Security, PHI and workflow: The why’s and how’s of ensuring smart mobile device deployment

It sounds like a scenario from a Hollywood movie: hackers encrypt a hospital's records and won't reveal the encryption key until the hospital pays an untraceable ransom of 40 bitcoins.

Unfortunately, even though the target of the attack – Hollywood Presbyterian Medical Center – is located in the epicenter of the film industry, this is not a scenario from a screenwriter's imagination, but directly from the headlines. Faced with precious little choice, the hospital payed the ransom (equivalent to $17,000 at the time); after all, the information contained in medical records is sacrosanct, and when breached, can be used in countless ways to inflict harm on patients and the medical facilities that serve them.

As dramatic as the Hollywood Presbyterian case is, attempts to gain access to medical records are a well-documented and growing problem. With increasingly more healthcare facilities relying on mobile- and tablet-based record keeping methods, the risk of security breaches is also on the rise.

The good news is there are several effective countermeasures available to prevent breaches, which we'll get to in a moment. But first, I want to share a shocking statistic: the recently released results of the "2016 HIMSS Cybersecurity Survey" indicate that only 57.1 percent of acute care providers and 41.9 percent of non-acute care providers are using intrusion detection systems (IDS), which alert hospital IT staff when data is being compromised. The report spells out the consequences of this industry-wide failure to secure often sensitive data in clear, stark terms: "a provider may continue to be unaware that a potential intrusion, breach, or attack has occurred until the damage has been done."

I don't mean to startle providers who have not implemented an IDS, but the truth is, the patient data they have on file may be more vulnerable than they think. I understand that they are dealing with a laundry list of patient privacy and HIPPA and are struggling to keep up with a complex mix of new and existing compliance rules, oftentimes on small budgets and with a lack of dedicated staff. Nevertheless, I implore healthcare technology leaders that may be reading this article to consider making the changes required to minimize the risk of a harmful security compromise. Due to the timeliness of the HIMSS report, I would like to focus on mobile device management and how to take steps to best prevent a device breach.

Covering your Covered Entity

It's clear that once security is compromised, the aftermath can get ugly, quickly. The federal government implemented the Health Information Technology for Economic and Clinical Health (HITECH) Act in February 2009 to not only stimulate the adoption of electronic health records (EHR) and supporting technology, but to also create a penalty scheme for patient health information (PHI) breaches for covered entities.

It's important that healthcare organizations understand their level of culpability when it comes to civil penalties under HIPAA and enforced by HITECH. Penalties range from up to $50,000 in fines for first offenses and a whopping $1.5 million for repeats of the same offenses. It only takes one exposed device to put an entire organization at risk. According to the Department of Health and Human Services, the HIPAA Security Rule outlines national standards designed to protect electronic PHI that is created, received, used, or maintained by a covered entity. Therefore, covered entities must be diligent when deploying a mobile strategy that best protects their organization because they are accountable for the actions of their workforce.

Despite these severe penalties, many in the healthcare sector still do not have adequate safeguards to secure PHI. To prove my point, I refer again to the 2016 HIMSS Cybersecurity Survey mentioned above: nearly a third of hospitals transmit unencrypted patient data. As an IT professional, not to mention a patient, I want to encourage administrators to contact a mobile device vendor that understands these complex issues, and has a wide-range of expertise in solving them.

Don't Get Overwhelmed, Initiate Best Practices

To ease the burden on providers who may not know where to begin, I'd like to propose three focus areas to address when evaluating mobile device vendors in your quest to become more secure:

1. Encryption
Facilities need to ensure that all data is encrypted at all times. This includes email and message data, as this information can be accessed by hackers without the employee ever realizing it. If you're not encrypting data now, make this your top priority. Review your organization's mobile device strategy and ensure your devices are designed for encryption. Partner with a vendor who has expertise and is fluent in industry best practices; encryption is one of the most critical security practices to block prying eyes from PHI.

2. Authentication
One of the biggest concerns healthcare providers face is ensuring that devices have adequate accessibility controls. One way to accomplish this is through biometric authentication, but not all biometrics are practical for healthcare deployment. However, Fujitsu PalmSecure, a palm vein authentication technology, is optimal for clinicians wearing gloves, as they are still able to access systems on their device without contaminating the surface. There are a number of devices equipped with this technology to suit the unique requirements of each provider. How does your vendor rank in this category?

3. Protocol and Policy
Healthcare organizations need to develop practical, scalable and measurable protocols that complement staff behavior to lead to optimal compliance. BYOD and clinician preference is often a challenge, yet it is imperative that your organizational policy is clear and visible to prevent any workarounds that could put your organization at risk. You'll want to ensure that any vendor you work with will be more than just a seller of devices and services, but a trusted partner that can advise you on your journey to compliance. There is a reason vendor partners have to comply with regulations as business associates. They really are your associates who are available to support and guide. Don't be shy about leveraging their expertise.

The number one objective of any healthcare organization is quality patient care. To best achieve this objective, they must be wise in developing a smart and manageable mobile device strategy. I encourage all providers to take note of this timely HIMSS survey and address any protocols in their organization that may present a risk. As technology evolves, sophisticated hackers have found ways to remotely access mobile and tablet devices. By strengthening protocols and policies, practitioners and employees will have an understanding of how they can effectively ensure that PHI is secure. This paired with encrypting data and adding a layer of biometric authentication prevents qualitative and quantitative losses and protects your organization's integrity, reputation and sensitive data.

Kevin Wrenn is SVP of PC Business for Fujitsu America. Contact him through Twitter @FujitsuAmerica

The views, opinions and positions expressed within these guest posts are those of the author alone and do not represent those of Becker's Hospital Review/Becker's Healthcare. The accuracy, completeness and validity of any statements made within this article are not guaranteed. We accept no liability for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with them.​

© Copyright ASC COMMUNICATIONS 2017. Interested in LINKING to or REPRINTING this content? View our policies by clicking here.

 

Top 40 Articles from the Past 6 Months