Technology
MOBILE DEVICES: Information Security in a Mobile World
Can your practice protect patient information on smart phones, tablets and laptops?
By Lisa Shaw, Brookville Pa.
Laurel Eye Clinic takes advantage of the latest in technology and security. From left: Louis D. “Skip” Nichamin, MD; Jolynn Cook, RN, COE, CASC; and Lisa Shaw, COE
Medical workforce demands are rapidly changing around the growth of new technologies. Today, we require more mobility and accessibility to patient information using mobile devices. As using these new platforms becomes easier and more essential, security issues for medical practices will be of paramount concern. For practices of any size, it can be a daunting task to protect patient information. When mobile devices are added, the risk of a breach in security is increased. While it is possible to have the ease of access both physicians and staff want while providing the security required, unique security safeguards are required to protect patient information.
With this piece, we’ll take a look at some of the risks and common errors of employing mobile devices and their respective preventative measures.
Recognizing security breaches
The Department of Health & Human Services (HHS) began tallying breaches in September 2009. As defined by HHS, a breach is an impermissible use or disclosure “that compromises the security or privacy of the protected health information (PHI) such that the use or disclosure poses a significant risk of financial, reputational, or other harm to the affected individual.” So far, HHS has posted 543 breaches, affecting more than 21.5 million people. Of those breaches, 86% involved the loss or theft of mobile devices.
Medical practice breaches occur almost daily. While the large ones garner the most attention, breaches of any size compromise patient information and must be reported to HHS on a yearly basis. Any breach that involves more than 500 patients must be reported to HHS immediately, and HHS will post the breach on its Web site. Additionally, if a breach involves more than 500 patients, you must notify the media: television, radio and newspaper.
There are many ways breaches can occur. For example: improperly shredded papers containing confidential patient information, misplaced or stolen backup tapes, a network that has been hacked from the outside, a staff member who steals information for personal gain, a computer that is not disposed of correctly, a wireless connection that is not properly secured, or a lost or stolen mobile device. Regardless of the method, breaches have a far-reaching impact for your practice.
Consequences of a breach
With the implementation of the HITECH (Health Information Technology for Economic and Clinical Health) Act in 2009, fines for breaches have increased. One-time violations carry a maximum penalty of $50,000. However, a repeat violation in the same year carries a maximum penalty of $1.5 million. Monetary fines are scaled according to the practice's knowledge of the potential for a breach. Under the HITECH Act, state attorneys general also have the authority to bring civil actions on behalf of residents for breach violations. HHS has levied fines of over $14.9 million since 2008. As you can see, a breach would have a devastating financial impact, not only because of the negative publicity for your practice but also because of the possible fines and civil penalties.
Most reported ePHI (electronic PHI) breaches involve mobile devices. External hard drives, USB devices and laptops are involved in many breaches; because of their portability, they are easily misplaced, lost or stolen, and they provide an easy target.
Gene Stiglitz, LPN, COT and Misty Kriebel, LPN, COA, OSA review electronic health records at Laurel Eye Clinic in Brookville, PA.
Preventing Breaches
Practice policies must be in place to address the use of mobile devices and the information stored on them. For example, a policy that prohibits saving patient information on a USB device would preempt any worries about the device being lost or stolen. If information must be saved somewhere other than your database, the safest process is to save it in a folder on your server.
The first step in preventing security breaches is to avoid storing patient data locally on mobile devices altogether. If you must save patient information on a mobile device, the device must be encrypted. With the EPM/EHR system our practice uses, no patient data is ever saved on any computer or mobile device. We save all data on the server; the computers and mobile devices only access the data. This leaves no patient information saved locally and eliminates the possibility of a security breach if a device is lost or stolen. The server room is secured with a door that remains locked at all times, even during business hours, and is accessible only by a very limited number of staff.
The next step is to assess how mobile devices are being used in your practice. Is the practice providing mobile devices, such as cell phones, that staff or physicians use to access corporate email? Are they using tablets or laptops to access patient information from home when on call? Are they using mobile devices in the clinic to access patient information? Are you providing mobile devices for your patients to enter information or check-in?
Once you have assessed how the devices are being used, your practice must determine whether they are being used in a secure manner. For instance, if staff or physicians use cell phones for corporate email, are the cell phones password protected? Requiring a password is an easy first step to protecting any data on the phone; without the correct password, the phone will not unlock. Do you require a screen auto-lock period? Most cell phones allow you to set the idle interval, typically between one and five minutes, after which the phone locks. Set the device to the lowest interval possible while still keeping the phone usable for staff or physicians.
Email on-the-go is a No-No
In our practice, it’s against policy for staff to configure personal cell phones to access corporate email unless given prior approval by the practice administrator. It had previously been discovered that some employees were accessing email from their personal devices. This is a huge security concern because of the nature of our corporate email and the very real possibility that patient information could be contained in these emails. When a staff member loses a personal phone, there is no requirement that they notify their employer, and if the cell phone wasn’t set up properly to begin with, there is no way to wipe the data from it.
Because of these security concerns, our employees are now unable to access work email on a personal device. To enforce this, changes were made to Active Directory so that corporate email cannot be set up for a user who does not have a corporate device.
Your team should research the availability of a remote wipe feature before purchasing any type of device for corporate use. This is essential in case a device is lost or stolen. With the correct setup, all data on a device reported lost or stolen can be wiped remotely within a very short period (even minutes), ensuring the data is no longer accessible. If the phone was turned off when it was lost, it will wipe when it is turned on again. It is important to note that you must perform the remote wipe before notifying the carrier to deactivate the phone: once service is cut off, the phone may never connect again to receive the wipe command.
In our practice, this nightmare became a reality. A cell phone was stolen at an airport while the user was on a business trip. Our policy states that immediately upon discovering their device was lost or stolen, the user must contact the IT manager. Fortunately, the phone was properly set up to allow a remote wipe and it was wiped within minutes. Taking the proper precautions, establishing policies and staff training prevented this incident from becoming a potential security breach.
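The password and auto-lock requirement, the corporate-device-only email rule and the remote wipe described above, as one added example that is not part of the article and not the Laurel Eye Clinic's own configuration. It assumes the practice's email runs on Exchange (2013 or later, or Exchange Online) administered from the Exchange Management Shell; the policy name, mailbox alias, device ID and notification address are placeholders.

```powershell
# Added example, not the article's or the clinic's own configuration.
# Assumes Exchange 2013+ / Exchange Online cmdlets; all names below are placeholders.

# --- 1. Device policy: password required, short auto-lock, encryption required ---
$policy = @{
    Name                         = "Clinic-Mobile-Policy"   # placeholder policy name
    PasswordEnabled              = $true      # phone will not unlock without a password
    AlphanumericPasswordRequired = $true
    AllowSimplePassword          = $false     # no "1234"-style codes
    MinPasswordLength            = 6
    MaxInactivityTimeLock        = "00:05:00" # lock after 5 idle minutes; lower if workable
    MaxPasswordFailedAttempts    = 10         # device wipes itself after 10 wrong passwords
    RequireDeviceEncryption      = $true      # data at rest on the device is encrypted
    AllowNonProvisionableDevices = $false     # devices that cannot enforce the policy are refused
}
New-MobileDeviceMailboxPolicy @policy

# --- 2. Corporate devices only ---
# Unknown devices are blocked organisation-wide; the IT manager is told of attempts.
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Block `
    -AdminMailRecipients "it-manager@clinic.example"   # placeholder address

# Each user gets the policy plus an explicit allow-list of the device IDs the
# practice issued; a personal phone has no entry and is therefore blocked.
$user = "drsmith"                                   # placeholder mailbox alias
$corporateDeviceIds = @("PLACEHOLDER-DEVICE-ID")    # from the issued device's partnership
Set-CASMailbox -Identity $user -ActiveSyncMailboxPolicy $policy.Name `
    -ActiveSyncAllowedDeviceIDs $corporateDeviceIds

# --- 3. Remote wipe of a lost or stolen device ---
# Do this before asking the carrier to deactivate the line: the wipe is queued on
# the server and executes the next time the device syncs.
function Invoke-LostDeviceWipe {
    param(
        [Parameter(Mandatory)] [string] $Mailbox,
        [Parameter(Mandatory)] [string] $DeviceId,
        [string] $NotifyAddress = "it-manager@clinic.example"   # placeholder
    )
    Get-MobileDevice -Mailbox $Mailbox |
        Where-Object { $_.DeviceId -eq $DeviceId } |
        Clear-MobileDevice -NotificationEmailAddresses $NotifyAddress -Confirm:$false
}

# Confirm the wipe was requested, sent and acknowledged by the device.
function Get-WipeStatus {
    param([Parameter(Mandatory)] [string] $Mailbox)
    Get-MobileDevice -Mailbox $Mailbox | Get-MobileDeviceStatistics |
        Select-Object DeviceId, LastSuccessSync,
                      DeviceWipeRequestTime, DeviceWipeSentTime, DeviceWipeAckTime
}

# Usage after a phone is reported stolen (placeholder values):
Invoke-LostDeviceWipe -Mailbox $user -DeviceId "PLACEHOLDER-DEVICE-ID"
Get-WipeStatus -Mailbox $user
```

The `DeviceWipeAckTime` column is the check worth watching after an incident: until it is populated, the phone has not yet connected and the wipe has not actually happened, which is why the article insists on wiping before the carrier deactivates the line.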
Passwords and Encryption
If physicians use tablet-type devices to access patient information from outside the office when on-call, these devices should also be password protected. They should also have a VPN (Virtual Private Network) connection set up. The VPN connection will ensure an encrypted connection between the device and your network from any Internet connection.
When setting up this feature, be sure to require users to enter the VPN password each time they log on. Do not configure it to log them on automatically. If automatic log-on is enabled, anyone using the device would have access to your network. When providing training to physicians, stress the importance of logging off the VPN connection when they are finished using it. In our practice, when using any device that can access patient information from outside the office, the user must use a password to log into the device, a password to access the VPN connection, a password to access the on-site terminal server and then a password to access the program that houses patient information. These multiple layers of security are a valuable method of protecting patient information from accidental or malicious access.
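The VPN profile the article calls for, with no automatic log-on, as an added example that is not the article's own configuration. It assumes on-call devices are Windows 8.1 or later with the built-in VpnClient module; the connection name and gateway address are placeholders, and the IKEv2/MSChapv2 settings are an assumed choice.

```powershell
# Added example, not the article's own configuration. Assumes a Windows 8.1+
# client with the built-in VpnClient module; names and addresses are placeholders.

# Profile for on-call devices: IKEv2, encryption required, no split tunnelling,
# and no -RememberCredential, so the user is prompted for the VPN password on
# every connection instead of being logged on automatically.
$vpn = @{
    Name                 = "Clinic-VPN"          # placeholder connection name
    ServerAddress        = "vpn.clinic.example"  # placeholder gateway
    TunnelType           = "Ikev2"
    EncryptionLevel      = "Required"
    AuthenticationMethod = "MSChapv2"
    AllUserConnection    = $true                 # one machine-wide profile, not per user
    Force                = $true
}
Add-VpnConnection @vpn

# Audit: list machine-wide profiles that cache credentials (automatic log-on) or
# split-tunnel, either of which weakens the layered-password approach.
# (Per-user profiles are checked the same way without -AllUserConnection.)
function Get-RiskyVpnConnection {
    Get-VpnConnection -AllUserConnection -ErrorAction SilentlyContinue |
        Where-Object { $_.RememberCredential -or $_.SplitTunneling } |
        Select-Object Name, ServerAddress, RememberCredential, SplitTunneling
}

# Remediate a machine-wide profile found by the audit.
function Repair-VpnConnection {
    param([Parameter(Mandatory)] [string] $Name)
    Set-VpnConnection -Name $Name -AllUserConnection `
        -RememberCredential $false -SplitTunneling $false
}

Get-RiskyVpnConnection | ForEach-Object { Repair-VpnConnection -Name $_.Name }
```

The audit function is the part to run periodically: a profile that a user has since switched to "remember my credentials" is exactly the automatic log-on the article warns against, and it is invisible unless someone looks.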
If staff or physicians use mobile devices in the clinic to access patient information, certain precautions must also be taken. Be certain your wireless connection is secure and requires a password to access. Again, be sure these devices are password protected and that the user logs off or locks them whenever the device will be left unattended. Never leave these types of devices in the exam lane with the patient. Each device should be accounted for at the end of each day and kept in a secure place.
Security Policies and Procedures
To ensure all members of your practice understand the security methods you have in place, policies and procedures should be developed. Require staff to read these policies and sign an acknowledgment that they understand and will comply with them. Annual security training for existing staff and orientation security training for new employees are required. When conducting security training, provide real examples of breaches and how they could have been prevented. Discuss the implications a breach would have on your practice and be sure to allow staff adequate time to ask questions. Education is key. The more aware the physicians and staff are of potential issues, the more careful they will be when using mobile devices.
Policies should describe as completely as possible the processes in place to secure ePHI. Staff must be held accountable for following these procedures. For instance, if your practice policy states that staff are not permitted to save patient information on USB devices and it is discovered that they have not followed the policy, the proper disciplinary action should be taken. Your IT policies should contain a sanction policy, which determines the consequences for violations of the security policies.
As much as we all like to think it won’t happen to us, breaches do occur. In order to protect practices, an ever-growing trend is to purchase a cyber-security insurance policy. These policies can be expensive; however, compared to the cost of a breach, it is a cost some practices are willing to incur. Estimates vary on the cost of a breach, but average estimates report $194 per patient record, according to the 2011 Cost of Data Breach Study by Ponemon Institute LLC. Policies can cover the cost of notification and of providing credit-monitoring services for affected patients, plus the cost of any investigation that may be necessary. Consider also any fines that may be assessed and the lost revenue your practice would experience from the negative publicity.
Be sure to read these policies closely before choosing a vendor. Be certain the wording is clear about what is covered and what is not. For example, you don’t want to discover after a breach that a poorly worded policy does not cover the cost of notification. If you have no experience reading these types of policies, it may be advisable to have the policy reviewed by an attorney experienced in cyber-security policies before signing.
Other Sources
A complete assessment of your current environment is necessary, especially if mobile devices have been introduced since your last risk assessment. There are many tools available to assist you in a comprehensive examination. A very helpful tool can be found at www.healthit.gov/providers-professionals/your-mobile-device-and-health-information-privacy-and-security. This site was developed by the Office for Civil Rights and the Office of the National Coordinator for Health Information Technology in 2012. It offers tips and guidance for determining whether your environment follows best practices with regard to security.
The way we practice medicine is changing rapidly. These exciting times provide us with more tools than ever to make patient care better and more efficient, but they also make security more challenging. With a proper assessment of our mobile environment and strict policies, we can continue to use the cutting edge of technology without compromising patient information.
Ms. Shaw is the Information Technology Manager at the Laurel Eye Clinic, which serves western and central Pennsylvania. She manages computer security and maintenance as well as the systems that collect and store patient information.