Mobile use in healthcare has long been a double-edged sword. Personal devices give doctors access to healthcare data anytime, anywhere. Yet they also leave organizations vulnerable to numerous privacy and security risks and pose major IT headaches.
Once the elephant in the room, texting patient information is now the norm in healthcare. Earlier this month, the Centers for Medicare & Medicaid clarified its position on texting patient information among members of healthcare teams. Texting patient orders is now permitted in hospitals and critical access hospitals when done through a HIPAA-compliant secure platform in accordance with CMS eligibility rules, the agency said.
Michael Trzcinski, vice president of IT, cybersecurity and facility operations at Alliance Clinical Network, a group of sites engaged in Phase I-IV research studies on major hospital campuses, and Vernon O’Donnell, president of field operations at Hypori, will discuss secured virtual device management at the HIMSS24 Global Conference and Exhibition.
They will discuss the latest mobile cyber risks in healthcare and the role of virtual mobility solutions, comparing traditional solutions with new BYOD considerations. Participants will also gain a better understanding of how to defend against phishing and malware attacks, which often lead to ransomware, they said.
This session will be especially fruitful for healthcare IT decision makers who need to understand the critical role of compliance and security in protecting ePHI. It will reveal how they can improve patient care without sacrificing user privacy and productivity, while mitigating cyber risks. –The Alliance Clinical Network
Q. What are the benefits of broader mobile access to critical patient data within healthcare?
O’Donnell. Key benefits of broader mobile access to healthcare include greater flexibility and productivity.
By enabling secure access from any mobile device, healthcare professionals can retrieve critical information on the go, improving responsiveness and efficiency. Furthermore, it helps streamline workflows and reduce administrative and IT burdens.
Trzcinski. Mobile access not only helps us improve patient care by facilitating secure real-time collaboration and coordination between teams, but also gives patients the ability to access their health information anytime, anywhere.
Furthermore, it gives us a competitive advantage over other providers as we offer more patient-focused and efficient services, attracting and retaining patients in an increasingly competitive market.
Q. What are the risks to user privacy when healthcare workers bring their devices into their patient care workflows?
O’Donnell. Traditional mobile access solutions, such as carriers, that force employees to use a device with mobile device management software or issue a secondary corporate device pose many risks to user privacy due to the following factors:
- Data leakage. This could be due to the device being stolen or lost without the ability to remotely wipe user data. The potential to expose sensitive patient information is extremely high.
- Device compromise. Devices without secure access are at greater risk of being exposed to malware and other cyber threats.
- Compliance concerns. It has become more difficult to ensure data privacy and security.
By offering a secure virtual device, healthcare providers don’t have to worry about carrying two phones, data leakage or compromise because no data remains on the device. There is also no data in transit, so traditional exposure risks are eliminated.
From a user privacy perspective, there is 100% data separation between the personal device and the virtual device, so the user’s information is always protected.
Trzcinski. After a thorough evaluation, we concluded that the risks of other mobile solutions were too great. Despite considering MDM technology, concerns about HIPAA compliance and the potential for data exposure on lost or stolen devices persisted.
Spending on company equipment turned out to be prohibitively expensive.
We also had to consider a high-level executive’s personal phone being stolen and cloned, so we knew we needed a proven and secure solution.
Q. What are some strategies to ensure HIPAA compliance on mobile devices?
O’Donnell. Two strategies include deploying access controls and virtualization. Implementing strong access controls, such as multi-factor authentication and role-based access, can prevent unauthorized access to patient data and maintain HIPAA compliance.
With virtualization, no data is at rest or in transit, protecting ePHI and limiting unauthorized access.
Trzcinski. One concrete way to ensure HIPAA compliance on mobile devices is to develop a formal BYOD policy.
By developing and enforcing strict policies, we can ensure employees are protected and understand their responsibilities, as well as how to properly use designated technology solutions to ensure compliance.
O’Donnell and Trzcinski’s session, “Unlocking the Mobile Future of Healthcare: A HIPAA Compliant BYOD Use Case,” will take place on Wednesday, March 13, 12:15-12:35 p.m., in the Cybersecurity Command Center, Theater B, at HIMSS24 in Orlando.
Andrea Fox is editor-in-chief of Healthcare IT News.
Email: afox@himss.org
Healthcare IT News is a HIMSS Media publication.