The past decade has brought a massive influx of mobile technology into the workplace, first via corporate device programs and now through personal device policies (a.k.a. BYOD). If Forrester has it right, some 200 million workers will bring their own mobile devices into the workplace next year.
In healthcare, the mobile revolution has been slower, but still prominent. According to a recent survey by HIMSS, almost 70 percent of clinicians now use a mobile device to view patient information, and 36 percent use one to collect bedside data. In hospitals and care facilities, doctors often use smartphones, tablets, or laptops to access EHR (electronic health record) data, look up clinical and prescription information, communicate with other care staff, and record care data. About a third of clinicians say that mobile devices increase care efficiency and have a positive impact on the overall quality of care. In the video below, PricewaterhouseCoopers (PwC) discusses the future of mobile technology and healthcare, which they refer to as “mHealth.”
The combination of mobile technology and sensitive data is troubling for security experts, especially where “bring your own device” (BYOD) policies are involved. But the stakes are even higher in healthcare, where a data breach (or even careless data management) can constitute a HIPAA violation.
Healthcare Security Challenges
The U.S. Department of Health and Human Services keeps an archive of every health data breach that has affected 500 or more patients, colloquially referred to as the “Wall of Shame.” A brief inspection of this archive will reveal a high percentage of breaches traced to “other portable electronic device[s]” in recent years. In many of these cases, mobile data was a target for cybercrime because the provider had failed to implement proper security measures and training.
Mobile technology creates a number of new risks for the healthcare industry. If you’re an IT manager at a hospital, independent practice, or care facility, here are some initial questions to consider:
- Are your devices secure?
- Do they limit PHI access to authorized parties?
- Are communications between devices secure?
- Can emails and file transfers be intercepted over Wi-Fi or Bluetooth?
- Do employees download questionable third-party applications on their work devices?
- What do you do if a device is lost or stolen?
Some 98 percent of IT professionals are concerned about the workplace impact of mobile devices, but less than half plan to use a central management solution for security and control. In part, this reflects the youth of mobile technology. It may take some time for standardized security measures to catch up with mobile innovation, but smart care providers will take action now to avoid costly incidents in the future.
The Importance of Mobile Device Management
For starters, healthcare organizations should create a formal device policy that educates staff on security risks and best practices. But a written policy alone isn’t enough to protect your patients’ health data as it travels between numerous devices. For that, you’ll need a mobile device management (MDM) solution.
MDM software gives IT managers central control of devices in a corporate network, including device data, security, applications, web activity, and data transmission (depending on how the system is configured). It lets facility staff enjoy the versatility and efficiency of mobile devices without putting corporate or patient data at risk.
Here are four elements of MDM that are particularly useful in healthcare:
- Device security: Protect devices from unauthorized access by enforcing lock screen passcodes, installing mobile malware detection software, and setting up device-level encryption. Many solutions also offer built-in messaging platforms so users can send secure messages (to colleagues and patients) without risking over-the-air interception.
- Remote management: In the event that a device containing PHI is lost or stolen, you can erase the data or lock the device until it is found. Some systems may give you the option to erase only clinical data, rather than wipe the whole device.
- Application control: If an outside app is tainted by malicious code, it can siphon data from other apps on the device, which (again) jeopardizes patient data. Application control lets you decide which apps to permit and which to blacklist or disable. In addition, you can use “containerization” to partition an area of each device for dedicated work-use; that way, untrusted third-party apps are kept separate from, say, your EHR mobile app.
- Reporting: Finally, MDM reporting tools give you real-time visibility into your organization’s mobile environment, including device status, user information, log-in attempts, and compliance with password policies.
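To make the four elements above concrete, here is an added example (not code from the original article or any MDM vendor) that evaluates a constructed device inventory against them: passcode and encryption enforcement, a blocked-app list, failed log-in reporting, and the lock-or-wipe decision for a lost device. The record fields and the blocked-app identifiers are assumptions, not a real MDM schema.

```python
from dataclasses import dataclass, field

# Constructed block list; a real deployment would pull this from the MDM console.
BLOCKED_APPS = {"com.example.freegames", "com.example.unknownsync"}

@dataclass
class Device:
    device_id: str
    user: str
    passcode_set: bool
    encrypted: bool
    reported_lost: bool
    has_phi_apps: bool  # holds an EHR or other clinical app
    installed_apps: list = field(default_factory=list)
    failed_logins_24h: int = 0

def check_device(d: Device) -> dict:
    """Return compliance findings plus the action an administrator should take."""
    findings = []
    if not d.passcode_set:
        findings.append("no lock-screen passcode")
    if not d.encrypted:
        findings.append("device-level encryption disabled")
    bad = sorted(set(d.installed_apps) & BLOCKED_APPS)
    if bad:
        findings.append("blocked apps installed: " + ", ".join(bad))
    if d.failed_logins_24h >= 5:
        findings.append(f"{d.failed_logins_24h} failed log-in attempts in 24h")
    if d.reported_lost:
        findings.append("reported lost or stolen")
        # Lost or stolen: erase PHI if the device holds it, otherwise lock it until found.
        action = "remote_wipe" if d.has_phi_apps else "remote_lock"
    elif findings and d.has_phi_apps:
        action = "block_phi_access"  # keep clinical apps off a non-compliant device
    elif findings:
        action = "notify_user"
    else:
        action = "none"
    return {"device_id": d.device_id, "compliant": not findings,
            "findings": findings, "action": action}

def compliance_report(devices: list) -> dict:
    """Summarise the fleet the way an MDM reporting dashboard would."""
    results = [check_device(d) for d in devices]
    return {"total": len(results),
            "compliant": sum(r["compliant"] for r in results),
            "actions": {r["device_id"]: r["action"] for r in results if r["action"] != "none"}}

if __name__ == "__main__":  # constructed two-device fleet
    print(compliance_report([Device("tab-01", "dr.smith", True, True, False, True, ["com.example.ehr"]),
                             Device("phone-02", "nurse.lee", False, True, False, True, ["com.example.freegames"])]))
```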
Your Buying Decision
There are a few important things to consider when you’re shopping for MDM software. First, platform compatibility. Some solutions are only built to support a specific operating system (Android, iOS, Windows Phone, BlackBerry). That’s fine if all of your staff use the same corporate devices, but if they bring their own, you’ll need a more inclusive option that works with multiple operating systems.
Next, you should evaluate how MDM fits into your larger IT infrastructure. If you’re a small practice, you may not have any kind of centralized IT, which means you can probably consider a standalone solution — something simple, affordable, and low maintenance. Larger health organizations like hospitals and insurance providers, on the other hand, will have more devices, more users, and multi-level, multi-site needs that call for closer coordination. Instead of a discrete MDM solution, this may warrant an IT management suite that includes MDM alongside other integrated tools for configuration management, helpdesk ticketing, and security.
Mobile technology is a mixed bag for healthcare. By freeing clinicians from desktop computers and paper-based workflows, it increases care efficiency and improves the patient experience. But it also presents new attack surfaces and risks to patient data. That’s why you can’t afford to be passive about mobile device management. Create a clear policy that defines HIPAA-compliant use, and back it up with an MDM solution to enforce and monitor security.