March 10, 2015

Safety policies, data protection needed for BYOD in health care


Bring your own device technology improves patient outcomes and saves money for hospitals by allowing physicians to use their own mobile devices to access, collect, share and store patient information within the palm of their hands, but with these advantages come cybersecurity risks.

There is also a need for mobile device management policies that comply with the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act, according to a study published in the Journal of Hospital Librarianship by Jennifer E. Moyer, BSN, RN, of the Simmons College Graduate School of Library and Information Sciences, and colleagues. It is currently estimated that more than 85% of U.S. health care professionals bring their own device to work, according to a recent Healthcare Information and Management Systems Society (HIMSS) study.


“Many challenges are associated with BYOD policies, but some issues can be resolved by setting expectations, ongoing education and putting reinforcement mechanisms in place,” Moyer told Healio.com in an interview. “The upcoming Meaningful Use Stage 3 rules are expected to increase patient engagement. For example, health apps and wearable technology can be leveraged to provide a comprehensive picture of what patients are doing outside of their health care provider’s visit. Safeguarding patient data needs to be a top priority for healthcare organizations if patients are going to entrust them to collect, use and store it.”

According to William Van Doornik, MS, RHIA, executive consultant for Beacon Partners, significant changes are beginning to emerge with patient-facing technology.

“A lot of this is coming from mobile technology,” he said during a live webinar, Integrating Patient-Generated Health Data into the EHR. “It’s not so much the issue that technology is emerging, it’s really already here and is rapidly evolving as it is emerging. The challenge is really how we deal with this new technology.”   

Benefits of BYOD

In a 2009 study that included a systematic review of 13 studies of mobile device use among physicians, Prgomet and colleagues found that mobile devices actually improved patient outcomes as physicians were able to access patient information rapidly at the bedside, which helped prevent medication errors.

“Advantages of mobile devices stem from their ability to deliver ‘the right information about the right patient at the right time in the right place.’ Traditional physician workflow systems lack such comprehensive benefits,” Moyer wrote in her study. “Desktop computers are tethered to a site and do not allow mobility to different patient locations. Likewise, mobile paper charts lack real-time accessibility features to databases that contain a wide scope of historical and current patient data.”

Moreover, personal devices allow easy, fast access to the most current research and studies, which helps facilitate the adoption of evidence-based medical practice, according to the paper.

Hospitals that allow physicians to BYOD also save on costs, as they do not have to provide the devices and keep up with the most recent device upgrades, warranties and repairs.

“Since technology evolves at least every 6 months, it is not practical for hospitals to provide devices for employees. The constant upgrades and expenses associated with maintenance and management would be too costly for the organization over time,” Moyer said.


Theft and loss

Despite the advantages of BYOD in the health care setting, there are also significant risks associated with personal mobile device use.  

“Currently, many industries are going through a lot of growing pains managing and mitigating risk when it comes to BYOD loss, theft and mismanagement of the device,” Moyer said.

Risks can also occur in the form of a “rogue app” that extracts information from the device — such as location or patient contact information that may be on the device — or a virus on a personal laptop.

“The number one problem with the BYOD dilemma is apps that employees trust that are completely unmanaged,” Gary S. Miliefsky, cyber security expert and CEO of Snoopwall, told Healio.com. “Even with managed BYOD policies, apps that appear trustworthy are malicious, remote access Trojans and eavesdropping tools for criminals and even foreign nations.”


In her paper, Moyer mentioned one such situation that occurred at the Massachusetts Eye and Ear Hospital that resulted in a $1.5 million settlement. A physician’s unencrypted laptop that contained more than 3,000 patient records was stolen.

“This doctor probably thought he or she did all the right things — remote wipeout and password protection were used, but the device was not encrypted,” she said. “Although the incident happened years ago, a lack of encryption and other safeguards are still occurring in other healthcare settings, which puts them at risk of violating regulations. Risk assessments should be conducted to identify gaps.”

Cyber crime is a multi-billion dollar industry, Moyer said. EHRs are worth at least $50 to $75 per patient record on the black market. Patient records go for a higher premium since they contain more information than credit cards. There are incentives for criminal hackers to break into these systems, especially with multiple devices available.

Miliefsky said the number one thing that is overlooked is the antivirus scanner on devices.

“Imagine, the physician brings their device to the hospital and it contains a flashlight app, a weather app and all these different apps,” he said. “The antivirus scanner is usually a part of a ‘BYOD check-in’, where the device is brought to the hospital and it then goes under a ‘quarantined VLAN’ and while this is happening, meanwhile there are three ‘remote access Trojans’ running on the device. One of them is the flashlight app, another is the Bible app and another may be a QR code reader.”

According to Miliefsky, the top two ways to exploit an organization both involve spear-phishing attacks with remote access Trojans attached — this is how Sony Pictures was recently breached.

“We are finding that it is either breaching a trusted system that is already behind the network through spear phishing or it’s having the remote access Trojans already on a BYOD device. These are the two weak spots,” he said.

Texting with patients 

Text messaging between physicians and patients is now common.

“Texting has become increasingly popular, particularly with pediatric and adolescent clinicians who seek to connect their patients,” Moyer said. “You not only need to know how to communicate with children and adolescents, but also how to reach them and texting can be effective. Yet, there are considerable risks associated with texting. For example, children and adolescents may not be aware of the consequences of sharing their data and how that data can be used.”

Moyer said there are liability issues that may result from text messaging, as it is outside the confines of EHRs.

“There are certifiable, secure texting programs that physicians should look into (Tiger Text, Ping MD [Pingmd, Inc.] and Patient Reach Mobile [Solutionreach]),” she said. “Policies and protocols also need to be in place about use for patient and clinician protection.”

Need for policies

Despite best efforts, sensitive patient health information can still be compromised. Technology loss and theft can lead to millions in costs for hospitals and other health care settings. When it comes to BYOD in the health care setting, risk mitigation strategies and crisis resolution plans are a must, according to Moyer.   

“Plan for the worst case scenario. Despite doing due diligence, there is no ‘bullet proof vest’ to protect any organization 100%. Executives need to know how to influence clinicians’ behavior about their device use and management, as well as create risk mitigation and crisis resolution plans in the event a breach should occur,” she said. “Managing security is not just an IT issue, but also presents public relations, training and legal challenges.”   

Moyer recommends that device passwords be at least 11 characters long, because short passwords are easily cracked. She also recommends encryption and a remote wipe feature, which lets the user erase the data on a mobile device remotely when it is lost or stolen.

“There are published guidelines and documents available, as well as the Safety in Innovations Act from the FDA, [Federal Communications Commission] and [The Office of the National Coordinator for Health Information Technology],” Van Doornik said. “This was developed with the intent of providing an overall strategy for regulation by federal organizations without stifling innovation.”

There are also various websites that offer reviews of trusted apps for the health care industry, he added.       

“The security problem is only going to get worse. It all goes back to a lack of intelligence and training about security,” Miliefsky said. “Organizations need to educate their employees on what is a spear phishing attack (comes as an SMS message on your phone/email) and what is a remote access Trojan (attachments or they are already on the smart phone or tablet). Devices need to be cleaned and we need to understand how these remote access Trojans get in.” – by Jennifer Southall

References:

Doornik WV. Integrating Patient-Generated Health Data into the EHR. Beacon Partners. Available at: http://www.beaconpartners.com. Accessed March 4, 2015.

Moyer JE. J Hosp Librar. 2013;doi:10.1080/15323269.2013.798768.

Prgomet M, et al. J Am Med Inform Assoc. 2009;doi:10.1197/jamia.M3215.