Healthcare providers are often paranoid that rogue actors or ransomware might attack and attempt to take control of their hospital's IT network.
While this scenario could become a reality, a far more likely scenario is the loss of mobile devices by healthcare and support workers. Indeed, these mobile devices – often personal devices at that - used by workers at hospital and clinics account for over 2/3rds of breaches. According to Becker Hospital Review research, 85% of healthcare workers bring their own devices to work and according to Accellion, 68% of healthcare security breaches were due to the loss or theft of mobile devices or files.
Further complicating the issue is that hospitals are still responsible for the security of personal devices brought to work, even though they are not the owners. And, as individuals increasingly bring their own devices to work, hospitals and clinics can no longer just secure the perimeter of their own IT system. Indeed, hospitals and clinics that run afoul of HIPAA regulations can receive a hefty penalty of $1.5 million per data breach per incident.
How should hospitals respond to these competing realities of increased use of personal devices and increased security threats? What policies and procedures should healthcare entities create to ensure the safety of patient data and the long-term reputation of hospitals? How can hospital officials create sound policies that maintain HIPAA compliance while at the same time ensuring healthcare is not stymied by extensive regulations? Read on.
BYOD is not the culprit
Given the prevalence of BYOD in healthcare, some might advocate going back to the time when only workplace issued devices were used. Today, it is common to find patient data inside personal devices, either mixed in with random notes or accessible via consumer apps used for work. As such, when employees lose or get their mobile devices stolen, hospital data is lost as well.
But eliminating BYOD is futile. According to one source, the mistake is in trying to prevent further BYOD implementation. Indeed, BYOD is a cost cutting measure used by many organizations. BYOD also benefits healthcare because it acknowledges the fact that people are going to bring their own device and seek to use them in their work, as well as their personal life. Furthermore, healthcare providers can't really afford to give a smartphone to everyone who would benefit from the device.
The real culprit is seen in poor mobile device hygiene. Often the mobile devices being used lack encryption or suffer from poor password management. In addition, employees have a tendency to leave their mobile device vulnerable such as forgetting them on the backseat of a car or on a desk or in a coffee shop or in other vulnerable locations. In these instances, the devices are often the object of theft. At this point, the issue is no longer BYOD.
Need for an immediate response plan
The real issue that surfaces with the theft of devices is the lack of encryption on the devices and the lack of a plan to manage the loss of data that comes from lost devices. While most iPhones are encrypted, only 10% of Android phones are. This past July, Catholic Health Care Services (CHCS) of the Archdiocese of Philadelphia was fined $650,000 to settle HIPAA violations connected to the theft of a CHCS-issued employee iPhone in a business associate-related incident from 2013. The phone contained protected health information for 412 people in six separate CHCS nursing homes. The phone was unencrypted and had no password protection.
Adding to this calamity, the Office for Civil Rights says CHCS made no systematic effort to assess risks to potential health information and had no plans for how it would respond to a data security incident. Also, at the time of the theft, CHCS had no policies in place to determine the correct actions or what to do in the case of theft or loss of a device. There were no procedures detailing what to do in the case of a security incident.
While CHCH's case might seem shocking for its mishandling, it is far from unique. Healthcare organizations and their partners need to do a much better job of installing encryption methods and requiring passcodes on mobile devices. Encryption needs to be required, whether data is in transit or in storage. IT administrators need to have the ability to remotely wipe data on lost or stolen devices.
HIPAA regulations require that organizations protect against reasonably anticipated, impermissible uses or disclosures. Enterprises should be able to remote-wipe messages on the device in case it gets lost or stolen. If these regulations were adopted, many of the breaches that we read about would be avoided.
The checklist manifesto
For healthcare organizations to effectively manage and act upon the news of lost devices, they need to have a plan or checklist they follow. By minimizing the time between the actual loss or theft of the device and apprising appropriate officials, healthcare organizations can minimize the impact of the loss. Effective management requires encryption, employee training and an incident response team.
1) Make sure HIPAA guidelines extend to all mobile devices used at your hospital or clinic. HIPAA doesn't just mean securing your desktop computers and servers.
2) Make sure that all patient-related communications are HIPAA compliant. That means, communications in transit and at rest are secure.
3) Make sure that on-call messaging is also secure and HIPAA compliant as these communications often contains patient information.
4) Make sure smartphones have passcodes enabled and all patient sensitive communications on the device can be remotely wiped.
5) Provide staff with defined training and procedures to follow if their smartphone is lost or stolen. Who should doctors or healthcare officials contact at the hospital or clinic?
6) When IT officials have been contacted about the loss, what procedures should they follow? It is extremely important to identify roles and responsibilities within the organization and what must be done by whom when theft is suspected.
Conclusion
The demand for BYOD is increasing and organizations arefaced with increasing pressure to allow BYOD. However, organizations need to be careful to ensure that communications regarding patients are encrypted and met the mandates of HIPAA requirements. By using remote wipe policies, password protection and a defined action plan it becomes much easier to maintain the health of mobile devices.
BYOD doesn't have to impede the flow and effectiveness of healthcare and healthcare IT. Just make sure you have a plan in place.
About the author:
Orlee Berlove is the Marketing director at OnPage Corporation located in Waltham, MA. OnPage is a cloud-based critical alerting and management system that elevates critical notifications so they continue to "ALERT-UNTIL-READ". Incidents can be programmed to arrive to the person on-call and can be escalated if they are not attended to promptly.
The views, opinions and positions expressed within these guest posts are those of the author alone and do not represent those of Becker's Hospital Review/Becker's Healthcare. The accuracy, completeness and validity of any statements made within this article are not guaranteed. We accept no liability for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with them.