APIs, Encryption Essential for Secure Access to Mobile Health Data: Report

Integrating the Healthcare Enterprise, a standards-development organization, is calling for an API, encryption, and use of imaging and interoperability protocols to enable secure access to health data on mobile devices.

An application programming interface (API) and encryption are essential for ensuring secure access to health documents on mobile devices, according to guidelines published by Integrating the Healthcare Enterprise (IHE).

Supported by the Health Information Management and Systems Society (HIMSS) and Radiological Society of North America (RSNA), IHE promotes universal accessibility for electronic health records (EHRs) and tests health care IT products.

It has unveiled a set of guidelines for health providers, vendors and health information exchanges (HIEs) on how to make health documents on mobile devices interoperable. Through July 5, IHE will accept public comments on the document.

IHE pushes for better implementation of IT systems in health care. As a standards-development organization, it also advocates the use of standards such as Digital Imaging and Communications in Medicine (DICOM) and Health Level Seven International (HL7), a protocol on the interoperability of documents.

Published June 5 and announced June 18, the "Mobile Access to Health Documents" (MHD) guide is geared toward management of home health monitoring devices, patient kiosks in hospitals and personal health records that consumers use, according to IHE.

Vendors that make electronic measurement devices that draw patient medical histories from an EHR or HIE should also follow the guidelines, the organization reported.

The MHD document calls for an API that enables authorized access to health data, according to IHE. This data exchange would also depend on queries of health document metadata that conform to the Representational State Transfer (REST) Web design model.

IHE's report discusses the role of Cross-Enterprise Document Sharing (XDS) in document exchange.

"It is intended to be closely tied, and complementary to, the IHE Cross-Enterprise Document Sharing [or XDS] profile, which is the foundational standard for information exchange for almost all HIEs in operation," Jim St. Clair, senior director for interoperability and standards at HIMSS, told eWEEK in an email.

"The XDS profile is specifically designed to support the needs of Cross-Enterprise security, privacy [and] interoperability," the report stated. "[It] includes characteristics to support this level of policy and operational needs."

IHE's mobile health guidelines simplify data exchange for single policy domain use, according to the document.

IHE's report also addresses how to make the information exchange seamless. For this to happen, the data transaction must be simple enough to conform to the constraints of the mobile device, said St. Clair. The data must also support encryption as well as device and user authentication, he said.

Ordinary use of HTTP and REST is usually suited to data less sensitive than health data, according to the IHE. To deal with these security concerns, the IHE recommends a risk assessment as part of the design of health apps on mobile devices.

To secure the interoperable sharing of health data on mobile devices, the IHE recommends the use of Transport Layer Security (TLS) to encrypt data over the Internet.

Technical limitations hamper information exchange on mobile devices, according to the IHE document.

"While mobile devices are growing increasingly sophisticated, they still have certain technical constraints in their ability to exchange information securely, yet as 'richly' as with larger systems," said St. Clair. "This profile helps implementers address those constraints and maintain security and simplify the interactions."