A recent story appeared in Becker”s Hospital Review on Mobile”s Impact on Hospital IT Security in 2013: How Your Institution Can Adapt to BYOD. In the article, written by Bill Ho, President of Biscom, he talks about both the barrage of new regulatory requirements, but also the widespread adoption of mobile technology.
In the article Mr. Ho cites a recent survey by Aruba Networks. According to the survey, 85 percent of facilities support their physicians” and staffs use of personal devices at work. By supporting this use, hospital employees and clinicians can:
- check their personal email accounts
- their work email
- review electronic medical records
- check drug interaction information
- use mobile secure file transfer mobile business apps to view lab results or radiology images
- provide signature approval on a treatment decision
- make practitioners more accessible and connected
- How can we best integrate personal devices while still maintaining our existing security policies.
- How do we support healthcare professionals who bring their own device into various medical settings while still maintaining the security and confidentiality of personal health information.
- Rogue applications installed by the clinician or other staff that could potentially access Personal Health Information (PHI) because their devices are now tied to the facilities network.
- Addressing the dual-use (personal, work) nature of mobile devices and tendency particularly for personal devices to eschew levels of security in favor of ease of use, simplicity and quick access.
- Shutting off access to synchronization type mobile business apps like Dropbox until there”s a way to manage them with centralized control, granular permissioning and integration with established authentication services.
1. Review your current security policies for web applications (CRM, email, portals), VPN and remote access. Most, if not all of these will apply to mobile devices as well.
2. Determine which devices you are willing to support — not all devices meet the security requirements of your healthcare organization, nor do you want to have to test all possible platforms. Also, physically inspect each device and make sure it hasn”t been jailbroken or rooted.
3. Set expectations clearly. IT may have to radically change physicians” mindsets. Yes, security adds additional layers to wade through, but what amazing challenges would a security breach cause?
4. Write clear and concise policies for all employees who want to use their personal devices. Have anyone participating in BYOD sign your terms of use. Those who choose not to follow your policies should not expect to use their device.
5. Make a personal identification number, or other client authentication, mandatory. This hampers ease of use, but is the first line of defense against a lost device.
6. Enforce encryption of data at rest; any mobile business apps that download and store data on the device should protect that data. If a PIN or passcode is cracked, you want to make sure that data is still protected.
7. With hundreds of thousands of mobile business apps available, which will you permit? Are there any specific applications or class of applications you want to keep off the device? This can be hard to do, but malware and rogue mobile business apps can do serious damage without users realizing it.
8. Provide training to physicians and hospital staff to make sure they understand how to correctly use their applications, make the most of their mobile capabilities and watch for suspicious activity. Once you’2013-07-15 06:49:54’ve embraced BYOD, promote it.
9. As mobile devices become conduits for information to flow, look for mobile business apps that include auditability, reporting and centralized management. Many current mobile business apps will not have this feature, but those that do will make it easier to trace back any potential breaches.
10. Consider mobile device management software that can provide secure client applications like email and web browsers, over the air device application distribution, configuration, monitoring and remote wipe capability. Note that some MDM providers require applications to be re-written specifically to support their platform, so you may find some of your applications will not run in the MDM solution you pick.
As a way of expanding on Mr. Ho”s 10th point. I would encourage you that rather than investing in multiple different mobile business apps all created by unknown parties, that you strongly identify the benefits you most need in your enterprise mobile mobile business apps and utilize a platform and development team like http://www.snappii.com where you can either design your mobile business apps yourself, or we can work with your IT department to help you ensure the proper data is available for the specific mobile business apps that need it, but also ensure is designed to complement your existing IT security protocols.
If you have more questions on enterprise mobile app development for use in a medical environment as part of BYOD policies, while continuing to maintain, HIPPA and PHI compliance, don”t hesitate to send me an email.