Like most industries, healthcare relies heavily on computers, mobile devices, smartphones and tablets to manage the business of care. Whether it's finding the latest article about a medical breakthrough, ascertaining pertinent drug information, or communicating about patient treatment options, the speed and efficacy of these devices cannot be denied.
Mobile communication in the medical field, however, presents unique challenges. Patient-related information accessed from or sent to any mobile device needs to be protected and secured. But often it is not. Security is vital to maintaining patient confidentiality and it is required by the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act. In healthcare, significant data breaches can come in the form of lost or stolen patient information, which can lead to identity theft, Medicare/Medicaid or financial fraud, lost revenue, lawsuits, and fines from regulatory agencies.
What Causes a Data Breach?
Most everyone is aware of hackers, and we've all heard stories of identity theft and fraud, particularly with many high-profile data breaches at major retailers. But how and why do these breaches occur? Generally, they are the exploitation of human error. There is no such thing as a perfect piece of software code. Humans create the code, therefore invariably, there will be imperfections. Crafty hackers use these openings to corrupt, capture and leverage data for their own means.
Another cause is simple negligence. Short Message Service (SMS) text messages may be simple, fast, and direct, but they are not HIPAA compliant. They are not encrypted and once they are sent the message data is in the control of the carrier, not the doctor or the patient. Machine-to-machine devices allow doctors to monitor patients remotely through equipment that uses Wi-Fi or Bluetooth connectivity. But when these are connected over unsecured networks, patient data is vulnerable to attack because it can be intercepted.
Carelessness also can play a role. Data can be compromised when laptops or tablets are lost or stolen. Many times the data "sets" on laptops are not password protected or encrypted, leaving the information open for easy retrieval.
Other aspects that can factor into potential data breaches are server infrastructure in hospitals that are often are unencrypted; and Bring Your Own Device (BYOD), which can result in unsecure personal devices being used for work to access or exchange patient information.
Keys to Mitigating Risk & Protecting Patients
Healthcare organizations need three key elements to safeguard their patients' electronic protected health information (ePHI). One is a data breach backup plan. According to the Healthcare Information and Management Systems Society survey, 69% of health security professionals said their organization has a data breach plan in place. Another 27% said they were still developing a strategy. Certainly this is an area of concern, as more and more healthcare facilities begin to put the proper measures in place to mitigate these risks.
Another must-have is layers of reliable security measures, particularly when teleheath is utilized as a care model. To offer true security, all aspects of the mobile computing environment must be protected. The most effective way to secure ePHI on mobile devices is through two layers of security, a combined single sign-on and authentication management solution. There should be unique user IDs for accessing data, including user names and passwords, as strong password policies help to ensure the protection of critical patient data. Data should NEVER be exposed; it must be encrypted not only while "at rest" (on devices and servers) but also "in transit" between clients, mobile devices and servers. Network access must be controlled to prevent hackers from gaining access to ePHI. And finally, an audit trail of all users' and administrators' activities is useful to provide insight into who is accessing patient data, and for what purpose.
In the telehealth environment, for instance, there are front-line web servers that essentially deliver the "virtual" portion of the doctor-patient consultation. These servers should never store any ePHI. The API servers, i.e. the second line of servers, do store data, but they must be heavily protected with passwords and encryption, and offer several sets of keys to ensure double safeguards. In this example, there is segregation between the audio and video portion of the doctor-patient consult that resides on the Web servers, and the actual data that resides on the API servers. This, along with additional layers of security, limits exposure to data breaches.
Finally, finding third-party vendors that are HIPAA compliant is a must. With a HIPAA-compliant solution, health organizations can be assured that they can:
- Securely distribute and access patient information from a mobile device, specifically HIPAA-compliant messaging and voice and file transfer.
- Securely exchange ePHI between hospitals, clinics, and home care environments, from a tablet, laptop or other device.
- Transmit audio, graphics and video over industry-standard 256-bit Secure Socket Layer encrypted connections.
- Utilize multiple applications, including corporate, web, and cloud-based services, within a protected secure environment.
- Prevent access by unauthorized users or noncompliant devices.
To enable healthcare providers to make full use of time-saving, potentially life-saving technology without compromising patient information requires that they understand and evaluate the security risks associated with mobile devices and BYOD, and leverage a multi-faceted approach to safeguard ePHI.
The right solution enables safe and secure communications, which will enable providers to focus their time, energy and resources on what truly matters: the delivery of quality healthcare services. Healthcare organizations must take steps to protect their information and that of their patients as if lives depend upon it, because they do.
Guy Henggeler is General Manager for VirtuMedix TeleCommunication Systems, Inc. Bobby Park, MD, is a practicing board certified emergency medicine physician at Wake Emergency Physicians, PA, Raleigh, NC.