Third-year medical students’ knowledge of privacy and security issues concerning mobile devices

Abstract

Background: The use of mobile devices are ubiquitous in medical-care professional settings, but information on privacy and security concerns of mobile devices for medical students is scarce.

Aims: To gain baseline information about third-year medical students’ mobile device use and knowledge of privacy and security issues concerning mobile devices.

Methods: We surveyed 67 third-year medical students at a Midwestern university on their use of mobile devices and knowledge of how to protect information available through mobile devices. Students were also presented with clinical scenarios to rate their level of concern in regards to privacy and security of information.

Results: The most used features of mobile devices were: voice-to-voice (100%), text messaging (SMS) (94%), Internet (76.9%), and email (69.3%). For locking of one's personal mobile phone, 54.1% never physically lock their phone, and 58% never electronically lock their personal PDA. Scenarios considering definitely privacy concerns include emailing patient information intact (66.7%), and posting de-identified information on YouTube (45.2%) or Facebook (42.2%).

Conclusions: As the ease of sharing data increases with the use of mobile devices, students need more education and training on possible privacy and security risks posed with mobile devices.

Introduction

The use of personal digital assistants (PDAs) and other mobile devices is seemingly ubiquitous in the medical-care professional setting, as well as for medical education (Ward et al. 2001). As the trend continues toward more mobile computing, medical students will expect services and resources available for their mobile devices, both for personal and professional use. However, this ease of information sharing and access to information raises issues of appropriate uses of technology, especially concerning privacy and security of information. This article focuses on data collected to provide underlying information for the undergraduate medical students at the Indiana University School of Medicine (IUSM), their use of mobile devices in regards to their education and clinical experiences, and possible privacy and security scenarios of which students be cognizant in the medical field.

Background

According to a 2010 May report (Smith 2010b), 40% of Americans use a cell phone for accessing the Internet. In October 2010, another study showed that 85% of all American adults, 96% of those were aged 18–29 years, and 90% of those aged 30–49 years own a cell phone (Smith 2010a). Work has previously been done looking at the trends of handheld computing and mobile device use in graduate medical education (Barrett et al. 2004; Sutton et al. 2004; Mattana et al. 2005; Khan et al. 2007; Morris et al. 2007), with undergraduate medical students (Grasso et al. 2005; Kho et al. 2006; Kennedy et al. 2008; Norman et al. 2008; Chatterley & Chojecki 2010; Ferenchick et al. 2010; Lasserre et al. 2010), and the health care setting (Garritty & El Emam 2006; Ranson et al. 2007; Trelease 2008; Evans & Stacey 2009). Looking specifically at medical students, Grasso et al. (2005) surveyed preclinical and clinical medical students and found that the clinical students used drug references and medical calculators on their handheld device. Kho et al. (2006) found that 60–70% of medical students and residents use PDAs for education or clinical care. At IUSM we were interested in how our third-year medical students were using their PDAs and handheld devices. This is especially of interest to us because since 2004, the medical students are required to purchase and use a PDA to access the Clinical Encounters Real Time Tracking System (CERTTS) when they begin their clinical rotations in the third year. CERTTS was the first program of its kind in the country and integrates with the ANGEL learning management system (Bangert & Hatfield 2008). Additionally, at the time of this study, CERTTS currently runs on the Palm operating system (OS) or the Windows OS, but not on the operating systems for iPhone or Blackberry; for this reason, many students have both a PDA for the CERTTS program and an additional mobile device, their cell phone.

Table

Practice points

Use of mobile devices is ubiquitous among medical students. Medical students are using their mobile devices to access the Internet and their emails. The majority of medical students do not lock, either electronically or physically, their mobile devices when not in use. Education on possible security and privacy issues concerning mobile devices in healthcare settings should be addressed.

Aside from general mobile device use, we were also interested in privacy and security issues concerning mobile devices from the perspective of our medical students. Most of the research that has been done on social media use in medicine relates to professionalism (Gorrindo et al. 2008; Chretien et al. 2009; Strausburg 2011; Williams et al. 2011) and the benefit of using social media (Ben-Yakov & Snider 2011; Tilt et al. 2011; Wells 2011), but very little specifically addresses these topics in terms of privacy and security of mobile devices (Schuerenberg 2003; Pharow & Blobel 2008). While 128 out of all 132 accredited US medical schools have student guidelines available online, only 13 out of those 128 have guidelines/policies explicitly mentioning social media (Kind et al. 2010). At the time this survey was conducted (February 2010), IUSM did not have a social media policy; however, since summer 2010, the policy is available and posted online (Communications 2010). Additionally, the policy also provides links to social media policies of local teaching hospitals in which students have their clinical rotations. The purpose of this study was twofold: (1) to gain baseline information about the habits and experiences with mobile devices of our students and (2) to obtain baseline information on students’ knowledge of privacy and security issues concerning mobile devices.

Methods

After obtaining Institutional Review Board (IRB) approval, we surveyed pre-clinical medical students in February 2010 using our Mobile Device Questionnaire (MDQ), at the beginning of their clinical clerkship rotations in their third year. If students had more than one device, they could self-select to which device the questionnaire pertained. The first section of the MDQ covered basic demographics, followed by general mobile device information, such as which features of their mobile devices they use and length of time for that use. This was based on the previous work of LaRue et al. (2010). The third section addresses encryption, general security, and types of clinical information used on a mobile device. Section four presents clinical scenarios and use of mobile devices and allows respondents to rate their level of concern in regards to privacy and security of information in each scenario. The final section addresses information persistence (how long the information stays around) in mobile devices, presents a plethora of types of mobile applications possibly available on mobile devices, and the opportunity for those surveyed to provide specific applications available for their mobile devices. This article focuses on the information from section three (encryption and security) and section four (clinical scenarios regarding privacy and security).

Our research team met with the students at the beginning of their day to inform them of the opportunity to take the MDQ after lunch but before their afternoon session. This was a purely voluntary survey. We also posted a participant letter and link to the MDQ on our medical library news blog: http://granite.medlib.iupui.edu/rlmlnews/?p=529. The MDQ consisted of 40 questions that took 10–15 min to complete. We used the online survey tool SurveyMonkey to collect the data, then imported and analyzed the MDQ results using SPSS (now PASW) versions 17 and 18.

Results

Our response rate for those who came to the Intersession activities was 67 out of the 90 students, for a 74% response rate. Those invited face-to-face to take the survey were half of the student cohort on our main campus. There were no additional responses from the blog advertisement. Gender was split, with 55.2% (n = 37) of the respondents male and 44.8% (n = 30) of the respondents female. The age range is from 24 to 32 years, with a mean age of 25.76 years. The majority of respondents are white (80.6%), with 10.4% Asian, 4.5% Hispanic, and 3.0% black.

Mobile device features used

With 98.5% (n = 66) of medical students having a cell phone, the most used features were voice-to-voice (100%), text messaging (SMS) (94%), calendar (77%), Internet (76.9%), camera (70.3%), and email (69.3%). The majority (80%) of the features on a phone were used for 1–10 min/day, with voice-to-voice, internet, email, and text being used 11–30 min a day (see Table 1).

Table 1.  Mobile device features used during a normal weekday, in percents (n = 67)

	Minimal 1–10 min	Rarely 11–30 min	Sometimes 31–60 min	Often 1–2 h	Very often more than 3 h	Do not use	Feature not available
Talking (voice to voice)	16.7	42.4	24.2	12.1	4.5	0	0
Internet (http://www…)	21.5	35.4	9.2	10.8	0	15.4	7.7
Chatting (IM)	(30.8)	3.1	0	1.5	0	49.2	15.4
Email	20.0	29.2	12.3	7.7	0	21.5	9.2
Text Messaging (SMS)	27.3	27.3	22.7	15.2	1.5	4.5	1.5
Multimedia messaging (MMS) (picture and video messaging)	51.6	7.8	0	0	0	37.5	3.1
Camera	59.4	7.8	3.1	0	0	29.7	0
Calendar	38.5	23.1	7.7	7.7	0	21.5	1.5
Note pad	(38.1)	9.5	0	1.6	0	49.2	1.6
Address Book	(32.8)	14.1	12.5	0	0	37.5	3.1
GPS (maps)	32.3	13.8	4.6	1.5	0	29.2	18.5
FaceBook	(24.6)	18.5	7.7	1.5	0	35.4	12.3
Music player	(20.3)	7.8	9.4	9.4	0	45.3	7.8
Video player	(29.7)	4.7	0	3.1	0	53.1	9.4
University medical library's web pages	(24.6)	1.5	4.6	0	0	60.0	9.2

Note: The highest bolded percentages in the parentheses indicate percent of actual use; the highest percentage for that category is the do not use category.

Save, view, send, or create data

We asked if students save, view, or send patient data via mobile devices. Access is available via a secure, encrypted wireless network. Only 3.2% sometimes view patient data via their personal PDA, whereas 4.8% send patient data via their personal PDA. Additionally, 0% view any of the following on their mobile devices: patient records, appointments, lab data, photos or images, clinical documentation, or prescriptions. However, 49.1% wanted to view photos, radiologic images, and patient lab data, and 45.5% wanted to view clinical documentation.

Scenario questions

We created real-world scenarios, along with input from practitioners, regarding communication and sharing of patient data. All scenarios highlight the convenience and challenge of the ease of accessing and sharing information via mobile devices (and specifically smart phones). Students were provided a five-point Likert scale with each scenario to rate from “not a privacy concern” to “definitely a privacy concern”. For taking a picture of an interesting skin lesion on a mobile device and sending it to your classmate that missed it on his Ob/Gyn rotation, 87.4% found this to be at least somewhat of a privacy concern. With a case of suspected child abuse and taking pictures of the child's injuries on your phone to share with authorities, 79% thought this was at least somewhat of a privacy concern (39.7% considering it definitely a concern). Several scenarios were posed concerning sharing information about a patient's history and physical (H&P) with mobile devices. Students rated the scenario of emailing an H&P to their professor with de-identified information via a mobile device as a privacy concern at 22.3%, but if the information was still identifiable, 88.7% saw this scenario as posing a privacy concern. Reading an email with a de-identified H&P on a mobile device rating similarly to emailing that type of information (22.6% saw this as a concern). When presented with the scenario of texting the incoming on-call resident that “Mr. Johnson is especially grumpy tonight”, 71.6% thought this scenario was at least somewhat of a privacy concern (26.9% considering it definitely a concern). Posting a de-identified picture of a patient on Facebook was at least somewhat of a privacy concern for 85.1% (40.3% considered it definitely a concern). Posting a de-identified procedure of a patient on YouTube was also at least somewhat of a privacy concern for 85.1% (41.8% considered it definitely a concern). Leaving your mobile phone alone, turned on, not password-protected, in a room full of fellow students/colleagues for 5 min or less, 54% found this to be at least somewhat of a privacy concern (12.7% considered it definitely a concern). In the same scenario, but with the phone left unattended for 30–60 min, 64.1% found this to be somewhat of a privacy concern (23.4% considered it definitely a concern) (see Table 2).

Table 2.  Privacy and security scenarios, with answers on a five-point Likert Scale, ranging from not a privacy concern to definitely a privacy concern

Question	Not a privacy concern		Somewhat a privacy concern		Definitely a privacy concern
On rotations, you saw a really cool skin lesion that your buddy on Ob/Gyn rotation missed. You snapped a picture via your phone and sent it to him.
	6.3%	6.3%	32.8%	9.4%	45.3%
While on pediatric rotation, a case of suspected child abuse comes in. You took pictures of the child's injuries on your phone to share with authorities.
	14.3%	6.3%	34.9%	4.8%	39.7%
Emailed history & physical (H&P) to professor w/de-identified information via mobile device.
	58.7%	19.0%	17.5%	1.6%	3.2%
Emailed (H&P) to professor with patient information intact via mobile device.
	3.2%	8.1%	8.1%	12.9%	67.7%
Read an email with de-identified H&P information via mobile device.
	58.1%	19.4%	19.4%	1.6%	1.6%
Texted incoming on-call resident that Mr. Johnson is especially grumpy tonight.
	4.8%	19.0%	33.3%	14.3%	28.6%
Posted de-identified procedure of a patient on Facebook.
	4.7%	6.3%	26.6%	20.3%	42.2%
Posted de-identified procedure of a patient on YouTube.
	1.6%	6.5%	22.6%	24.2%	45.2%
Leaving my mobile device alone, turned on, not password protected, in a room full of fellow students/colleagues for 5 min or less.
	23.8%	22.2%	30.2%	11.1%	12.7%
Leaving my mobile device alone, turned on, not password protected, in a room full of fellow students/colleagues for 30–60 min.
	17.2%	18.8%	26.6%	14.1%	23.4%

Note: Highest percentage for each response is bolded.

Locking/securing mobile devices

Focusing on personal mobile phones and personal PDAs (an additional device to a phone), we were interested in how often their mobile devices are secured, either physically or electronically. For physically locking of one's personal mobile phone, 26.3% always or frequently lock their phone (in a drawer, car, or home), 19.7% sometimes or rarely lock their phone, and 54.1% never physically lock their phone. Electronically locking phones happens even less frequently: 18% always or frequently lock their phone, 6.5% sometimes or rarely lock their phone, and 62.3% never electronically lock their phones. Information for PDAs is similar, with 29.1% physically locking their PDA always or frequently, 25.0% sometimes or rarely, and 45.8% never locking their PDA. The numbers for the PDA e-locking is closest to the phone e-lock rates, with 18% always/frequently, 8% sometimes/rarely, and 58% never electronically locking their personal PDA (see Table 3).

Table 3.  Physical and electronic locking of personal phones and personal PDAs (n = 67)

	Personal phone physically lock (%)	Personal phone electronically lock^a (%)	Personal PDA physically lock (%)	Personal PDA electronically lock^a (%)
Always (100%)	21.9	17.2	16.1	14.5
Frequently (75%)	3.1	1.6	6.5	0.0
Sometimes (50%)	7.8	1.6	11.3	3.2
Rarely (25%)	10.9	4.7	8.1	3.2
Never	51.6	59.4	35.5	46.8
Not applicable	4.7	3.1	22.6	19.4

Note: ^aSome devices were not capable of being electronically locked; therefore, not all columns equal 100%.

Discussion

As previously mentioned, the purpose of this study was to gain baseline information about the habits and experiences with mobile devices of our students, how they use their device(s), for what purposes, and their level of knowledge on how to protect information available through their mobile devices. It should be added that their responses also indicated for which purposes they would not use their devices. For example, while not many students are saving, viewing, or sending patient data via any personal or work mobile device, the student participants in this study had not begun the majority of their clinical rotations. Some respondents had devices that they reported were not patient data-friendly, although the numbers for accessing patient data via mobile devices may increase as students have more need to access patient data.

The scenario section of the MDQ posed some illustrations in which students may find themselves, and addressed possible purposes for which they may use their mobile devices. The scenario questions allowed respondents to provide (using a Likert Scale) how much of a concern they found each of the situations, but there were no follow-up questions as to why they rated their level of concern. Additionally, their clinical experience may influence their level of concern. Since they are familiar with writing up H&P information of patients, this may be a scenario with which they have already dealt, and may feel more confident in particular scenarios. The scenarios concerning social media (sharing on Facebook and YouTube) showed the majority of responses saw this as a privacy concern, even though the data was de-identified. The scenario where the phone was unattended for 30–60 min had responses pretty evenly spread across the five categories (strongly agree, agree, neutral, disagree, and strongly disagree), which means that not every scenario showed strong responses one way or the other, and there is definite room for discussion and education. Since many of these scenarios were provided from practicing health care professionals, these could be a relevant starting point for discussion. Additionally, the MDQ did not capture if these are scenarios students have experienced already or if this type of information is covered in their curriculum. Also, the survey was to gain baseline information mainly on student impressions of various situations, and did not ask them if they saw or experienced any of these situations. Obviously, since the Health Insurance Portability and Accountability Act (HIPAA) went into effect nationally in 1996, those HIPAA regulations now play a very big and important part in patient health information (PHI). However, the use of social media has opened up a whole realm of scenarios that relate to privacy and security that are not covered or addressed with HIPAA, and as noted in the Background, there are still very few medical schools that have policies surrounding the use of social media. Our students practice in a variety of hospital and outpatient settings, and the majority do not have policies regarding social media or specific policies on mobile device use. There are still many unanswered questions as to how situations are handled in differing institutions, although one paper gives an example of how a lapse (however unintended) in professionalism related to social media can be handled and have a positive outcome (Strausburg 2011).

The issue of protecting information available through mobile devices was sobering when looking at the locking of devices by students. The implications for a majority never locking their mobile devices, either physically or electronically, poses a definite issue to be addressed. By “locking” their mobile devices, we are referring to the physical locking of one's device in a locker or office while it is not on the person, in a place where others would need a key to get to that location. By electronically locking, we are referring to having to enter some sort of password, patterned keystroke, or other electronic lock that another person picking up one's phone would not be able to access the information in the phone. There are electronic locking features on phones, such as a sliding bar or moving a puzzle piece into place on a phone that may be considered “locking” the phone (usually so one's phone doesn’t accidentally dial), but those features would not prevent someone from picking up the phone and being able to easily access information in the phone. It is possible that there may be other levels of security in place, such as having to still log into email using a username and password, but many of these devices are saving this information to make it easy to access email. The ease of information access is one of the attractive features of mobile devices, but the risks of misplaced, lost, or stolen phones should be addressed.

Limits to the study

This study was done in conjunction with nursing students at the University of Pittsburgh; please see the paper by LaRue et al. (2011) published elsewhere for those study results. This initial study can represent a typical third-year medical school class, with results providing a baseline for other medical schools. Collaboration with like populations at other universities, as well as distributing this MDQ at our institution every year (or more frequently) to each cohort would keep this information up to date and usable in this age of new devices every few months and new apps consistently being released and updated (when the study was conducted, Android phones were just beginning to enter the market). The length and complexity of the MDQ was daunting and a restructuring of the MDQ may make it easier for the respondents and decrease their maximum time of 15 min to complete. Asking fewer questions about general mobile device usage and focusing on the security and privacy concerns may allow for further exploration on why students think a scenario poses a higher or lower concern. Additionally, very few controlled trials or systematic reviews exist that look at the educational impact and clinical impact for using mobile devices in an educational setting. This article adds to the individual studies that exist.

Conclusion

The findings from this article may be of interest to several groups within our medical school. Further education on this aspect of professionalism could be incorporated into the educational curriculum, using these (or similar) scenarios as discussion points that can then highlight the social media policy in place. Since this survey was targeted to third-year medical students because of their exposure to the clinical setting, the MDQ could also be valuable if also targeted to fourth-year students and residents. All of these groups are still involved in medical education programs, but also are far enough along in their professional career to be taking advantage of mobile clinical care tools.

Declaration of interest: The authors report no conflicts of interest. The authors alone are responsible for the content and writing of the article.

Appendix