Protecting Health Information in the Era of Mobile Devices: The Practicalities & Problems of BYOD
I’m attending the mHIMSS Virtual Briefing: Securing Protected Health Information held today from 12PM ET-3:15PM ET online at HIMSSVirtual.org. The event features several sessions on the best practices for mobile device use, BYOD (Bring Your Own Device) policy and practice; secure use of social media; and secure provider-patient communication.
The virtual event focuses on the challenge of maintaining mobile security while taking advantage of new technology to more efficiently and cost-effectively track patient health, convert to EHRs, share patient information and more.
The first session is:
Protecting Health Information in the Era of Mobile Devices: The Practicalities and Problems of BYOD
12 PM-12:30 PM ET
Speaker: Adam H. Greene, JD, MPH, Partner, Davis, Wright and Tremaine, LLP
Co-Chair of DWT’s Health Information Practice
Former OCR Senior Advisor on HIT and Privacy
Description: While mobile computing platforms and devices have presented potentially lower costs and higher quality of service for healthcare businesses, the challenge still remains: 40 percent of security breaches occur today in relation to mobile devices.
- Overview of how health IT is being transformed by mobile device use.
- Assess the impact of the mobile platform on organizational privacy and security policies and procedures
- Identify best practices that healthcare providers can take to ensure PHI is secure with the use of mobile devices
Greene presented an example, partially speculative case study:
A doctor is presenting his research on a laptop (with PHI on it) in South Korea. While traveling, someone stole the doctor’s laptop. While no SSNs or esp. sensitive PHI was on laptop, it included LoJack technology, and when it went on the Internet, it was monitored and remotely wiped.
But what happened to the laptop before it went on the Internet? The hospital filed a breach report, and the OCR opened an investigation. After a breach, the OCR required documents from the hospital, including a copy of their risk assessment. They also asked a number of questions about the hospital…
OCR Questions Include:
- Where in the risk assessment do you address the risk of PHI going onto personal devices?
- What policies and procedures do you have regarding PHI going onto personal devices?
- What technical safeguards do you have to protect against PHI going onto personal devices?
After 1.5 million settlement with OCR, the hospital went into a three-year corrective action plan.
The moral of the story:
You can choose whether or not to have a BYOD policy, but you can’t choose whether to have a BYOD problem.
- Ignoring BYOD doesn’t make it go away
- The OCR expects a risk assessment to address risks of personal devices – they ask very detailed granular questions
- The risk management plan may include policy, procedures, training, inventory, technical controls, etc.
What BYOD approach works for your organization? (Based on risks you’re seeing, what kind of resources you have available…)
- Just prohibit the use of personal devices – set a policy of any PHI or confidential info on personal devices
- Train staff on the policy
- Include risk of ePHI on personal devices in the risk assessment/management plan
- Consider technical safeguards such as data loss prevention
- Consistently sanction violations
Benefits of Prohibiting BYOD
- Greater IT control of end devices – lock down devices so apps can’t be added without approval.
- Greater inventory control
- Standardization of end-user devices – making IT support easier
- Strong technical controls can allow greater control over PHI – data loss prevention can control where your PHI is located, keeping it all on enterprise devices
- Avoid issues of enforcing corporate policy on personal devices – can become problematic with wiping personal devices
Problems with Prohibition on BYOD
- Clinicians and others do not want to carry two phones
- Staff will gravitate to most effective form of communication, even if it violates policy – prohibiting texting on devices, although it’s the best form of communication between nurses, it will happen eventually despite violating policy
- Challenge of consistently applying sanctions
- Large risk of breach without strong technical controls
- Cost of providing enterprise‐owned devices – equipping everyone with a mobile device can add up
The Middle of the Road Solution
- Policy permitting ePHI on personal devices with appropriate approval – not just anyone can put PHI on any device. There should be a structured process in place for putting PHI on a device.
- IT ensures that device has authentication enabled, remote wipe enabled – password protected for authentication, and remote wipe based on lost or stolen devices, or even failed login attempts.
- Train staff on appropriate access, password requirements, and what to do if device is lost, stolen, or replaced – if upgrading, IT should wipe the device first
- Policy permitting ePHI on personal devices with appropriate approval
- Include use of personal devices in enterprise risk assessment and risk management plan
- Consider technical safeguards such as data loss prevention (to ensure ePHI is only going to approved devices)
Benefits of the Middle of the Road
- Workforce need only carry one device – much happier workforce
- Potentially lower costs by not furnishing mobile devices
Problems with the Middle of the Road
- Addressing inventory of devices is challenging – if it’s reasonable or appropriate. Consider what type of inventory you will have, and if you try to keep track of all approved devices.
- Dangers of other apps on device – What free software or applications are being downloaded, and can they potentially intercept data and send to third parties?
- Risk if staff do not follow password management policy – On a soft keyboard, good password management is particularly difficult.
- Challenge of enforcing policies (e.g., remote wipe) on personal devices – People likely will not want their personal devices wiped, even if stolen.
- Vulnerability if device is compromised before remote wipe occurs
Virtualization and Secure Tools
- Provide personal devices with virtual access to EHR, e‐mail, network files – only provide virtual access to applications, never put ePHI on the actual device
- Policy permitting use of personal devices to access ePHI only through appropriate methods – if you have virtualization, ensure that people know they should use that and not webmail that could temporarily put email on devices
- Consider whether to also add remote wiping and password requirements in case of data leakage onto devices
- Consider providing secure applications – Secure texting: There may be circumstances when you can text limited health information between clinicians, but the government typically looks down upon it. Look into secure texting options.
- Consider technical safeguards like data loss prevention to avoid ePHI going onto personal devices without appropriate knowledge
- Include personal devices in risk assessment and risk management plan
Benefits of Virtualization and Secure Tools
- Workforce need only carry one device
- Potentially lower costs by not furnishing mobile devices
- Keep ePHI centralized and more secure while allowing access – better grasp on where your PHI is located throughout the organization
- Provide tools that allow efficient work (e.g., texting) – you can potentially provide secure texting with a better idea of where information is going, and ensure that info is not being left on unprotected devices
Problems with Virtualization and Secure Tools
- Cost of virtualization and secure tools.
- What to do when staff need to work offline – will need to figure out how to let people work from a plane, or other place where they do not have Internet access
- Challenge of enforcing policies (e.g., remote wipe) on personal devices
- Data loss prevention – It will stop some PHI, it will mitigate risk, but it will not be perfect. With DLP, you can’t be entirely sure it will make its way out. DLP software can stop SSNs or keywords that indicate diagnostic information from being emailed or shared.
- Does all PHI on mobile devices need to be encrypted?
- The Security Rule makes it addressable; you must encrypt where appropriate and reasonable. You have to look at potential threats and risks in order to assess whether or not you need encryption. If you’ve got documentation showing it was reasonable not to encrypt certain information, you may have a case after a data breach. But certain information, such as SSNs, should be encrypted.
Everyone should figure out their own BYOD approach – what may work well for one organization may not work nearly as well for another organization. There are BYOD policies out there – mHIMSS.org, under /resource has a BYOD agreement that may be helpful for org to look at.
View a real case study of the use of a virtual environment to securely manage a BYOD environment without jeopardizing sensitive data, presented by Vice President and Chief Information Officer (CIO) Kirk Larson of the Children’s Hospital Central California: BYOD: From Concept to Reality
Healthcare Social Media