensure the implementation of mobile security best practices. Mobile health services and related responsibility for protecting PHI are often divided up among different vendors based on the type of mobile health solution that the vendor provides. A large number of new entrants and small mobile health companies are providing targeted wireless personal health monitoring devices and services that collect and transmit health data. An even larger number of smartphone application companies have developed specialized mHealth apps for patient monitoring, scheduling medical appointments, and medication reminders. At the other end of the vendor spectrum, well-established global technology service providers are adapting existing security products for the healthcare sector. Many of these vendors have limited experience protecting mobile health information across multiple mobile devices. Some issues include: Smartphone application developers are deploying mHealth apps that do not include secure messaging capabilities. Mobile device management services focus on provisioning and protecting the data on mobile devices and deleting all data from protected devices that are lost or stolen. But these vendors may not provide end-toend encryption for text messages exchanged among all types of mobile phones. Vendors that specialize in secure text messaging services provide encryption, but they are not responsible for the security of the data that is accessed from a phones mobile browser or stored on the device. A solution provider that follows best practices for securing PHI data within its own application or service can still place a patients PHI data at risk when it is accessed from other applications or when the mobile device is used on an unsecured network, such as Bluetooth or WiFi. If a mobile device picks up a virus or a subscriber downloads a rogue application that unleashes malware on the phone, the malware may override standard mobile browser security and expose the subscribers PHI. It may even turn the infected phone into a vector for attacking and infecting other users over unsecured networks. Lack of an end-to-end mobile security solution creates a gap in protection for mobile PHI that may put the covered entity at risk of security breaches.

In the current mobile healthcare landscape, decision makers need to ensure their vendors and business associates have adopted mobile security best practices and taken appropriate steps to provide a comprehensive PHI security solution. The following 10 questions about specific mobile security practices can assist healthcare organizations in assessing the level of HIPAA security compliance provided by their mobile health vendors.

10 Q UE S TI O N S T O A S K M H E AL TH S O L U TI O N P R O V I D E RS A B O U T M O BI L E H E AL T H D A T A AN D PHI S E C U R I TY
1. Do you provide security for PHI data over and above the general security features of the phones mobile browser and application platform? o If so, what forms of data security do you include in your solution? Data encryption Strong (two factor) authentication for the user and the server Integrity and Non-Repudiation of PHI Assurance that PHI data has not been changed or opened by an unauthorized party 2. If you provide encryption for PHI data as part of your solution, is the encryption end-to-end from the secure server to a secure client on the mobile device? Is data encrypted while stored on the mobile device? 3. Does your solution support encrypted text messaging (SMS)? 4. Can your solution be extended to protect PHI data in multiple applications (including those from other vendors) and mobile browsers, or is it limited to use with the solutions that you offer? 5. Do you provide a method for your customers to remotely delete all covered PHI data from lost or stolen devices? 6. On what mobile devices does your solution currently operate? If there are some mobile devices that are not covered, how is PHI data on these devices supposed to be protected? 7. Is your company primarily focused on the healthcare sector and the protection of mobile health data and services? o If you provide a general mobile security or other services for multiple industries, what percentage of your customers are in healthcare? 8. Can you provide reference accounts that have moved beyond pilot projects and fully implemented your solution? 9. What security standards are utilized in your solution? o Have you received any security certifications? 10. Does your solution provide all of the Technical Safeguards listed in the HIPAA Security Rule (both Required and Addressable)? o If not, what Safeguards are not provided?

10

O VERVIEW OF M OBI S ECURE : CONNECTED AND PROTECTED MOBILE

HEALTH DATA
To address these regulatory issues, Diversinet, a leader in advanced mobile health security solutions, designed the MobiSecure Platform. Its patent-protected, full-featured mobile security architecture enables healthcare organizations to rapidly deploy HIPAA-compliant mobile applications. It provides all of the tools needed to manage customized and third-party mobile applications, secure messaging and health information services that involve encrypted mobile transmission and secure storage of PHI. The security of MobiSecure Platform is formed around in-depth security design principles that provide controls at multiple levels of data storage, access and transfer. MobiSecure uses two-factor authentication technology for user and server authentication and state-of-the-art encryption techniques for data protection in transit and at rest. The MobiSecure Platform offers convenient and secure management of critical data and PHI, whether the information is sent via mobile phone, tablet, computer, or directly over Internet and wireless networks. By combining application development tools, mobile device management, security and messaging, Diversinets platform enables healthcare organizations to connect caregivers, personal health data and mobile patients with complete confidence that they are HIPAA and HITECH security compliant.

MOBISECURE PLATFORM COMPONENTS

MobiSecure Publisher The Publisher module supports implementation of advanced secure data messaging, such as alerts, question/response, and questionnaires. It includes a fully automated two-factor authentication product based on OATH standards, which provides a mobile One-Time Password (OTP) for online access. It is designed to be easy to deploy and easy to use for high volume internet and wireless based strong authentication of user identity. Other MobiSecure Publisher capabilities include: Content storage, publication, management and synchronization o Content sharing via fax, encrypted email and guest online access o Export and import of data files o Large files upload and remote mobile access and sharing Confirmation of delivery and display of information Dynamic over-the-air customization Active links/access to third-party mobile web apps Software update detection and download Multi-client app hosting and distribution Archiving user data changes Administration web interface Web Service Interfaces for customer app integration Integration with Clickatell for SMS delivery Integration with Esker services for fax delivery
11

MobiSecure SMS Enables secure and reliable two-way communication between customer Internet applications and mobile users. Messages confirmed on delivery or on display by the recipient, providing timing around delivery events and a more reliable communication than normal SMS messaging. All messages are encrypted in transit and in storage, ensuring confidentiality of the communication over non-secure SMS channels. MobiSecure SMS capabilities include: End-to-end encryption using dynamic per-message keys Encrypted security and privacy data in each message Mobile-originated messages contain OTP and encrypted data Delivery and read confirmation for sent and received messages Support for messages up to 1,400 characters PIN protection, auto lock and auto data wipe Device/User blocking capabilities Client authenticity and message integrity verification prior to routing messages Software update detection and download Secure address book Provider and patient web portals

The MobiSecure Platform was created to prevent unauthorized access to confidential data, enabling covered entities and their patients, caregivers, and partners to securely connect and communicate critical healthcare information to mobile devices with the utmost protection of PHI data, as illustrated.

MobiSecure Security Architecture

12

IMPLEMENTING CASE STUDIES

S ECURE M OBILE H EALTH PROGRAMS : MOBISECURE

Healthcare organizations of all types and sizes can benefit from secure mobile interactions between caregivers and patients. As these brief case studies describe, MobiSecure users are accomplishing numerous goals, including: Enabling secure mobile communication of PHI and specialized healthcare advice between high-risk patient populations and care givers Improving case management and treatment compliance Providing anywhere, anytime access to patients consolidated PHR Scheduling visits and treatments with caregivers and sending mobile appointment reminders Reminding patients to take medications or follow programs to maintain their health Enabling patients to access health tips and actively manage chronic conditions

US ARMY MCARE FOR WOUNDED WARRIORS

The U.S. Army Medical Department needed a scalable and secure mobile solution to support the rehabilitation of up to 10,000 returning soldiers who serve in Community Based Warrior in Transition Units (CBWTUS), a program that affords injured soldiers from active and reserve components the opportunity to receive medical care and perform military support missions during the recovery period. The Army began a one-year mCare pilot program with Diversinet to focus on soldiers who had suffered traumatic brain injuries (TBI) and were convalescing at home. TBI presents unique challenges because case management was needed for geographically dispersed patients requiring varied interdisciplinary treatment. Symptoms of TBI, including headaches and depression, can hinder patients from completing their transition plan. Meanwhile, case managers, who are responsible for up to 50 patients at a time, are not always able to fulfill the goal of making weekly contact. The pilot mCare program was customized to provide patient status questionnaires related to tracking TBI-specific symptoms, along with appointment reminders, recovery goals and wellness tips. Using the mCare patient communications portal and administrator toolbox (at left), program participants activate the mCare application on their mobile. Once registered and authenticated, participants receive and reply to mCare messages and questions about the state of their health in real time, with all data and responses remaining secure. Regular patient responses enable Army care teams to monitor and track each patients progress in meeting recovery goals as reflected in data such as body weight, mood,
13

energy, sleep patterns, physical pain, and overall sense of well-being. The mCare program features a downloadable, HIPAA-compliant mobile application that enables daily two-way secure communication between patients and the Armys healthcare team (see illustration below). In addition to safeguarding the security of all patient health data, a key program requirement was availability of mCare across the very broad assortment of mobile phones. mCare participants currently are using more than 270 different mobile brands and models that are compatible with MobiSecure, demonstrating the depth and breadth of Diversinets carrier and device coverage. An evaluation of mCare results in June 2010 showed significant progress toward achieving the goals of the pilot project, including improving patient and provider satisfaction with case management services and improving overall patient compliance as measured by keeping appointments and responding to survey questions. The system demonstrated a significant improvement in appointment attendance rates, a key metric of the efficacy of mobile appointment reminders. In terms of satisfaction, nearly 75% of users surveyed preferred to receive contact with mCare more than once a week, and 65% reported that mCare improved their communications with their unit. Based on the success of the mCare pilot project, the U.S. Army contracted with Diversinet for a fiveyear continuation and expansion of the program, with a goal to improve healthcare communications and outcomes for thousands of Wounded Warriors.
M C A RE A T A

G L AN CE

14

MIHEALTH AT THE BLUE SKY FAMILY HEALTH TEAM

Dr. Wendy Graham, a general practitioner at the Blue Sky Family Health Team in North Bay, Ontario, has a mission to motivate and empower patients to be more proactive in managing their health. Providing each patient with online and mobile access to their Personal Health Records (PHR) and diagnostic test results seemed like a great start, but only if all the patient information could be secured and fully compliant with personal health data protection requirements. When Dr. Graham heard a Diversinet presentation on the MobiSecure Platform for mobile health security, she asked the company to collaborate on a customized solution that would help the Blue Sky Family Health Team to launch a secure PHR program designed to enable multiple forms of patient engagement and patient-care provider interactions. The result of this collaboration is the successful rollout of the Mihealth program and a HealthPass mobile application based on MobiSecure. With HealthPass downloaded and authenticated on their mobile phones, patients at Blue Sky can retrieve vital health data from their phone, including information on chronic conditions, allergies, prescription medicines, and immunizations. Physicians in the Blue Sky practice review all data on the server and can lock down data to prevent any unauthorized changes, providing assurance that the record is up to date and accurate. A secure access feature allows participants to control who can access their data and to designate appropriate family members to share and view the information. This helps coordinate the care of family members and of aging parents. A Mihealth patient portal also supports appointment scheduling, communication of test results, and medication reminders, as well as secure mobile communication between patients and care providers about specific health conditions and questions. Dr. Graham is enthusiastic about the immediate benefits of the program and about the long-term value of secure PHR and mobile health interactions for streamlining practice management, cost savings and improved health outcomes. We will see that these programs prevent unnecessary visits to the ER and motivate consumers to manage their health more effectively, she said. Her experience with the project reinforced her belief in widespread patient interest for accessing health data. What I realized during the pilot was the high level of pent-up patient demand to become full partners in their care management. Even patients I didnt expect to be interested wanted to participate in the program so they could know their numbers and take better care of themselves. Dr. Graham notes that patients, as well as physicians, want assurance that personal health information will be protected. The security features that underpin this application mitigate the risk for both providers and patients, she said. It can be time critical to notify patients of test results for blood work, pregnancy, and many other conditions. Its not good enough to leave a voicemail message, because we have no way of knowing if the message is delivered. And if clinicians send out unprotected e-mails or text messages to share test results with patients, they are taking on a big risk, and they still have no confirmation that the patient received the message. With this solution, you can ensure timely delivery of critical lab information to the authorized patient and see verification that the message was delivered and read by the patient. Implementing that level of real-time healthcare communication with all the required security and encryption is very satisfying.

15

REFERENCES
i

Manhattan Research, " Taking the Pulse U.S. -- Physicians and Emerging Information Technologies, 2010

CITA Semi-Annual Wireless Industry Survey, June 2010 online at: http://www.ctia.org/media/industry_info/index.cfm/AID/10316
iii

ii

http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/

iv

Guidelines on Cell Phone and PDA Security, SP 800-124, October 2008, NIST, by Wayne Jansen, Karen Scarfone, p. 30

Kirk Nahra, The Top 10 Privacy and Security Developments to Watch in 2011 Privacy & Security Law Report, 10 PVLR 30, 01/03/2011. The Bureau of National Affairs, Inc.

vi

Doug Pollack, What to Expect in Terms of Patient Privacy Enforcement in 2011, IDexperts Blog, January 10, 2011

16