If you’re responsible for maintaining data security and privacy in a healthcare environment, you may look at the increasing use of mobile devices as a decidedly mixed blessing.
A recent mHealthNews article describes the benefits of mobile access and how it can provide compelling improvements in convenience, ease of use, and accuracy. That’s why so many clinicians and administrators now use smartphones, tablets, and notebook computers – whether hospital-issued or their own – as an everyday part of delivering care.
But the article also examines how those advantages are offset by the new and daunting challenges that mobile access presents for the security of systems and data, and for the privacy of PHI (protected health information).
Mobile healthcare devices, particularly if they are of the BYOD variety, may not be secured. Yet they have far-reaching capability to communicate both within your healthcare organization’s network, and beyond it. What better recipe could there be for inadvertent disclosure of protected patient information, or heightened exposure of your systems and data to bad actors?
Maintaining the balance
The tension between the high-level goals of improving access and maintaining security may be inescapable. But it is possible for hospital IT directors and compliance officers to strike a reasonable (and compliant) balance, by taking advantage of several tools and techniques already at their disposal:
Keep track of the touchpoints: Of course, it’s important to have an inventory of all the mobile healthcare devices that are involved in your organization’s delivery of care. But a related risk factor, too often ignored, consists of devices already on your network with which mobile devices communicate: specifically, multi-function printers (MFPs). Because MFPs can copy, scan, fax, and email documents – which could include PHI – the Department of Health and Human Services requires that they be protected with “administrative, physical and technical safeguards,” like other computing devices.
Replace paper forms with electronic versions: Paper, like the manual processing it requires, is not a good building-block for a secure infrastructure. Accessible on mobile devices, electronic forms can be pre-populated with patient information; have their patient information validated by a physician, via a database lookup; be sent with SSL encryption to a secure server; and be securely routed to the appropriate destination.
Teach mobile cameras to forget: Patient-related photos taken with a mobile device can be added to documents, but they should not remain in the device’s photo archive. Encourage clinical staff to set these images for automatic deletion, so that a lost or stolen device will provide no access to patient information.
Filter outbound communications for PHI: One way to intercept documents that should not leave your organization’s network is to identify them before they can be transmitted, and enforce the relevant security policy. Smart MFPs can be programmed to restrict fax transmissions to only approved numbers, or to automatically redact confidential information before sending.
Barcode for verification: In a hospital or clinic setting, the use of barcodes to continually identify and verify patient data can greatly enhance efficiency and compliance. Nurses or technicians equipped with mobile devices can scan their own barcoded ID badges, the patient’s wristband, and any medications (before administering), blood bags (before connecting), or food trays (before delivering). The result is assurance that all materials are associated with the right patient, and a time-stamped record of activity for the patient’s EHR (electronic health record).
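To make the "filter outbound communications for PHI" step concrete, here is an added example (not from the article or any vendor's product) of the policy check an MFP or print server could apply before a fax leaves the network: block unapproved destinations, redact detected PHI for approved ones, and pass clean documents through. The approved-number list, the PHI patterns, and the sample referral text are all constructed for illustration, and a real DLP policy would cover many more identifier types.

```python
import re
from dataclasses import dataclass, field

# Constructed allow-list of fax destinations the device may send to (sample values).
APPROVED_FAX_NUMBERS = {"+15551230100", "+15551230101"}

# Constructed PHI patterns; a production policy would cover many more identifiers.
PHI_PATTERNS = {
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "MRN": re.compile(r"\bMRN[:#]?\s*\d{6,10}\b"),
    "DOB": re.compile(r"\bDOB:?\s*\d{2}/\d{2}/\d{4}\b"),
}

# Constructed sample document that a clinician might try to fax out.
SAMPLE_REFERRAL = (
    "Referral for Jane Doe, DOB: 04/12/1970, MRN: 00482913. "
    "SSN 123-45-6789 on file. Please schedule MRI."
)

@dataclass
class Verdict:
    decision: str                                 # "allow", "redact" or "block"
    findings: list = field(default_factory=list)  # PHI types detected in the document
    outgoing_text: str = ""                       # what is actually permitted to leave

def find_phi(text: str) -> list:
    """Return the labels of the PHI pattern types present in the document."""
    return [label for label, pat in PHI_PATTERNS.items() if pat.search(text)]

def redact(text: str) -> str:
    """Replace every PHI match with a labelled placeholder."""
    for label, pat in PHI_PATTERNS.items():
        text = pat.sub(f"[REDACTED {label}]", text)
    return text

def normalize_fax(number: str) -> str:
    """Strip formatting so '(555) 123-0100' and '+15551230100' compare equal."""
    digits = re.sub(r"\D", "", number)
    return "+" + digits if len(digits) == 11 else "+1" + digits

def evaluate_outbound(document: str, destination: str) -> Verdict:
    """Policy: unapproved destination -> block; approved + PHI -> redact; else allow."""
    findings = find_phi(document)
    if normalize_fax(destination) not in APPROVED_FAX_NUMBERS:
        return Verdict("block", findings, "")       # nothing leaves, PHI or not
    if findings:
        return Verdict("redact", findings, redact(document))
    return Verdict("allow", findings, document)
```

The decision and the list of PHI types found give the audit trail an MFP log would need to show that the safeguard was applied to each transmission.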
As mobile devices are implemented in more healthcare settings – soon to include home health monitoring and telehealth – the risks of noncompliance or security breaches will also expand. By using tools and techniques such as those described here, you can strike the balance necessary to embrace smart mobile devices as a vital component of patient care.