While tighter HIPAA security regulations going into effect this year may intimidate some healthcare organizations
in implementing wide-scale bring your own device (BYOD) programs, the NCH Healthcare System in Naples, Fla. has embraced it with open arms. In fact, BYOD practices are being encouraged to help the hospital make a total break from its paper-dependent past.
"As of July 15, 2013, all of our processes will be electronic," said NCH CIO Helen Thompson. "It is part of our journey to the digital hospital. There will be no more paper."
In response to new regulatory requirements, we are changing policies, technology and educational materials to enhance the security of mobile devices.
John Halamka, M.D.,
As BYOD in healthcare expands, new technology will be seen in plentiful supply, including mobile devices, especially personal smartphones, tablets and laptops. Mobile device security will be a centerpiece of the new policies that allow them.
NCH is just one of many healthcare facilities dealing with how to best protect patient data while also providing flexibility and convenience to workers who need access to it. And it doesn't get much more sensitive than patient records, which are protected by a host of state and federal health privacy regulations and consumer protection laws. All of that is putting the issue of mobile device and data security front and center.
As challenging as that is at face value, hospitals have added complexity when addressing mobile device security: Many of the people that need to carry mobile devices aren't employees, but affiliated physicians and per-diem nurses. Thompson said that only 100 of the 650 physicians affiliated with the two hospitals managed by NCH are employees.
BIDMC sharpens BYOD policies
Another medical center dealing with mobile device security and BYOD in healthcare is Beth Israel Deaconess Medical Center (BIDMC) in Boston.
"In response to new regulatory requirements, we are changing policies, technology and educational materials to enhance the security of mobile devices," BIDMC CIO John Halamka, M.D., wrote in an email. "We know that these new restrictions are a change in previous practices. The current HIPAA omnibus rule, enacted in March 2013, includes penalties of up to $1.5 million per year for privacy breaches. Hence the need to more tightly manage our mobile devices, email and remote-access capabilities."
For Beth Israel, those tighter controls vary according to the device and who manages it.
"Most iPads/iPhones/Android devices/BlackBerry devices are automatically encrypted when passwords are added," Halamka wrote. "Today, BIDMC requires encryption, password protection and autowipe after 10 failed passwords when Active Sync compatible devices attempt to retrieve email. Older devices that do not support these settings are blocked from retrieving BIDMC email."
Halamka's best mobile device security practices
The tight controls that BIDMC has put in place are among the best practices recommended by security experts. These include the following:
Governance. A governance policy outlines the rules and responsibilities around data access, device use and employee behavior. It informs employees what they are allowed and expected to do with their personal devices. It details the authority that IT has to restrict access to certain employees or mobile devices, to manage devices connected to the network and to wipe devices in the event of an emergency.
Communication. For employees to work toward better data security, they must understand the consequences of their actions. Your employees know how to do a lot with technology, but they often don't understand how it really works or what the downsides can be to any action. An informed employee will show more responsibility and take fewer risks with valuable or sensitive corporate data. Employee awareness can be thought of as the first line of defense.
Onboarding. This practice enables IT to register a user's device, validate the user's credentials and determine the device security protection.
Network access control. This enables the right workers to have access to the right data and email areas. Physicians would have access to patient data. Nurses might have a lower level of access. Line workers would be allowed access to the Internet only, blocked from accessing sensitive data.
Mobile device management (MDM). These applications give IT staff administrative control of a user's device, enabling the device to be monitored and audited. MDM products by themselves do not, however, block malware.
Encryption. Automated encryption can improve email security, while encrypting laptops and smartphones can protect data in the event that a device is lost or stolen. More importantly, it's a HIPAA safe harbor.
Desktop virtualization. In a desktop virtualization environment, virtual desktops are delivered to personal mobile devices, keeping the organization's data safe. High-end security apps can be installed on the virtual server to block online threats such as malware and viruses.
Remote wiping. When devices are lost or stolen, the organization needs the ability to remotely wipe the device clean of stored data.