Mobile device security in healthcare setting
March 7, 2017 11:02 PM

I work for a county medical system that encompasses several hospitals and clinics. My immediate team does outreach in the community. We have been issued mobile devices to use during home visits, etc. Using these devices, we can access confidential medical records (we need to do this for our work). We weren't even instructed to use passwords on these devices. They are not encrypted in any way. What should I suggest to my boss?

Of interest:

- We are a kind of scrappy, underfunded organization where things have been cobbled together w/ various mergers. There is no corporate master above us. However, we are big enough and important enough in our community that we should have an organization-wide policy on this.

- I told my boss I'm worried about this. She agrees but is not a technical person herself. She and I both fear that if I reach out to the head of IT about this then he will simply tell our department we can't use mobile devices anymore. These devices make our work much, much more effective and I really don't want this to happen. (There are others in our system using mobile devices too anyway.)

- We're using a mix of iPads, iPhones and Samsung phones.

- Right now, our boss just asked our team to at least put a password on our phones and ipads.

This is in part a technical question: What would be the correct solution to this? I told my boss I would research it.

The other part is a strategic question: I feel like I'm complicit in a situation that puts us at risk of a leak of confidential information. How can I approach this to be most likely to successfully advocate for the right solution for my department and for the organization as a whole?
posted by anonymous to Computers & Internet
I am a nurse and midwife and worked in QA/HIPAA for many years. If you are in the US, this is a major HIPAA violation that puts your organization and medical system at risk of massive fines and loss of the use of your devices. (At my hospital, a lost laptop or iPad that is unencrypted can bring the system fines >$100k.) Our IT department prevents anyone from accessing work email without encryption software and password protection on mobile devices. If you want to take patient records to chart at home, you need approval from IT/medical records and special equipment.

To more specifically answer your questions: the correct solution is to contact IT and request encrypted devices and/or give up the current ones if you're unable to encrypt them appropriately. I would also ask IT/Medical Records/Information Governance about what data can and cannot be communicated. (e.g., if you are using phones in the field to simply relay information to your office ("I saw pt JR and booked his appt") that may be acceptable as it contains no identifying information, but I would strongly recommend checking with your institutional guidelines).

I think you are right to think about complicity in this situation and would bring your boss some of the HIPAA guidelines and find out your institution's policies on fines and other penalties for violations. If your boss is not able to help, I would contact IT/etc. A breach of confidentiality can be expensive and often makes public news, creating a poor reputation for institutions, in addition to a loss of trust with your community and patients, which can be hard to recover.

Feel free to PM me if it would be helpful.
posted by stillmoving at 12:03 AM on March 8, 2017

I work for a corporately owned hospital. Our Directors who have assigned work cell phones have a program installed by Corporate IT that makes their phones HIPAA compliant, but for the life of me I can't think of the name of it right now. When I do I can come back to this post and let you know.

The other side to that program is that it allows IT to monitor their phones somehow, which is why they have a work phone and their personal phone separate. But if your organization owns those devices and they are only used for work (i.e. not someone's personal iPad or whatever), then that shouldn't be a problem.
posted by MultiFaceted at 2:17 AM on March 8, 2017

HIPAA requires your organization to designate a privacy officer and a security officer, whose job it is to think about these questions. Do you have these people? Were they involved in the decision to deploy these devices?

IANAL nor am I a HIPAA security officer, but I do work with medical data covered by HIPAA. Here are some best practices as I understand them:
  • all PHI should be encrypted at rest (iOS encrypts storage if you have a passcode set)
  • PHI should also be encrypted in transit, which means making sure whatever software you are using on the device to access the EMR data uses an encrypted connection. It also means you should not put PHI in e-mail without additional encryption (we use Virtru)
  • there should probably be a formal policy on password strength which forbids passwords like '1234'
  • you should have a plan for what to do if/when a device is lost or stolen. Ideally the organization will have the ability to perform a remote wipe of the device. Certainly you need to be able to revoke any credentials (e.g. login information for a web EMR interface) which may be stored on the device.
HIPAA does not forbid the use of mobile devices for PHI but you need to be thoughtful about the specifics.
posted by enn at 5:46 AM on March 8, 2017
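The passcode and lost-device points in the answer above are usually enforced through an MDM-pushed iOS configuration profile, and the fastest way to see whether such a profile actually delivers them is to check its passcode payload against a baseline. The script below is an added example, not code from the thread or from any MDM vendor: it parses a .mobileconfig with Python's standard plistlib and flags a profile that does not force a passcode (and so does not turn on iOS data protection at rest), allows simple PINs like 1234, or never wipes on repeated wrong guesses. The two profiles it inspects are constructed inline; the payload keys are Apple's passcode-policy keys, while the threshold numbers in BASELINE are assumptions chosen for illustration, not values taken from HIPAA.

```python
"""Check an iOS/iPadOS configuration profile's passcode payload against a
minimum baseline. Added example; the profiles below are constructed, and
the BASELINE thresholds are assumed values, not a regulatory standard."""
import plistlib

PASSCODE_PAYLOAD = "com.apple.mobiledevice.passwordpolicy"

# Assumed baseline: tune to your own written policy.
BASELINE = {
    "forcePIN": True,         # a passcode must exist (enables data protection)
    "allowSimple": False,     # forbid 1234 / 1111 style PINs
    "minLength": 6,
    "maxInactivity": 5,       # minutes idle before auto-lock
    "maxFailedAttempts": 10,  # wipe after this many wrong guesses
}


def passcode_payloads(profile_bytes):
    """Return every passcode-policy payload dict found in a .mobileconfig."""
    profile = plistlib.loads(profile_bytes)
    return [p for p in profile.get("PayloadContent", [])
            if p.get("PayloadType") == PASSCODE_PAYLOAD]


def check_profile(profile_bytes):
    """Return a list of findings; an empty list means the profile meets BASELINE."""
    payloads = passcode_payloads(profile_bytes)
    if not payloads:
        return ["no passcode policy payload: passcode (and so encryption at rest) not enforced"]
    findings = []
    for p in payloads:
        # Apple's defaults are forcePIN=false and allowSimple=true, so a key
        # that is simply missing is as bad as one set to the weak value.
        if not p.get("forcePIN", False):
            findings.append("forcePIN missing or false")
        if p.get("allowSimple", True):
            findings.append("allowSimple not disabled: PINs like 1234 permitted")
        if p.get("minLength", 0) < BASELINE["minLength"]:
            findings.append(f"minLength {p.get('minLength', 0)} below {BASELINE['minLength']}")
        if "maxInactivity" not in p or p["maxInactivity"] > BASELINE["maxInactivity"]:
            findings.append("maxInactivity missing or too long: device stays unlocked")
        if "maxFailedAttempts" not in p or p["maxFailedAttempts"] > BASELINE["maxFailedAttempts"]:
            findings.append("maxFailedAttempts missing or too high: no wipe on brute force")
    return findings


def build_profile(passcode_settings):
    """Wrap one passcode payload in a minimal top-level profile (constructed sample;
    the UUIDs and identifiers are placeholders, not real deployment values)."""
    payload = {
        "PayloadType": PASSCODE_PAYLOAD,
        "PayloadVersion": 1,
        "PayloadIdentifier": "example.passcode",
        "PayloadUUID": "00000000-0000-0000-0000-000000000001",
        "PayloadDisplayName": "Passcode",
    }
    payload.update(passcode_settings)
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "example.profile",
        "PayloadUUID": "00000000-0000-0000-0000-000000000002",
        "PayloadDisplayName": "Example field device profile",
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile)


# Weak profile: forces a passcode but permits 4-digit simple PINs, locks
# late and never wipes on repeated failures.
WEAK_PROFILE = build_profile({
    "forcePIN": True, "allowSimple": True, "minLength": 4, "maxInactivity": 15,
})

# Hardened profile: meets every BASELINE setting.
HARDENED_PROFILE = build_profile({
    "forcePIN": True, "allowSimple": False, "minLength": 6,
    "maxInactivity": 2, "maxFailedAttempts": 10,
})

if __name__ == "__main__":
    for name, prof in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(name, check_profile(prof) or "compliant")
```

In practice you would feed it the profile exported from the MDM console rather than the constructed ones; a profile that has no passcode payload at all is the case that matches the situation in the question, and the checker reports it as its own finding rather than silently passing.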

She and I both fear that if I reach out to the head of IT about this then he will simply tell our department we can't use mobile devices anymore. These devices make our work much, much more effective and I really don't want this to happen.

Having a security breach that causes your patients to lose all trust in your organization will make your work much, much more ineffective. Talk to IT. (I have outreach workers using flip phones in the field. I absolutely get how not-ideal that is. Sharing people's private health information on non-encrypted, non-password-protected (!) devices is worse.)
posted by lazuli at 5:48 AM on March 8, 2017

"mobile device management" or MDM is the phrase you're looking for here. Airwatch is a big brand name. Agree with others that this is a massive problem waiting to bite you in the ass. Get it fixed ASAP.
posted by cosmicbandito at 6:39 AM on March 8, 2017

AIRWATCH!! That's what our hospital uses! Thanks cosmicbandito for jogging my memory!
posted by MultiFaceted at 8:46 AM on March 8, 2017
