Mobile devices and bring your own device (BYOD) policies are quickly changing the landscape of healthcare facilities. The number of these devices in facilities is growing rapidly, as are the production and diversity of mobile devices overall. This movement is expected to help curb the steadily rising cost of healthcare processes, improve the productivity of staff, and decrease the number of errors in entered data.
For the longest time, technology in healthcare, and everywhere else, was limited to desktops and workstations. Over time, there was a move to computers on wheels (COWs), which was meant to add more mobility. This allowed nurses and doctors to travel from station to station or room to room and still access all necessary applications and records. The only problem with COWs was their cumbersome nature. They were mobile, but they were bulky, heavy and had wires all over the place. The final COW killer was the increasing popularity of laptop computers, which came on the market shortly after. Then, as we all know, came smartphones, iPads, and other tablets, which brought on truly rapid change. Mobile devices allow greater access to information and patient records, and increase productivity. They also allow patients to be more connected to their health, manage it through apps, and have more connectivity to their health providers (doctors, nurses, records, insurance, etc.).
Assessment of Risk and Security
Mobility in healthcare faces some tough challenges, and security is at the top of the list. Security procedures are driven by HIPAA and HITECH compliance requirements and are highly regulated. It is important to make sure that both the devices and the users are compliant, with special focus on access to devices and the security of patient records. There also need to be systems in place to log the information accessed and to track devices in case of theft. These and all other considerations must meet the requirements of the HIPAA and HITECH acts, because the devices access patient records and those records could potentially be exposed externally. Failure to adhere to these compliance obligations and strict government regulatory requirements will result in severe monetary penalties and damage to the provider's image.
The overall purpose of these solutions is to provide security for the mobile network across a variety of devices owned by the facility or by the staff. This includes the distribution and upkeep of apps, data configuration and management, loss and theft management such as remote wiping and locating, and end-point security. End-point security is often an overlooked aspect of the overall strategy, but it should be one of the most important. The most common end-point solution is to wipe the phone clean using a factory reset, or a wiping program that deletes only company information and apps. The latter is used for user-provided devices. The problem with this is that most data can still be recoverable even after a full restore or wipe has been performed. The only true way to ensure that no data is present is to physically destroy the device. Once a person has resigned, the device should be turned over to the facility to be logged, stored in a secure container, and then destroyed onsite. This ensures that data does not leave the facility on a device that has been taken off the network.