Smartphones and their mobile applications have changed many individuals' lives because of their vast capabilities and remote functions. Physicians, nurses and clinical staff are not immune to the growing prevalence of mobile devices in daily life, especially since many mobile applications are tailored to healthcare and increasing efficiency of care. Mobile health can also be critical for transitioning to new care delivery models and better patient engagement, giving physicians and nurses even more incentive to incorporate mobile devices into their work.
However, mobile health can be risky. Thousands of phones get lost every day. If a physician or a nurse lost their mobile device and somehow the finder could access a patient's health information or even the healthcare organization's EMR system, the potential for a data breach would rise. Additionally, many people are not putting passwords on smartphones and tablets or they are using insecure pins and passwords. Physicians and hospital staff are no exception. They may not follow security measures as strictly as they should, especially if they use their personal phones.
To determine how risky losing a smartphone could be, Symantec, a provider of security, storage and systems management solutions, intentionally lost 50 smartphones. Before they lost the phones they placed a collection of simulated corporate and personal data on them. The phones were equipped with software that allowed Symantec to monitor how the phones were used once they were found. The smartphones were dropped in five different cities: New York City; Washington, D.C.; Los Angeles; San Francisco and Ottawa, Canada. They were left in high traffic public places such as elevators, malls, food courts and public transit stops.
The findings from the study include:
• Ninety-six percent of the smartphones were accessed by their finders.
• Nearly half of the finders tried to access the phone owner's bank account.
• Six out of 10 finders attempted to view social media information and email.
• Eight out of 10 finders tried to access corporate information including files marked as human resource salaries, human resource cases and other corporate information.
• Fifty percent of the individuals who found the phones made an attempt to return them.
Although the amount of access finders attempted on the smartphones may have been out of curiosity, the findings from the study show that even if individuals are good intentioned they may stumble across information they should not see. The researchers point out that a password on the phone and an ability to remotely wipe the data off the phones once lost would have prevented a finder's access to personal information. While the data from the study focused on personal and business information, the implications for healthcare are obvious. There is no turning back time on technology; the trend of storing information on cloud servers and using mobile phones via mobile health is going to continue. According to David Finn, health information technology officer at Symantec, the healthcare industry cannot let technology advance farther than policy and procedures. "We have to protect the data. We know what the procedures and policies should be. We just need to enact them."
According to the report, "Introducing the Symantec Smartphone Honey Stick Project," there are steps organizations can take to ensure mobile devices and sensitive information remain protected:
1. Develop and enforce strong security policies for employees using mobile devices for work; this includes requiring password-enabled screen locks. Mobile device management and mobile security software can aid in this area.
2. Focus on protecting the patient information as opposed to focusing solely on devices. Securing the information itself ensures its safety no matter where it is exchanged.
3. Take inventory of the mobile devices connecting to the hospital or health system's networks.
4. Have a formal process in place so that everyone knows what to do if a device is lost or stolen. Mobile device management software can help automate such a process.
5. Integrate mobile device security and management into the overall enterprise security and management framework and administer it the same way. In essence, treat mobile devices as enterprise endpoints, if they belong to the enterprise or if they contain enterprise data.
Additionally, hospital and health systems should educate their employees about the risks associated with mobile devices. They can also encourage employees to use the following best practices with their mobile devices.
• Use a screen lock. A screen lock is a basic security precaution and requires minimal effort but it can provide a critical barrier between personal information and a stranger. Remind hospital staff that a screen lock should be secured with a strong password or a "draw to unlock" pattern commonly found on smartphones.
• Use special smartphone software. Use security software specifically designed for smartphones. Such tools can stop hackers and prevent cybercriminals from stealing information or spying on users when using public networks. In addition, security software can help locate a lost or stolen device and even remotely lock or wipe it.
• Keep a close eye on the smartphone. When traveling around the hospital, physicians and nurses should make sure that their mobile devices remain nearby and are never left unattended, being mindful of where they put devices at all times. It is also a good idea to make sure that they can differentiate their device from others that might be sitting in the immediate vicinity by adding distinguishing features, such as a sticker or a case.
According to Mr. Finn, one of the most effective methods for improving security at a hospital or health system is focusing on employee education and training. Employees are not ill intentioned when it comes to their patients' health information. They will want to protect the data, and they could be a second line of defense against data breaches.
Mr. Finn offered an interesting analogy: Individuals do not leave their homes for the day without locking the front door. Yet, they will load up their computers and smartphones with personal and patient information but they will not password protect it. Failing to protect that information is very similar to leaving the front door unlocked and could cause costly damage to a healthcare organization. "No one in the hospital or health system should leave the door unlocked to protected health information," says Mr. Finn.
7 Ways to Secure Physician Text Messages
Going "Social": Monitoring and Addressing HIPAA violations on Social Media
However, mobile health can be risky. Thousands of phones get lost every day. If a physician or a nurse lost their mobile device and somehow the finder could access a patient's health information or even the healthcare organization's EMR system, the potential for a data breach would rise. Additionally, many people are not putting passwords on smartphones and tablets or they are using insecure pins and passwords. Physicians and hospital staff are no exception. They may not follow security measures as strictly as they should, especially if they use their personal phones.
To determine how risky losing a smartphone could be, Symantec, a provider of security, storage and systems management solutions, intentionally lost 50 smartphones. Before they lost the phones they placed a collection of simulated corporate and personal data on them. The phones were equipped with software that allowed Symantec to monitor how the phones were used once they were found. The smartphones were dropped in five different cities: New York City; Washington, D.C.; Los Angeles; San Francisco and Ottawa, Canada. They were left in high traffic public places such as elevators, malls, food courts and public transit stops.
The findings from the study include:
• Ninety-six percent of the smartphones were accessed by their finders.
• Nearly half of the finders tried to access the phone owner's bank account.
• Six out of 10 finders attempted to view social media information and email.
• Eight out of 10 finders tried to access corporate information including files marked as human resource salaries, human resource cases and other corporate information.
• Fifty percent of the individuals who found the phones made an attempt to return them.
Although the amount of access finders attempted on the smartphones may have been out of curiosity, the findings from the study show that even if individuals are good intentioned they may stumble across information they should not see. The researchers point out that a password on the phone and an ability to remotely wipe the data off the phones once lost would have prevented a finder's access to personal information. While the data from the study focused on personal and business information, the implications for healthcare are obvious. There is no turning back time on technology; the trend of storing information on cloud servers and using mobile phones via mobile health is going to continue. According to David Finn, health information technology officer at Symantec, the healthcare industry cannot let technology advance farther than policy and procedures. "We have to protect the data. We know what the procedures and policies should be. We just need to enact them."
According to the report, "Introducing the Symantec Smartphone Honey Stick Project," there are steps organizations can take to ensure mobile devices and sensitive information remain protected:
1. Develop and enforce strong security policies for employees using mobile devices for work; this includes requiring password-enabled screen locks. Mobile device management and mobile security software can aid in this area.
2. Focus on protecting the patient information as opposed to focusing solely on devices. Securing the information itself ensures its safety no matter where it is exchanged.
3. Take inventory of the mobile devices connecting to the hospital or health system's networks.
4. Have a formal process in place so that everyone knows what to do if a device is lost or stolen. Mobile device management software can help automate such a process.
5. Integrate mobile device security and management into the overall enterprise security and management framework and administer it the same way. In essence, treat mobile devices as enterprise endpoints, if they belong to the enterprise or if they contain enterprise data.
Additionally, hospital and health systems should educate their employees about the risks associated with mobile devices. They can also encourage employees to use the following best practices with their mobile devices.
• Use a screen lock. A screen lock is a basic security precaution and requires minimal effort but it can provide a critical barrier between personal information and a stranger. Remind hospital staff that a screen lock should be secured with a strong password or a "draw to unlock" pattern commonly found on smartphones.
• Use special smartphone software. Use security software specifically designed for smartphones. Such tools can stop hackers and prevent cybercriminals from stealing information or spying on users when using public networks. In addition, security software can help locate a lost or stolen device and even remotely lock or wipe it.
• Keep a close eye on the smartphone. When traveling around the hospital, physicians and nurses should make sure that their mobile devices remain nearby and are never left unattended, being mindful of where they put devices at all times. It is also a good idea to make sure that they can differentiate their device from others that might be sitting in the immediate vicinity by adding distinguishing features, such as a sticker or a case.
According to Mr. Finn, one of the most effective methods for improving security at a hospital or health system is focusing on employee education and training. Employees are not ill intentioned when it comes to their patients' health information. They will want to protect the data, and they could be a second line of defense against data breaches.
Mr. Finn offered an interesting analogy: Individuals do not leave their homes for the day without locking the front door. Yet, they will load up their computers and smartphones with personal and patient information but they will not password protect it. Failing to protect that information is very similar to leaving the front door unlocked and could cause costly damage to a healthcare organization. "No one in the hospital or health system should leave the door unlocked to protected health information," says Mr. Finn.
More Articles on Mobile Health:
Mobile App Helps Physicians Communicate "On the Go"7 Ways to Secure Physician Text Messages
Going "Social": Monitoring and Addressing HIPAA violations on Social Media