There are some interesting security developments on the BYOD front that may present serious HIPAA challenges for healthcare delivery organizations. If you’re not following the story, I’ll give you the quick summary. Security consultant Trevor Eckhart discovered monitoring software from Carrier IQ on his Android-based smartphone. The software, which he could not disable, was placed there by the cellular carrier in an effort to monitor and enhance the end user experience. His testing revealed that the software was able to log keystrokes, URLs, GPS location and SMS text messages, amongst other items. All of the juicy information that is collected is encrypted and uploaded to the carrier or manufacturer for “analysis” – NICE!
The seriousness of the issue sparked a federal probe with Senator Al Franken sending a request to the software vendor, manufacturers and cellular carriers asking for specific details of the monitoring software capabilities and how the information collected is being used. Many of the responses received to date raised many more questions than they answered.
By the time you read this, the holiday season will be behind us. The second-longest post-holiday line, after the dreaded Toys-R-Us return line, is likely to be in front of the IS Support desk come “Monday Morning”. All the Cindy Lou Whos will be in line asking that their smart device be given access.
It will be interesting to see the statistics, but I suspect that in comparison to previous years, it’s highly likely that many more BYOD smartphones and tablets will enter the healthcare environment. One of the top care-abouts for CIOs is to provide rapid provisioning within their organization. This is great, but I often wonder if responding to the demand could result in cutting the proverbial corner without knowing it!
Given the need to deploy a wide variety of BYOD devices quickly and securely, the healthcare Chief Security Officer (CSO) certainly has their job cut out for them these days. The sheer volume of consumer devices entering the enterprise environment raises some serious questions as to their readiness, especially in regard to security and privacy – add ePHI and the responsibilities of covered entities and you have some significant reason for concern. Perhaps before a healthcare system adopts a BYOD policy, one should consider the ramifications of allowing the wide range of consumer devices (and contracted carriers) to access protected resources. I’d suggest that it’s certainly time to consider the use of an enterprise-ready device – one such as the Cisco Cius, where you can control key aspects related to maintaining security and enhancing the user experience.
Cisco Cius with AppHQ is an Enterprise Ready Tablet
First, with the monitoring software described, don’t assume that your security policy by itself is sufficient. Remember that this software, like others likely to follow, is a key logger. Such applications by definition capture each and every keystroke and button press regardless of the application or transport/network encryption being used. Many CSOs may incorrectly conclude data loss is impossible given the use of VPN technology. Likewise, some will conclude that their adoption of VDI assures that the data stays local to the healthcare system and not to the device. While partially true, we are effectively talking about keystrokes being logged. Clearly a physician WILL over time enter data that is classified as ePHI – all nicely collected and uploaded unknowingly to a 3rd party. Even SMS text messages sent or received by such a device are within scope!
My advice is to stay abreast of this developing story, and in the meantime, take the time necessary to fully understand the ramifications of allowing various devices (and carriers under contract) to access your protected resources. It’s no longer about robust authentication mechanisms, secure encryption and remote wipes – It’s now much more than that! Also remember that a device that is classified as “safe” today might not be in compliance after an OS upgrade or application install in the future. Taking accountability for the device and the applications being loaded onto it by either the user or carrier is YOUR business. Having a system in place that facilitates YOU being able to control the OS and the applications that are being installed on BYOD devices is a critical objective.
So make sure that the next time you’re planning a BYOD party that you recognize all the guests being invited – otherwise some valuables in the form of ePHI may be slipping out the back door!
Oh, how I wish tablets were around when I was providing patient care as a Registered Nurse on a busy surgical floor! I had a legion of patients, and masses of information to find and remember ‘in the moment.’ It seemed like I could never find the person or the equipment I needed fast enough.
Sometimes, the most practical option was to take pen to paper (or to my scrubs) to jot down a note, and then go find the information I needed in a chart, the EHR, or reference once I got back to the nurses station. Could I have delivered more timely, efficient and safer care if I had access to the information and data I needed at the patient’s bedside? You bet I could, and here’s how!
Tablets provide information access at one’s fingertips – especially at the patient bedside – helping doctors and nurses to render quick, safe and sometimes lifesaving care. This is echoed in Institute of Medicine (IOM) reports calling for direct care providers to have quick access to electronic references. Moreover, up to 70% of sentinel events in healthcare are caused by poor communications, according to a Joint Commission study (1995-2006). Given these findings, tablets offer a new and improved way to ensure patient safety because up-to-the-minute information and immediate communication are readily available where and when needed.
Tablets help save time by increasing mobility and productivity, reducing errors and keeping information readily accessible within the clinician’s reach.
Come on clinicians … no matter if you are a doctor, nurse, respiratory therapist, case manager, educator or another team member … surely you can think of all kinds of ways tablets could enable you to have the information you need when you need it. You and your patients will be all the happier and more satisfied for it.
I quickly came up with a short list of ways that tablets, one of several mobile devices, can make a difference for patient care delivery:
Workflow efficiencies by having access to information and data at the point of care
Real-time communication amongst team members while in different locations
BCMA and real-time drug interaction checking … possibility for a real-time pharmacy consult at the patient’s bedside via voice or video conferencing
My questions to you: Have you used a tablet to deliver patient care? If so, what has been your experience – is the tablet adding real value, or is it just “another toy”?
Historically, healthcare has had the reputation of being behind the technology curve; however, the next-generation worker is now driving the demand for the Bring Your Own Device business model.
“What? That’s crazy talk! How do I maintain a controlled secure environment?” exclaims the IT Manager.
This new age of social intelligence and the evolution of social networks and mobility bring the expectation of free choice among the work force. Workers are putting the pressure on organizations for interoperability between the enterprise network and the devices of their choosing.
Today the average person on the planet has 1.8 devices, with over 13 billion devices connected to today’s networks in total. By the year 2015 that number is expected to rise to 25 billion, equating to 3.47 devices per person.
After implementing electronic health records and operating on meaningful use, you may ask yourself – ‘now what’?
Now that your hospital or medical practice has an EMR, you are in a unique position to use this resource for research purposes beyond quality reporting. EMRs provide access to rich clinical data for research, along with several other secondary uses. They can provide a platform for clinical recruitment, and they have recently been recommended for documenting extreme situations and for evaluating devices and drugs, providing early information that helps identify side effects that may have been missed during clinical trials.
What additional secondary uses for EMRs have you seen in your medical practices and hospitals? Please share below and feel free to read more on this topic.