As the technology used in the healthcare industry continues to broaden, security is struggling to keep up. For example, more healthcare organizations like primary care physicians, dentists, eye doctors, and specialists are using mobile devices like tablets and smartphones in their day-to-day operations. Of course, this mobilization of patient data creates increased security risk at a time when healthcare data has become extremely valuable to online attackers. To manage that risk, there are certain steps you should take when introducing mobile devices into your healthcare practice.
Assess the Risks
Before you decide to use tablets and smartphones in your practice, you need to evaluate your situation and decide whether the potential benefits outweigh the risks. Some of the benefits of mobile devices are that they give employees instant access to a patient's information, so you can see more patients more quickly while increasing the time you actually spend with each one. You will spend less time entering data and performing clerical work. Your patients will also be better served when the most up-to-date healthcare information is at your fingertips during their visit.
However, the risks of a mobile device strategy include losing the device, having the device stolen, accidentally downloading malware or viruses, unintentionally sharing data with the wrong parties, and using an unsecured wireless network.
If you decide to start using mobile devices, you will need to tread carefully in order to maintain security and remain HIPAA compliant. Have an experienced IT company complete a risk assessment of your organization. During the assessment, they will identify which mobile devices need to communicate with the office's internal network, determine what kind of information is being accessed, stored, and transmitted over the network or over wireless, and then check whether you are HIPAA compliant.
Implement Policies and Procedures
More often than not, security breaches happen because of employee error. This is why it is crucial to have written policies and procedures for the use of mobile devices in your healthcare organization and to actually implement those policies. Employees need to know what they can and can’t do on mobile devices. They need to know where the mobile devices can be taken and where they should be stored.
A mobile device management strategy will answer the following questions:
- How many mobile devices are being used?
- What mobile devices are being used?
- Who gets to use the devices?
- Can employees bring their own device (BYOD)?
- Should personally owned devices be connected to the internal network?
- Who is responsible for maintaining security and updates on the devices?
- Can employees use the mobile device while away from the physical office?
- Will your organization issue standard configuration and technical controls on all of the devices?
- What kind of information can be stored on the device?
- Can employees and providers download apps? If so, what kind?
- What happens when someone misuses a mobile device?
- What happens if the device is stolen? Can it be wiped remotely?
- How are staff members and providers being trained in the use of mobile devices?
Once a mobile device strategy has been created, it needs to be enforced. Ongoing training of staff members and providers will ensure that everyone in the organization is on the same page.
Follow Practical Security Tips
- Make sure that all mobile devices require a password or passcode in order to gain access. Also, make sure that the device locks automatically after a set period of inactivity, so if it gets left somewhere an unauthorized user can't access it.
- Always use encryption when sending or storing health information. Some devices have built-in encryption capabilities; if not, you can purchase encryption tools.
- Use a personal firewall on each device. A firewall works by blocking incoming connection attempts and only allowing those that match a defined set of rules.
- Make sure the device can be remotely disabled or wiped should it become lost or stolen.
- Use antivirus software on the devices to protect against malware, ransomware, spyware, and other malicious threats.
- Update the devices on a regular basis so they receive the latest security patches.
- Only allow the installation of approved mobile applications, and research each app thoroughly before approving it. Some apps are actually malware in disguise.
- Physically store devices in a safe place and keep them locked up when not in use.
- Don't connect devices to public Wi-Fi. Public Wi-Fi can be very insecure and easy to attack. When data is transmitted over public Wi-Fi (rather than the internal network), it is simple for someone on the same network to intercept the transfer and steal the data.
- When you decide to recycle or dispose of a device, use software that thoroughly wipes it. Health information or other sensitive data left on a mobile device could easily fall into the wrong hands.
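The controls in the list above, together with the "standard configuration and technical controls" question from the policy section, can be checked mechanically against an inventory exported from a device-management tool. The following Python script is an added example and is not code from the original article: it audits a constructed device inventory against assumed policy values (a 5-minute lock timeout, a hypothetical minimum OS version of 17.2, and a small app allowlist) and reports which devices fail which control, so that non-compliant devices can be kept off the internal network until they are fixed.

```python
"""Audit a mobile device inventory against a written device policy.

Added example (not from the original article). The inventory fields,
the policy values and the device records are all constructed for
illustration; a real practice would export this data from its MDM tool.
"""
from __future__ import annotations

# Policy values are assumptions standing in for a practice's written policy.
POLICY = {
    "max_auto_lock_minutes": 5,          # screen must lock within 5 minutes
    "min_os_version": (17, 2),           # hypothetical minimum patched version
    "allowed_apps": {"ehr-client", "secure-messaging", "mfa-authenticator"},
}

# Constructed sample inventory, shaped like an MDM export.
INVENTORY = [
    {
        "device_id": "tablet-01",         # practice-owned, fully configured
        "owner": "front-desk",
        "passcode_required": True,
        "auto_lock_minutes": 2,
        "storage_encrypted": True,
        "remote_wipe_enrolled": True,
        "firewall_enabled": True,
        "antivirus_enabled": True,
        "os_version": (17, 4),
        "installed_apps": {"ehr-client", "secure-messaging"},
    },
    {
        "device_id": "phone-07",          # a BYOD phone with several gaps
        "owner": "dr-smith",
        "passcode_required": False,
        "auto_lock_minutes": 30,
        "storage_encrypted": False,
        "remote_wipe_enrolled": False,
        "firewall_enabled": True,
        "antivirus_enabled": False,
        "os_version": (16, 1),
        "installed_apps": {"ehr-client", "free-flashlight"},
    },
]


def audit_device(device: dict, policy: dict = POLICY) -> list[str]:
    """Return the list of policy findings for one device (empty means compliant)."""
    findings = []
    if not device["passcode_required"]:
        findings.append("no passcode required")
    if device["auto_lock_minutes"] > policy["max_auto_lock_minutes"]:
        findings.append(
            f"auto-lock {device['auto_lock_minutes']} min exceeds "
            f"{policy['max_auto_lock_minutes']} min"
        )
    if not device["storage_encrypted"]:
        findings.append("storage not encrypted")
    if not device["remote_wipe_enrolled"]:
        findings.append("not enrolled for remote wipe")
    if not device["firewall_enabled"]:
        findings.append("personal firewall disabled")
    if not device["antivirus_enabled"]:
        findings.append("antivirus not installed")
    # Version tuples compare element by element, so (16, 1) < (17, 2).
    if device["os_version"] < policy["min_os_version"]:
        ver = ".".join(map(str, device["os_version"]))
        findings.append(f"OS {ver} below minimum patched version")
    unapproved = device["installed_apps"] - policy["allowed_apps"]
    if unapproved:
        findings.append("unapproved apps: " + ", ".join(sorted(unapproved)))
    return findings


def audit_inventory(inventory=INVENTORY, policy=POLICY) -> dict[str, list[str]]:
    """Map each device_id to its list of findings."""
    return {d["device_id"]: audit_device(d, policy) for d in inventory}


def noncompliant_devices(inventory=INVENTORY, policy=POLICY) -> list[str]:
    """Device ids that should be kept off the internal network until fixed."""
    return [dev_id for dev_id, f in audit_inventory(inventory, policy).items() if f]


if __name__ == "__main__":
    for dev_id, findings in audit_inventory().items():
        print(f"{dev_id}: {'OK' if not findings else 'FAIL'}")
        for finding in findings:
            print(f"  - {finding}")
```

Running the script prints one line per device followed by its findings; in the constructed data the practice-owned tablet passes every check while the BYOD phone fails seven of them. The same functions can be fed a real MDM export once its fields are mapped onto the ones used here, which turns the written policy into a repeatable check rather than a one-time review.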