- The increase in mobile devices, including smartphones and tablets, has also created a greater need for BYOD security policies and mobile device management (MDM) policies for healthcare organizations.
Moreover, that proliferation of mobile devices in the healthcare community has impacted the sector on several different levels, according to attorney K Royal. Patients, employees, and covered entities themselves will all be feeling the effect of the technological push.
Smartphones, for example, can now hold a great deal of data, added Royal, who is also currently Vice President and Assistant General Counsel at CellTrust.
“Not to mention, being able to get calls, texts, and emails on your phone. Doctors are actually getting health information via emails and opening them on their cell phones,” she explained. “It may be automatically uploaded to a cloud platform. It starts getting really complicated and really broad when you start looking at how many different ways mobile devices can impact medical care. Both for good and for bad.”
In terms of employees, they need to be careful not only in ensuring that their devices are secure, but that they are using them in secure ways.
For example, Royal said that a healthcare provider employee may take a picture of a patient with a broken leg in the emergency room and then post it to a social media page. Unless there’s a distinguishing mark on the leg, it’s not sharing identifiable patient information. However, there still needs to be medical confidentiality and dignity.
One of the biggest complications with BYOD security and MDM policies, though, is data breaches through lost or stolen devices.
A key thing to remember, according to Royal, is that a device should not be considered lost from the time that it is reported missing. Rather, a phone or tablet should be considered lost from the last time that an employee absolutely remembers having it in their possession.
Even with remote wipe capability and a sound MDM plan in place, the interval between the moment a device actually went missing and the moment it is reported and wiped is a period of exposure that can lead to security issues.
“From a legal perspective, that breach occurred at the moment that person last saw the phone,” she stated. “And some states have an acquisition only breach notification requirement, which means that anyone who picked up that phone, it is now a breach. It doesn’t matter if they actually accessed the information.”
Healthcare employees also might not realize how much sensitive information they actually have on their mobile devices.
“People may tell you, ‘Well I didn’t have any patient information on my phone.’ I have never found that to be true,” Royal maintained.
Anything from emails to text messages to phone logs could reveal sensitive information. If not patient data, then a device may have had corporate trade secrets, she added. Billing information, company agreements, or even descriptions of business partnerships could all lead to security issues if lost or stolen.
“I have never found a phone that never had confidential information on it,” Royal said.
Mobile security and OCR HIPAA audits
The recently announced second round of OCR HIPAA audits has many healthcare organizations “terrified,” according to Royal.
“They really don’t know how to appropriately, efficiently, and effectively address the mobile device component of that,” she explained.
Text messaging specifically is a top issue, as covered entities are often unsure how to archive texts. Secure messaging is still an emerging technology, and healthcare organizations might not know how to approach it, she said.
“You can tell your employees all you want, ‘Don’t text, don’t text, don’t text,’ but they’re going to text.”
Patient access to medical information can also be tricky, Royal stated. OCR has explained that organizations have to make access easy for the patient: the response must be complete and delivered in the form and format the patient requests.
“What if a patient texts their nurse and says, ‘I want a copy of my records?’ That’s an official request for accessed information, and you have to have a way to be able to track that and deliver on it.”
Maintaining strong medical device security
Medical device security is a third area that is increasing in importance for healthcare data security, Royal cautioned.
The recent FDA draft guidance is beneficial, but it also adds to the complexity of the issue of medical device security.
“Last year, the US Senate sent an FDA inquiry letter asking how does it make a policy off of draft guidance where 10 years can go by but that they don’t finalize it? They’re using that draft guidance to clear medical devices through the FDA process.”
CynergisTek, Inc. co-founder and CEO Mac McMillan had similar misgivings, explaining in an earlier interview that the guidance was a step in the right direction but that it was a small step.
“Cybersecurity in and of itself is a big issue with everybody in healthcare right now, and everybody is recognizing that we just can’t continue to allow these devices to go on the way they have been. We need to do a better job.”
Overall, healthcare organizations must be mindful of how they are integrating new technologies into their environment.
Always have a watchful eye with sensitive information
Royal underlined the point that those in the healthcare industry, especially individuals in privacy or security areas, or who maintain sensitive data, need to be aware at all times.
Even privacy professionals slip up from time to time. For example, connecting to public networks in airports, hotels, or at a conference is not always wise, and this is especially true when sensitive documents are being accessed over them.
“Even people who are highly aware of privacy and security don’t always think through the practical steps of how this applies to us, especially when we’re on the move,” Royal warned. “That’s something that’s going to come back to bite us. Our phones are smart; we might not be.”