
BYOD Healthcare Policy

Are BYOD Policies in Healthcare a Mistake?

“BYOD” stands for “Bring Your Own Device,” and its potential implementation is a conversation being had in many workplaces, schools, industries, and hospitals.

In theory, it’s an effective cost-cutting measure: everyone is walking around with an advanced, mobile touchscreen computer in their pocket at all times. Why not leverage that ubiquitous technology, all the while saving the business some money on buying medical tablets for every employee?

While BYOD policies sound great on paper, are they actually effective? Do they do more harm than good?

Personal Devices Are a Hornet’s Nest of HIPAA Violations

The greatest flaw in any BYOD policy is almost always security — how do you ensure that the phone a staff member carries at home, at work, and out to the club is protected? How can you guarantee that the employee is always logging out of work applications, especially if they take work home with them as part of their job? Lines become even blurrier, and confidentiality suffers.

Imagine a doctor or nurse snaps a quick picture of an injury on their cell phone for later reference or sends it to another clinician for a second opinion. Even if the patient consented to this, is the text message software secure? Is the receiving phone or device secure? What happens if either is hacked or stolen?

Are all pictures snapped by the phone automatically backed up to the cloud? Some users may not realize this happens automatically, depending on the phone’s settings. Is the staff member’s Dropbox or iCloud shared with anyone else? How encrypted is it? What other, non-secure device is the cloud service backing up to? A home computer, a bedside iPad, a husband or wife’s laptop?

Of course, this doesn’t just apply to images. Ask yourself all of these questions regarding a text or email about a patient’s condition or personal details to another clinician. Think about what note-taking software is being used on the phone, and where that’s stored. Some staff members may record their thoughts or case reports into a phone recorder app, which may be backed up to the cloud or other, less secure devices.

Does the user even have a password on their phone or tablet? According to the “Consumer Security Risks Survey” from Kaspersky Labs, only half (53%) of mobile users have a security solution installed on their smartphones. And 20% weren’t even aware that mobile malware existed.

Each one of these avenues is a potential HIPAA violation, which can cause an individual or a branch thousands of dollars in fines and potentially more in active lawsuits.

Consider the Liability

Mobile devices get stolen or misplaced all of the time. Unlike dedicated hospital medical tablets, a staff member’s personal cell phone or tablet is going home (or out) with them. And considering that 44% of smartphone thefts happen in public places, and 14% in burglarized houses, the odds of losing the phone increase dramatically if they take it from the workplace.

If the device gets dropped or stolen at work, is the hospital liable? If the policy requires that staff bring their personal devices instead of using hospital-provided medical computers and medical tablets, there’s an argument that could be made. An argument that probably would be made, by an attorney.

Before implementing a BYOD policy, make sure employees know what’s required of them and what the liabilities are. Having employees sign a document that codifies this policy — to legally protect the hospital — will be job one.

Can Personal Devices be Managed by IT?

The IT department at a hospital or medical office (or, really, any facility or industry) performs a whole host of important jobs.

They maintain computer hardware and software, set up and manage the network, and ensure that data is protected and secure, just to name a few.

Devices that are officially owned by the hospital can all be managed with IT network software. Hospital or office-owned medical tablets are constantly under the watchful eye of the IT department. The IT team also keeps all device software updated to prevent bugs and known security breaches. They install anti-virus and firewall software on managed devices, and ensure that those programs are working and up to date.

Installing, troubleshooting, and maintaining all of these processes often requires that the tech have hours of access to the medical computer in question. With a BYOD policy, tech access to someone’s personal cell phone is extremely limited, if it’s even allowed.

Sometimes, due to liability concerns, the tech may have little to no access at all. This turns the individual user — a doctor or nurse — into the primary tech for their own device. And, unfortunately, many don’t have the time or aren’t up to the challenge.

This neglect or misunderstanding can lead to software patches not being installed and lax anti-virus maintenance, which can open up huge security holes for any device or network.

A SecureEdge Networks report indicated that, as it stands, 80% of all BYOD devices are completely unmanaged by the IT team. Compare that to the standard practice of managing all medical tablets and computers in a facility, and the vast security gulf becomes clearer.

BYOD Policies Lack Standardization

Even with the proper policies in place, and a secure environment for users to log into confidentially, there remains the most frustrating feature of BYOD policies: lack of standardization.

The medical tablets and other medical touch screens purchased by the hospital typically come from the same vendor, and are running the same operating system and even use the same parts. This standardization allows IT to choose software and hardware peripherals that work with any device in the hospital.

With hundreds of unique personal devices, things get dicey.

While staff members may enjoy the familiarity of their own devices, that doesn’t mean productivity is necessarily increased across the board. When staff members have devices from a dozen different manufacturers, with different operating systems (on different versions, with different patches), trying to make software and communication work is no easy task.

Hospital apps, messaging services, and secure hospital data vaults have to be compatible with Android, iOS, Windows, and manufacturer-specific tablet OSes. Frequently used website portals must be compatible with Chrome, Safari, and half a dozen other mobile browsers.

And, most importantly, if there is a conflict, the IT department is responsible for maintaining access across dozens of different platforms and browsers. Assuming the policy even allows IT to maintain the BYOD devices, that puts a huge strain on the tech team.

To BYOD or Not to BYOD

According to an extensive study by the Ponemon Institute released in 2016, data breaches are a constant problem for almost every hospital.

In their study, they found that “nearly 90% of healthcare organizations…had a data breach in the past two years.” They then went on to report that “45% had more than five data breaches in the same time period.” Considering that the average cost of a data breach is somewhere upwards of $2 million, the math speaks for itself.

BYOD policies are not without their benefits — they’re excellent short-term solutions, especially for facilities that don’t have the budget for as many dedicated medical tablets or computers as they need. BYOD has been known to boost morale, and when implemented properly can increase communication.

However, most of the studies that found this data looked at standard businesses that don’t have to worry about the stringent confidentiality and security requirements of HIPAA.

Still, with HIPAA violations costing companies like Anthem over $16 million, healthcare can ill afford to play it fast and loose with potential security breaches.

Contact Cybernet today to learn more about creating a secure network of purpose-built medical tablets and medical computers in your facility.

Medical Tablets: Complying with HIPAA

Healthcare providers increasingly use clinical applications such as EHR, clinical decision support systems, order entry systems, radiology, laboratory and other systems. Health IT makes the medical workforce more agile, mobile and productive. Mobile devices let physicians check patient records on the go, in any location. Nonetheless, the rise of mobile technology increases the risk of data breaches. HIPAA aims to protect ePHI while still allowing hospitals to adopt new technologies & improve their efficiency and care quality.

The Health Insurance Portability & Accountability Act (HIPAA), 1996, consists of the HIPAA Privacy Rule & the HIPAA Security Rule. The former establishes national standards for the protection of individually identifiable health information; the latter sets security standards for protecting individually identifiable health information held or transferred in electronic form. The Security Rule sets out the technical and non-technical safeguards covered entities must implement to secure patients’ electronic protected health information (e-PHI).

Understanding HIPAA

The HIPAA Security Rule covers health plans, health care clearinghouses and health care providers that create, receive, store or transmit e-PHI, as well as their business associates. Read the Summary of the HIPAA Privacy Rule [PDF].

Under HIPAA, covered entities must:

  • Ensure confidentiality, integrity & availability of e-PHI.
  • Identify threats to e-PHI and protect against them.
  • Protect e-PHI against disclosures or impermissible uses.
  • Ensure HIPAA compliance by the workforce.

The HIPAA Security Rule requires covered entities to perform a risk assessment to determine reasonable security measures for a particular organization. Risk assessment includes evaluating the likelihood of a data breach, implementing appropriate security measures, documenting those measures & the rationale for choosing them, and continuously protecting e-PHI.

Safeguards

HIPAA requires organizations to implement certain safeguards on the administrative, physical and technical levels.

Administrative

  • Security management process – identify & analyze risks to e-PHI, implement security measures for protection.
  • Security official – appoint one to oversee HIPAA compliance.
  • Information access management – limit uses and disclosures of e-PHI, granting access to data only when appropriate, to authorized personnel only.
  • Workforce training – provide the medical staff with data protection training, ensuring policy compliance by the workforce.

Physical

  • Limit physical access to the facility for unauthorized individuals, yet ensure authorized access is allowed.
  • Implement device security procedures, specify proper use of devices and access to them, have policies regarding device transfer, disposal or re-use.

Technical

Health care providers must implement:

  • Access control to e-PHI for authorized personnel only.
  • Audit controls of hardware, software and data access and use procedures.
  • Integrity controls to ensure e-PHI is not destroyed or altered improperly.
  • Transmission security measures that guard against unauthorized access to e-PHI in transit.
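The “integrity controls” bullet above (and the Data Integrity section later in this post) says e-PHI must not be altered improperly, but does not show what such a control looks like. The following is an added example, not code from the original article or from any tablet vendor: it seals an e-PHI record with an HMAC-SHA-256 tag under a key the covered entity holds, so a reader can detect a changed field or a tag recomputed by someone without the key. The record layout, the key and the canonical JSON encoding are constructed assumptions for this example.

```python
"""Integrity control for an e-PHI record.

A keyed tag (HMAC-SHA-256) is stored beside the record; any alteration of
the record bytes, or a tag produced without the key, fails verification.
Added illustrative example; record layout and key handling are constructed.
"""
import copy
import hashlib
import hmac
import json
import secrets

# In production the key would live in a key store or HSM; constructed here.
INTEGRITY_KEY = secrets.token_bytes(32)


def canonical(record):
    """Serialize with sorted keys and fixed separators so the same logical
    record always yields the same bytes, and therefore the same tag."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def seal(record, key=INTEGRITY_KEY):
    """Return the record together with its integrity tag (hex)."""
    tag = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return {"record": record, "tag": tag}


def verify(sealed, key=INTEGRITY_KEY):
    """True only if the stored tag matches the record under our key.
    compare_digest keeps the comparison constant-time."""
    expected = hmac.new(key, canonical(sealed["record"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sealed["tag"])


def demo():
    """Exercise the three cases: intact, altered value, forged tag.
    Returns (intact_ok, tampered_ok, forged_ok)."""
    # Constructed sample e-PHI record (no real patient data).
    sealed = seal({"patient_id": "P-000123", "allergy": "penicillin", "dose_mg": 500})
    intact_ok = verify(sealed)

    # An improper alteration of one clinical value is caught.
    tampered = copy.deepcopy(sealed)
    tampered["record"]["dose_mg"] = 5000
    tampered_ok = verify(tampered)

    # A tag recomputed without the key (plain SHA-256) does not verify either.
    forged = {
        "record": tampered["record"],
        "tag": hashlib.sha256(canonical(tampered["record"])).hexdigest(),
    }
    forged_ok = verify(forged)
    return intact_ok, tampered_ok, forged_ok


if __name__ == "__main__":
    print("intact, tampered, forged ->", demo())
```

The canonical encoding step matters as much as the HMAC: if two serializations of the same record differed in key order or whitespace, legitimate records would fail verification and staff would learn to ignore the alarm.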

Features of Medical Tablets That Ensure HIPAA Compliance

So, when we talk about the features of the medical tablets that ensure HIPAA compliance, we are primarily concerned with the Technical Safeguards of the HIPAA Security Rule provisions.

Encryption

The HIPAA Security Series Guidelines require covered entities to “consider the use of encryption” for e-PHI in transit. Encryption of data at rest is not mandatory; whether to implement it depends on the risk assessment.

End-to-end encryption ensures the data in transit is protected against data breaches and man-in-the-middle attacks, according to HIPAA Journal. Technology based on end-to-end encryption helps providers avoid HIPAA violations.

HIPAA-compliant medical tablets are Windows or Linux-based, which enables support for full disk encryption for data at rest, & implementation of end-to-end encryption programs for data in transit. Furthermore, Windows medical tablets have USB 3.0 and USB 2.0 ports and can encrypt data on external storage devices just like your normal desktop computers would.

One of the glaring security holes in consumer grade mobile devices is the text messaging and consumer chat apps medical staff use to communicate with patients and colleagues. Sending e-PHI details in a text message is a direct violation of the HIPAA Security Rule. Skype, WhatsApp or Hangouts lack the necessary protections for a secure data transfer, despite claims of encryption. Medical professionals must implement secure communication programs with end-to-end encryption, preferably from trusted, zero-knowledge providers.

Data Access

HIPAA requires the implementation of technical policies and procedures that allow access to PHI to authorized staff only. Medical tablets have access control mechanisms that enable advanced user authentication. Moreover, these mechanisms are easy to use, which matters because end users tend to bypass any technical procedure they find difficult, time-consuming, or otherwise an obstacle to their productivity.

Multi-factor authentication in medical tablets is supported by RFID with Imprivata Single Sign-On, a biometric scanner, a Smart Card or CAC reader, and a Kensington lock. Multi-layered access controls reduce the risk of unauthorized data access. Medical staff can safely leave the device in the hospital’s public areas, such as corridors or patient rooms, and rest assured the confidential data is locked.

Data Integrity

According to HIPAA, any e-PHI stored on a mobile device (or transmitted from it) must be protected against unlawful tampering or destruction. Mobile devices used to store or transmit e-PHI in healthcare must have features that allow them to be audited for access to e-PHI, including access attempts, and for other activity that could potentially affect data security.

Medical tablets can be configured to enable remote device management, giving IT admins full control over the data stored on and transmitted from them. IT admins can push system and software updates and patches remotely, or troubleshoot issues without having physical access to the device. They can set up the device so that a complete log of data access and failed login attempts is kept for review. They can wipe the device remotely, should it be lost or stolen. They can monitor network activity and spot suspiciously large upload or download volumes to or from unfamiliar servers.
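The paragraph above says the device log of failed logins should be kept for review and that admins should watch for suspiciously large transfers to unfamiliar servers; the audit-controls bullet in the Technical safeguards list asks for the same. The code below is an added example of that review, not code from the original article or from any tablet vendor’s management software: it reads constructed key=value audit lines, raises one alert per device/user pair that accumulates five failed logins inside a five-minute window, and flags uploads above a size threshold to any destination outside a known-hosts set. The log format, field names, host names and thresholds are all assumptions made for this example.

```python
"""Review of a medical tablet's audit log for two signals named in the text:
bursts of failed logins on one device, and unusually large uploads to hosts
outside the facility's known set.

Added illustrative example; the log format, field names, hosts and thresholds
are constructed and do not come from any vendor's product.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not a real device's output).
SAMPLE_LOG = """\
2016-03-04T08:12:01Z device=MT-017 user=jdoe event=login result=FAIL
2016-03-04T08:12:09Z device=MT-017 user=jdoe event=login result=FAIL
2016-03-04T08:12:15Z device=MT-017 user=jdoe event=login result=FAIL
2016-03-04T08:12:22Z device=MT-017 user=jdoe event=login result=FAIL
2016-03-04T08:12:30Z device=MT-017 user=jdoe event=login result=FAIL
2016-03-04T08:13:02Z device=MT-017 user=jdoe event=login result=OK
2016-03-04T09:01:00Z device=MT-022 user=asmith event=login result=FAIL
2016-03-04T09:05:00Z device=MT-022 user=asmith event=login result=OK
2016-03-04T09:20:00Z device=MT-022 user=asmith event=upload bytes=2048000 dest=ehr.hospital.example
2016-03-04T09:41:00Z device=MT-017 user=jdoe event=upload bytes=734003200 dest=files.unknown-host.example
2016-03-04T10:02:00Z device=MT-005 user=bnguyen event=record_access patient=P-000123 result=OK
"""

# Hosts the facility expects e-PHI to flow to (constructed placeholder names).
KNOWN_HOSTS = {"ehr.hospital.example", "pacs.hospital.example"}


def parse_line(line):
    """Turn one 'timestamp key=value ...' line into a dict with a datetime 'ts'."""
    parts = line.split()
    event = {"ts": datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")}
    for kv in parts[1:]:
        key, _, value = kv.partition("=")
        event[key] = value
    return event


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def failed_login_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """One alert (device, user, first_ts, last_ts) per device/user pair whose
    failed logins reach `threshold` inside a sliding `window`."""
    recent = defaultdict(deque)   # (device, user) -> timestamps of recent failures
    alerted = set()
    alerts = []
    for e in events:
        if e.get("event") != "login" or e.get("result") != "FAIL":
            continue
        key = (e["device"], e["user"])
        q = recent[key]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append((key[0], key[1], q[0], q[-1]))
    return alerts


def suspicious_uploads(events, known_hosts=KNOWN_HOSTS, byte_threshold=100 * 1024 * 1024):
    """Uploads at or above `byte_threshold` whose destination is not a known host."""
    return [
        (e["device"], e["user"], e["dest"], int(e["bytes"]))
        for e in events
        if e.get("event") == "upload"
        and int(e.get("bytes", 0)) >= byte_threshold
        and e.get("dest") not in known_hosts
    ]


def review(text=SAMPLE_LOG):
    """Run both checks over a log text and return the findings."""
    events = parse_log(text)
    return {
        "failed_login_bursts": failed_login_bursts(events),
        "suspicious_uploads": suspicious_uploads(events),
    }


if __name__ == "__main__":
    for kind, hits in review().items():
        print(kind)
        for hit in hits:
            print("   ", hit)
```

On the sample data the single failed login on MT-022 is not reported, which is the point of the sliding window: a mistyped password is normal, five in a row within minutes is not. The upload check deliberately keys on both size and destination, so routine large transfers to the EHR host stay quiet while a comparable volume to an unfamiliar host is surfaced for a human to look at.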

IT admins can block or disable certain OS features, and whitelist or blacklist programs, to protect the confidentiality of e-PHI from inadvertent exposure by end users. For example, disabling automatic connection to any available Wi-Fi network keeps devices from joining insecure public networks.

From ad-block browser extensions to firewalls and sandboxing, Windows supports the full list of security measures an IT admin can deploy on a device. With Windows 10, the security features have advanced even further.

Windows makes the use of password managers easy, since most enterprise programs are developed for Windows. Also, administrators can disable access to the app store, so that users cannot download and install unauthorized applications or games. Alternatively, they can block every application except those on an authorized list from accessing the Internet.

Medical tablets give admins the means to scan them for malware and other malicious code, install antivirus software, and perform regular and random scans. When an employee leaves or is dismissed, admins can promptly terminate their access to PHI.