Using mobile devices in the healthcare world offers many benefits, but it also presents major risks when it comes to security. In this guest post, Gene Fry, VP of technology and compliance officer at a company that streamlines paper-intensive processes and protects sensitive and business-critical information, provides a guide healthcare organizations can use to develop a culture of mobile security.
Mobile devices are transforming the way professionals communicate, collaborate and coordinate care in the healthcare setting. In addition to improving operational efficiencies, mobile devices have been shown to improve health outcomes and reduce length of stay. In 2016, a study of approximately 11,500 patients at two hospitals found that patients whose care providers used secure text messaging as a means of communication had shorter lengths of stay than patients whose providers used paging systems.
While there’s no denying the potential benefits of mobile devices, their use remains a significant risk if improperly managed. Of the 260 major healthcare breaches reported to the U.S. Department of Health and Human Services (HHS) in 2015, close to 10% involved a mobile device. Statistics such as this strengthen the argument that IT leaders and CIOs need to look carefully at both sides of the coin when considering a mobile strategy for their organization.
The following steps are intended to guide healthcare organizations through the process of developing a culture of mobile security in such a way that allows them to realize the benefits, while keeping risks to a minimum.
Conduct a risk assessment
The single greatest mobile-related risk to a healthcare organization is a breach of protected health information (PHI). A breach of this nature, which would fall under HIPAA, can carry significant fines, as well as both civil and criminal penalties.
To avoid such scenarios, it’s vital that healthcare organizations thoroughly assess their technology infrastructure for potential vulnerabilities and evaluate how best to protect against the risks they identify. A security risk assessment, which is a key requirement of the HIPAA Security Rule, should identify the following:
- every mobile device (both past and present) that has had any level of access to the organization’s internal systems, and
- the type of information that has been accessed, stored or relayed via mobile devices.
Use the right tools for the job
Text messaging and email are inherently risky because the data they carry is typically not encrypted, neither in transit between devices nor at rest on them. Should a device be lost or stolen, any data residing on the device itself is at risk.
Therefore, organizations that access, store, send or receive PHI on mobile devices should only ever do so within the secure environment of purpose-built, HIPAA-compliant applications that keep data safeguarded at all times. Such solutions help mitigate risk by encrypting information both in transit and at rest, and by letting administrators control and monitor how that information is accessed.
Secure all mobile devices
Security measures such as password and PIN protection are often a device’s first line of defense in keeping sensitive information out of the hands of bad actors. With this in mind, every device that comes into contact with PHI must be adequately protected with the following controls:
- multi-factor authentication
- password and PIN protection
- device encryption
- firewalls, and
- regularly updated software and applications.
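The two lists above, the inventory the risk assessment must produce (every past or present device that touched PHI, and what data it handled) and the controls every such device must have, lend themselves to a repeatable check. The following is an added example, not code from the post or from Scrypt: it runs the control checklist over a small inventory of constructed device records in the shape an MDM export might take. The field names, the 30-day patch window used to define "regularly updated", the approved-application allow-list and the rule that a retired device must have been wiped are all assumptions for the sake of illustration.

```python
"""Mobile-device risk assessment check (added example; not from the post).

Assumes an inventory export shaped like the constructed records below.
Field names, the patch-age threshold and the app allow-list are assumptions.
"""
from dataclasses import dataclass, field

# Controls the post lists for any device that handles PHI.
REQUIRED_CONTROLS = ("mfa", "pin_or_password", "device_encryption", "firewall")
MAX_PATCH_AGE_DAYS = 30                         # assumed meaning of "regularly updated"
APPROVED_PHI_APPS = {"secure-messaging", "secure-fax"}  # assumed allow-list

# Constructed sample inventory (as an MDM export might look); not real devices.
INVENTORY = [
    {"device_id": "d-001", "owner": "nurse.a", "byod": False, "active": True, "wiped": False,
     "data_classes": ["PHI"], "patch_age_days": 7, "phi_apps": ["secure-messaging"],
     "controls": {"mfa": True, "pin_or_password": True, "device_encryption": True, "firewall": True}},
    {"device_id": "d-002", "owner": "dr.b", "byod": True, "active": True, "wiped": False,
     "data_classes": ["PHI", "email"], "patch_age_days": 95, "phi_apps": ["sms"],
     "controls": {"mfa": False, "pin_or_password": True, "device_encryption": False, "firewall": True}},
    # A retired device that once held PHI still belongs in the assessment.
    {"device_id": "d-003", "owner": "admin.c", "byod": False, "active": False, "wiped": False,
     "data_classes": ["PHI"], "patch_age_days": 400, "phi_apps": ["secure-messaging"],
     "controls": {"mfa": True, "pin_or_password": True, "device_encryption": True, "firewall": True}},
    # Never touched PHI, so it is out of scope for this particular check.
    {"device_id": "d-004", "owner": "billing.d", "byod": True, "active": True, "wiped": False,
     "data_classes": ["scheduling"], "patch_age_days": 3, "phi_apps": [],
     "controls": {"mfa": False, "pin_or_password": True, "device_encryption": False, "firewall": False}},
]


@dataclass
class Finding:
    device_id: str
    owner: str
    byod: bool
    missing_controls: list = field(default_factory=list)
    stale_software: bool = False
    unmanaged_phi_app: bool = False   # PHI handled outside an approved app
    retired_unwiped: bool = False     # inactive device never remotely wiped

    @property
    def compliant(self) -> bool:
        return not (self.missing_controls or self.stale_software
                    or self.unmanaged_phi_app or self.retired_unwiped)


def assess(inventory, approved_apps=APPROVED_PHI_APPS, max_patch_age=MAX_PATCH_AGE_DAYS):
    """Return one Finding per device (past or present) that has handled PHI."""
    findings = []
    for dev in inventory:
        if "PHI" not in dev.get("data_classes", []):
            continue
        f = Finding(dev["device_id"], dev["owner"], dev.get("byod", False))
        if not dev.get("active", True):
            # For a retired device the only question left is whether it was wiped.
            f.retired_unwiped = not dev.get("wiped", False)
        else:
            controls = dev.get("controls", {})
            f.missing_controls = [c for c in REQUIRED_CONTROLS if not controls.get(c)]
            f.stale_software = dev.get("patch_age_days", 10**9) > max_patch_age
            f.unmanaged_phi_app = any(a not in approved_apps for a in dev.get("phi_apps", []))
        findings.append(f)
    return findings


def summarize(findings):
    """Roll findings up into the figures a risk register would record."""
    bad = [f for f in findings if not f.compliant]
    return {
        "phi_devices": len(findings),
        "non_compliant": [f.device_id for f in bad],
        "byod_non_compliant": [f.device_id for f in bad if f.byod],
    }


if __name__ == "__main__":
    for f in assess(INVENTORY):
        status = "OK " if f.compliant else "FAIL"
        print(f"{status} {f.device_id} ({f.owner}) missing={f.missing_controls} "
              f"stale={f.stale_software} unmanaged_app={f.unmanaged_phi_app} "
              f"retired_unwiped={f.retired_unwiped}")
    print(summarize(assess(INVENTORY)))
```

Run against a real export, the `non_compliant` list is the work queue for the remediation the next sections describe (enforcing the controls, moving PHI into approved applications, wiping retired devices), and the `byod_non_compliant` subset shows how much of that exposure comes from personally owned devices.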
This is particularly important within organizations that permit BYOD (Bring Your Own Device), where staff may be using the same devices for both professional and personal activities, increasing the likelihood of loss or theft.
Establish policies for mobile usage
Many security-related horror stories can be traced back to an internal source, such as an employee downloading an unauthorized mobile application, which in turn jeopardizes the security of all sensitive data stored on that device. More often than not, individuals don’t intend to cause harm by installing insecure applications or programs, but their seemingly innocent actions can introduce vulnerabilities into the company’s IT infrastructure with potentially devastating consequences.
To avoid such scenarios, employers should establish clearly defined policies to encourage safe mobile usage, and ensure all staff are trained to comply with those policies, while also being made aware of any sanctions for violation.
Ideally, mobile policies should outline procedures for:
- remote disabling and wiping
- deletion of messages after a period of time
- password protection and access authorization, and
- downloading applications and files.
At the very least, healthcare organizations need to clearly define a list of acceptable and unacceptable actions, and formulate a response plan in case a device is lost, stolen or compromised.
Humans have always been, and will remain, the weakest link in the security chain, and the introduction of mobile devices into the healthcare workplace only accentuates this vulnerability. While the steps outlined above provide a good foundation for healthcare organizations to build upon, cracks will soon begin to show if staff aren’t adequately trained to identify and mitigate risks themselves.
The benefits of mobile technology should be embraced by the healthcare industry, not feared, but when the security risks remain so significant, that’s easier said than done.
Gene Fry is VP of technology and compliance officer at Scrypt Inc., a HIPAA-compliant document management platform with built-in faxing that lets users store, share, sign and send PHI easily and securely from any web browser. He holds the following certifications: HIPAA Professional, HIPAA Privacy and Security Compliance Officer, Electronic Health Record Specialist and Gramm-Leach-Bliley Act.