Risk managers and compliance professionals need to find a way to allow mobile device use in a manner that enhances productivity while, at the same time, securing the data being shared and ensuring the risks do not outweigh the benefits. Barbara Youngberg of Beecher Carlson investigates.
The explosion in the number of mobile devices, along with the many ways these devices can be used, is apparent in both personal and professional life. They enhance communication, facilitate business transactions, monitor fitness and diet, provide entertainment and perform a host of other services. In healthcare, mobile devices are becoming equally indispensable.
Mobile technology can enhance access to health information for providers and patients as well as assist in the provision and distribution of diagnostic and patient monitoring services. Mobile devices and related technology have created new ways for patients to interact with their providers and, in turn, ways that providers can interact with their colleagues. The goal of mobile technology use in healthcare is to seamlessly connect care experiences across the continuum and to facilitate communication during the many transitions in care.
According to the 2014 Mobile Devices Study by the Health Information Management Systems Society (HIMSS), by 2015 500 million smartphone users worldwide are predicted to be using a healthcare application. Almost 83 percent of the physicians who participated in a survey reported that they had downloaded at least one medical app. Another 33 percent of physicians and 75 percent of nurses reported that they used medical apps on smartphones daily as part of their work. Thirty-five percent of the responding hospitals reported that they offered medical apps to patients in the form of patient portals, telehealth services and various forms of remote monitoring.
Sixty-nine percent of providers most often use mobile technology to view patient information, while 65 percent report accessing web-based repositories and services to access healthcare information. Many organizations reported using mobile health for existing telehealth programs while others reported anticipating both expanding their electronic health record (EHR) technology and using mobile devices to enhance care across the continuum.
Risk managers, privacy and compliance professionals are tasked to find a way to allow mobile device use in a manner that enhances productivity while, at the same time, securing the data being shared through those devices and determining specific limits so that the risks do not outweigh the benefits.
What are the risks associated with mobile device use?
Many benefits can come from the use of mobile devices and many efficiencies can be created but, given the often highly private (and protected) nature of what is transmitted using these devices, there are also many risks. Without the existence of a secured network, which stores all of the information being shared, breaches in privacy can occur and can be very costly. Data breaches involving mobile devices are increasingly common.
According to Mobile Data Security: Best Practices for Securing Your Mobile Workforce, a white paper published by mobile software company Accellion, 80 percent of organizations experienced a mobile security incident in the past year, and 60 percent of those organizations experienced a loss of $100,000 or more. In most large organizations, the reported losses reached $500,000 or more.
According to information gathered by Varonis, a provider of access, governance and retention solutions, and published by SC Magazine, mobile devices, especially under bring-your-own-device (BYOD) arrangements, have posed significant risks for organizations. For example, the company found that:
- 50 percent of employees report that someone at their company has lost a device with important data on it;
- 22 percent said that the lost device had security implications for the organization; and
- 86 percent of employees are “device obsessed,” using their personal devices to work both day and night.
In another survey, Understand the State of Data Security and Privacy: 2013 to 2014 conducted by Forrester Research, IT security decision-makers whose organizations had a data breach in the past 12 months were polled and reported that 36 percent of the breaches occurred due to “inadvertent misuse by the insider”. Of interest in this category was the fact that, in the public sector and in the healthcare industry, inadvertent misuse by insiders jumped to 44 percent. Thirty-two percent of the breaches occurred due to loss and/or theft of the device, ranking it the second leading cause of breaches.
Systemic and strategic risk reduction strategies
In order to reduce the risk of mobile device data breaches and to optimize the use of these tools while also keeping workers productive, one must adopt a proactive strategy. Similarly, designing systems that enhance the patients’ experience while not exposing them to privacy breaches requires careful thought and planning. As is often the challenge, enterprise risk managers will need to find a careful balance where appropriate tools are accessible when needed, but where a comprehensive organization-wide policy controls all aspects of mobile device use. The following goals should form the basis of this strategy:
Security of data is paramount
To assure provider productivity, patient access and data security, organizations should create private cloud-based file-sharing services to manage the sharing of files through a service that is fully under the control of the IT department.
- Education must be provided to all users so that they fully understand the risk that can be created if they fail to adhere to the organization's policies regarding data storage and file-sharing.
- The enterprise risk manager, chief privacy officer and IT staff should work together to create a private cloud-based sharing system which will facilitate the sharing of all necessary files through a system fully under the control of the IT and privacy staff.
- Since data may be passing to individuals outside the system, care should be taken to use encryption that is consistent with the standards set by the National Institute of Standards and Technology (NIST), www.nist.gov.
Create secure ‘containers’
According to the Accellion white paper: “If personal devices are being used by providers, it is advisable to create secure containers for enterprise data. Storing work and patient-related data in a secure container shields that data from interference or malware infection that might come from personal data such as games and other consumer apps, photos, music tracks and personal documents received as attachments.
“Secure containers make it easier for IT administrators to monitor and control shared business-related data without intruding on the privacy of employees who are using their personal mobile devices for work.”
Require strict password conventions
The organization’s IT department should be able to establish policies and procedures that specify the strength and maximum lifetime of the passwords required to access any mobile device. If passwords are not changed in a manner consistent with these policies, devices should be capable of being remotely disabled.
This ability to remotely disable devices will also be necessary in case they are lost, stolen or otherwise get into the hands of unauthorized individuals.
Create strict policies regarding the use and downloading of medical applications
The popularity of mobile health apps is evident. According to a report in Bloomberg BNA, as of March 2013 there were 97,000 mobile health applications available across major application download services and 59 percent of patients in emerging markets used mobile health applications and services.
Healthcare professionals must be advised of the risks in not only developing their own apps, but also of downloading apps which are made by others or are commercially available onto their own devices. Although the habit of downloading apps may be common in one’s personal life, when used for the delivery of healthcare, the risks can be significant and include unintended HIPAA violations and the introduction of malware which can compromise the integrity of enterprise-wide data.
A process should be in place where individuals can request approval of specific new apps. The review and approval of these apps can be part of a multidisciplinary process involving members of the legal, risk management, privacy and IT team. IT staff should have the authority to remotely disable apps that have been downloaded to personal devices without approval and which are used while conducting business for the enterprise.
Risk financing or risk transfer
Risk managers should review their cyber policy to make sure that all of the exposures related to the use of mobile devices are covered. Obviously, even if you are able to transfer some of the financial risks, you will need to be aware of the reputational risks that may be created when patients’ privacy has been breached. The goal should be to manage the risk rather than merely transfer it.
The regulation of mobile devices is complicated and requires input from many disciplines within the organization. No doubt, the use of mobile technology in healthcare will continue to grow. It will be paramount that organizations develop a strategy that evaluates the effectiveness of these tools and manages the risk without creating an undue burden for patients and providers.
Barbara Youngberg is a consultant for Beecher Carlson, US.