Gaining control of PHI vulnerabilities in a mobile health world

The growing use of smart devices at the point of care deepens the challenges hospital IT directors and compliance officers face in making patient health information more readily accessible and shareable while also safeguarding its security. Unfortunately a recent study showed that of those organizations who allowed staff to use personal devices to connect to the enterprise network, 54 percent lacked confidence that those devices could be made secure.
Mobile devices present challenges for protecting PHI

Many hospitals share their information at the point of care on a variety of mobile devices, including both hospital-issued and physician-owned smartphones, tablets and notebook computers. According to a study by the data security and privacy research organization, the Ponemon Institute, 81 percent of healthcare organizations said they already use smart devices to collect, store and transmit some form of Protected Health Information (PHI). Yet 49 percent of those respondents said they do nothing to protect these devices.

Smart Devices: Ease Information Access but Add Security Vulnerabilities

Another Ponemon Institute study determined that of those organizations who allowed staff to use personal devices to connect to the enterprise network, 54 percent lacked confidence that those devices could be made secure. Consistent with Ponemon research, HIMSS Analytics found in a survey that only 54 percent of hospitals were yet capable of protecting electronic health information, a required EHR Core Objective in both Stages 1 and 2 as established by the Centers for Medicare & Medicaid Services (CMS).

While hospitals take advantage of CMS incentives, they face significant risks and fines if not compliant with the Health Insurance Portability and Accountability Act (HIPAA) rules for securing PHI. In its Final HIPAA Omnibus Rule in 2013, the Department of Health and Human Services Office of Civil Rights increased the penalties for noncompliance, in four categories of negligence, with a maximum penalty of $1.5 million per category per year — $6 million if a hospital were to be fined the maximum in all four categories. To date, HHS has issued over $28 million in fines for HIPAA security breaches.

A key risk factor for noncompliance is that there are too many touch-points when sharing PHI inside and outside of the hospital. For example, mobile devices can send output to smart multifunction printers (MFPs) that not only print, but allow walk-up users to copy, scan, fax and email documents. These capabilities helped convince the Office of the National Coordinator for Health Information Technology to define MFPs as workstations. This designation is important because all workstations must protect PHI with administrative, physical and technical safeguards that authenticate users, control access to workflows, encrypt data handled on the device and maintain an audit trail of all activity.

Reaching previously impossible levels of accuracy and information quality

Let’s look at an example of how leveraging both mobile devices and MFPs can improve information accuracy and quality. Clinicians and nurses at a hospital can use a mobile device to capture photos and barcode data, electronically sign forms, and automatically route a document image, metadata, time and date stamp or geo-location information on any point of care activity. They then route that information securely to the hospital’s electronic health records (EHR) system, document management software or any line of business application – with forms electronically completed and securely printed on networked MFPs. Using a mobile device that activates a “touch free” release of the document reduces risk of exposing information left unattended at the printer.

In this scenario, physicians receive electronic requests for orders or referrals they review and sign on their mobile devices, wherever they are. In this case, the physician receives the document as a secure email attachment. After opening it, the physician simply chooses “MD Signature” — or whatever label the hospital might apply to the activity — to sign the document with a user-authenticated signature. The signature is permanently burned onto the form, creating a HIPAA-compliant HL7-based audit trail.

Deploying a more secure healthcare infrastructure

Hospitals should reduce paper and error-prone manual processing by replacing paper forms with electronic versions. Accessible on mobile devices, electronic forms can be pre-populated with patient information pulled from the master patient index or completed with the help of interview questions or drop-down menu choices. Physicians validate patient information with a database lookup, further increasing accuracy. Clicking “submit” sends the form over an SSL-encrypted connection to a secure server, which routes it to its appropriate destination. For further confirmation and verification, the physician receives a receipt by email with an attached copy of the form they completed and signed.

Photos taken with a mobile device’s camera can be added to documents, but they do not remain in the device’s photo collection. Instead, these images are automatically deleted, so that a lost or stolen device provides no access to patient information.

Automatically enforcing security policies prevents loss of confidential data by filtering outbound communications for PHI content, controlling every attempt to send information and intercepting documents that should not leave the hospital network. Fax transmissions from smart MFPs can be restricted to approved numbers, eliminating delivery errors. Confidential information is automatically redacted before the fax is sent, or the transmission is blocked.
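To make the outbound-filtering policy described above concrete, here is an added example of the check such a gateway performs; it is illustrative code written for this page, not Nuance's product code. The PHI patterns (SSN, an 8-digit MRN, a labelled date of birth), the approved fax numbers and the sample document are all constructed for the example.

```python
"""Added example: outbound content policy for a print/fax/email gateway.
Scans an outgoing document for PHI-like content, restricts fax destinations
to an allow-list, and either redacts the sensitive fields or blocks the job.
Patterns, numbers and the sample document are constructed for illustration."""
import re
from dataclasses import dataclass, field

# Constructed detection patterns (assumption: these are the identifiers the
# hospital's policy treats as PHI when they appear in free text).
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),          # US SSN
    "mrn": re.compile(r"\bMRN[:\s#]*\d{8}\b"),            # hypothetical 8-digit MRN
    "dob": re.compile(r"\bDOB[:\s]*\d{2}/\d{2}/\d{4}\b"), # labelled date of birth
}

# Constructed allow-list of approved fax destinations, digits only.
APPROVED_FAX = {"15555550100", "15555550101"}

# Constructed sample document that an MFP user might try to fax.
SAMPLE_DOC = ("Patient John Doe, MRN: 12345678, DOB: 01/02/1960, "
              "SSN 123-45-6789. Discharge summary attached.")


@dataclass
class Decision:
    action: str                              # "send", "redact" or "block"
    reasons: list = field(default_factory=list)
    body: str = ""                           # text actually allowed out


def find_phi(text):
    """Return {label: [matches]} for every PHI pattern that fires."""
    return {k: p.findall(text) for k, p in PHI_PATTERNS.items() if p.search(text)}


def redact(text):
    """Replace each PHI match with a labelled placeholder."""
    for label, pat in PHI_PATTERNS.items():
        text = pat.sub(f"[REDACTED-{label.upper()}]", text)
    return text


def normalize_fax(number):
    """Keep digits only so '+1 (555) 555-0100' compares equal to '15555550100'."""
    return re.sub(r"\D", "", number)


def evaluate_outbound(text, destination, channel="fax", allow_redaction=True):
    """Apply the policy: fax jobs to unapproved numbers are blocked outright;
    documents carrying PHI are redacted when policy allows it, else blocked;
    everything else is sent unchanged."""
    if channel == "fax" and normalize_fax(destination) not in APPROVED_FAX:
        return Decision("block", [f"fax destination {destination} not approved"])
    hits = find_phi(text)
    if not hits:
        return Decision("send", [], text)
    reasons = [f"{label}: {len(m)} match(es)" for label, m in hits.items()]
    if allow_redaction:
        return Decision("redact", reasons, redact(text))
    return Decision("block", reasons)


if __name__ == "__main__":
    for dest in ("+1 (555) 555-0100", "+1 555 555 0199"):
        d = evaluate_outbound(SAMPLE_DOC, dest)
        print(dest, "->", d.action, d.reasons)
        if d.body:
            print("   ", d.body)
```

Every decision, including a block, should also be written to the audit trail; the `Decision.reasons` list is what that log entry would carry, so the record explains why a job was stopped without itself repeating the PHI.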

Back at the bedside, support for barcode identification and verification reduces errors, while improving process efficiency and cost-effectiveness. Nurses or technicians equipped with mobile devices can scan their own bar-coded ID badges, the patient’s wristband and any medications, blood bags or food trays before they are administered, connected or delivered. This assures all materials are associated with the right patient and creates a time-stamp of the activity in the patient’s EHR.
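The bedside scan sequence above (badge, wristband, then the item) is essentially a three-way match against the active orders in the EHR. The following is an added example of that verification step, written for this page and not taken from Nuance or any hospital system; the barcode prefixes (`ID:`, `PT:`, `MED:`), the order table and the staff directory are all constructed assumptions.

```python
"""Added example: bedside barcode verification with an audit record.
Assumed (constructed) barcode scheme: 'ID:<badge>' on staff badges,
'PT:<patient id>' on wristbands, 'MED:<order id>' on medication, blood or
tray labels. ORDERS and STAFF stand in for EHR lookups."""
from datetime import datetime, timezone

# Constructed active-order table: order id -> patient the item is intended for.
ORDERS = {
    "ORD-1001": {"patient": "PT-42", "item": "heparin 5000 IU"},
    "ORD-1002": {"patient": "PT-77", "item": "O-neg RBC unit"},
}

# Constructed staff directory: badge id -> role.
STAFF = {"RN-0007": "nurse", "TECH-0031": "technician"}


def parse_scan(code):
    """Split a scanned value into (kind, value); reject unknown prefixes."""
    prefix, sep, value = code.partition(":")
    if not sep or prefix not in ("ID", "PT", "MED") or not value:
        raise ValueError(f"unrecognized barcode: {code!r}")
    return prefix, value


def verify_administration(badge_scan, wristband_scan, item_scan, now=None):
    """Check that the scanned item is ordered for the scanned patient and that
    the scanning staff member is known. Returns an audit record; 'result' is
    'ok' or 'mismatch' with a reason. The record is produced either way so
    that failed scans are visible in the EHR audit trail, not just successes."""
    now = now or datetime.now(timezone.utc)
    record = {"timestamp": now.isoformat(), "result": "ok", "reason": None}
    try:
        kind_b, badge = parse_scan(badge_scan)
        kind_p, patient = parse_scan(wristband_scan)
        kind_i, order_id = parse_scan(item_scan)
        if (kind_b, kind_p, kind_i) != ("ID", "PT", "MED"):
            raise ValueError("scans presented out of order or of the wrong type")
        if badge not in STAFF:
            raise ValueError(f"unknown staff badge {badge}")
        order = ORDERS.get(order_id)
        if order is None:
            raise ValueError(f"no active order {order_id}")
        if order["patient"] != patient:
            raise ValueError(
                f"order {order_id} is for {order['patient']}, not {patient}")
        record.update(staff=badge, role=STAFF[badge], patient=patient,
                      order=order_id, item=order["item"])
    except ValueError as exc:
        record.update(result="mismatch", reason=str(exc))
    return record


if __name__ == "__main__":
    print(verify_administration("ID:RN-0007", "PT:PT-42", "MED:ORD-1001"))
    print(verify_administration("ID:RN-0007", "PT:PT-42", "MED:ORD-1002"))
```

In a real deployment the item scan would also be checked against dose, route and administration time, and the audit record would be posted to the EHR rather than returned; the shape of the check, and the decision to log mismatches as well as successes, is what the example is meant to show.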

Deploying smart mobile technology to gain control

While hospitals are deploying mobile technologies to deliver more efficient point-of-care to patients, these technologies continue to pose security and compliance challenges. Non-compliance risks can be significantly reduced by implementing a flexible and scalable approach that adds a layer of automated security and control to both electronic and paper-based processes. By taking these security steps, hospitals can confidently embrace the expansion of smart mobile devices in their patient point-of-care processes.

About Chris Strammiello

Chris Strammiello directs the worldwide Marketing and Global Alliances for Nuance’s Document Imaging Division. Under his leadership, the division transformed from solely a desktop software focus to the document imaging industry's most complete product portfolio of desktop, enterprise and OEM offerings. Strammiello has played a strategic leadership role in the merger & acquisition and integration strategies behind Nuance adding eCopy, XSolutions and Equitrac, helping the business unit quadruple its annual revenue. Previously, Chris was Director of Product Management for Nuance's Productivity Division where he successfully drove growth and expansion of speech and imaging technologies. He came to Nuance in 2000 from Xerox Corporation where he held a variety of marketing and strategy positions. Chris holds a B.S. in Marketing from the University of Connecticut.