Accounting for healthcare mobile security within the IT budget and maintaining HIPAA compliance are essential considerations in the current environment.
It can be daunting to choose the right mobile tools to help a healthcare organization stay innovative. It can be even more daunting though to ensure that mobile security remains a top priority and that PHI stays secure.
Healthcare IT leaders might see the value in implementing mobile options, but studies show that security is often a top concern.
How can entities properly budget for mobile options? What are the potential consequences if a HIPAA violation occurs? Why is employee training so critical for strong mobile security?
Four key considerations with mobile security. Organizations of all sizes must budget for cybersecurity, choose the right mobile tools, conduct regular employee training, and maintain HIPAA compliance with all devices.
Choosing the right mobile healthcare tool
Different mobile solutions will be beneficial at different healthcare organizations. Secure messaging might be necessary for larger hospital systems with specialty clinicians who need to communicate with patients. Smaller providers might not require the same mobile strategies.
Regardless, mobile security must be a key consideration throughout the entire decision-making process.
Direct secure messaging is becoming more popular, for example. DirectTrust is a non-profit trade alliance that facilitates secure HIE through the Direct Protocol. July 2017 numbers showed a 15 percent increase in the number of trusted Direct addresses able to share PHI.
There was also a reported 68 percent increase in the number of healthcare organizations served by DirectTrust health information service providers (HISPs) and engaged in Direct exchange.
The American Hospital Association’s Hospital & Health Networks (H&HN) Most Wired rankings showed that nearly three-quarters of the Most Wired hospitals offer secure messaging with clinicians on mobile devices.
Seventy-four percent said they use secure emails for patients and families to maintain contact with the care team when patients require ongoing monitoring at home. Sixty-two percent of respondents also said they can simplify the prescription renewal process by letting patients make the requests on mobile devices.
“The Most Wired hospitals are using every available technology option to create more ways to reach their patients in order to provide access to care,” AHA President and CEO Rick Pollack said in a statement. “They are transforming care delivery, investing in new delivery models in order to improve quality, provide access and control costs.”
Pagers are however still a popular tool for many healthcare organizations, according to a study published in the Journal of Hospital Medicine. Nearly 79 percent of respondents said they are provided pagers for communications, while 49 percent said they receive patient care–related (PCR) communication through pagers.
Fifty-three percent of 567 clinicians also said they received standard text messages once or more per day.
For secure messaging, 26 percent of 549 of those surveyed said that their organization had implemented a secure messaging option that was being utilized by some clinicians.
Overall, healthcare providers need to opt for mobile options that will aid staff members in daily operations without compromising data security.
Budgeting for necessary mobile security tools
Cybersecurity budget and resource constraints are often cited by providers as hindrances to data security. Healthcare organizations cannot expect to properly keep data secure if they do not have the necessary funds to purchase, implement, and utilize the right security tools.
With mobile security, this could include budgeting for mobile device management (MDM) solutions if BYOD is being used in a hospital. Or, a provider might need to ensure that it can afford to hire a CISO to help lead the security team.
A recent Spok survey that was administered by CHIME found that 56 percent of healthcare CIOs say that budget and resource constraints are the largest threat to patient data security. Ninety-five percent of respondents also said they were concerned about data becoming compromised, while approximately one-quarter stated they are unsure how much PHI is being shared unsecurely.
“Mobility and clinical process improvements are important to hospital leaders, and CIOs plan to make impactful changes,” the survey authors explained. “However, the execution remains a work in progress.”
Sixty-nine percent of those surveyed said mobile strategies were a key initiative to improving clinical and operational outcomes. The survey also found that 40 percent of CIOs are considering or planning to hire consultants in the next 12 months to aid in the mobile communications process.
However, a ZingBox survey from July 2017 revealed that some healthcare IT decision makers find traditional security solutions used for securing laptops and servers were also enough for IoT connected medical device security. This could indicate inconsistent approaches when it comes to choosing which investments are necessary for healthcare security.
Seventy percent of respondents said their traditional security solutions were enough, while nearly 75 percent added that they are confident or very confident that all devices connected to their network are protected.
Organizations need to have communication between the C-suite and IT teams, ensuring that everyone understands the areas in which stronger data security measures are required. Mobile security solutions can differ from traditional legacy options, and applicable privacy and security tools need to be budgeted for and implemented properly.
Implementing regular employee training
Once a mobile option has been chosen and then budgeted for, employees at all levels must be trained and educated on how to use it. Employees are often cited as a top security threat to an organization, as it only takes one individual to download a malicious link, have a smartphone stolen, or send PHI to the wrong email.
OCR’s July Cybersecurity Newsletter underlined the importance of data security training, especially as the threat landscape continues to evolve.
Understanding HIPAA compliance for mobile options
The HIPAA Security Rule does not require specific technology solutions when it comes to mobile device technical safeguards. HHS does require that entities implement reasonable and appropriate security measures for standard operating procedures.
For mobile security, this means for example that a hospital utilizing smart phones will need to implement applicable security measures for those devices. This could include having remote wipe capability. That way if a phone is lost or stolen, the hospital can delete any potentially sensitive information on the device before it can fall into the wrong hands.
“HHS recognizes that covered entities range from the smallest provider to the largest, multi-state health plan,” HHS explains on its site. “Therefore the Security Rule is flexible and scalable to allow covered entities to analyze their own needs and implement solutions appropriate for their specific environments. What is appropriate for a particular covered entity will depend on the nature of the covered entity’s business, as well as the covered entity’s size and resources.”
Failing to adhere to HIPAA regulations with mobile devices could lead to heavy fines. OCR reached a $2.5 million settlement with Pennsylvania-based CardioNet in April 2017 for lacking mobile security safeguards.
“Mobile devices in the health care sector remain particularly vulnerable to theft and loss,” OCR Director Roger Severino said in a statement. “Failure to implement mobile device security by Covered Entities and Business Associates puts individuals’ sensitive health information at risk. This disregard for security can result in a serious breach, which affects each individual whose information is left unprotected.”
Mobile devices can assist healthcare organizations, but security cannot be an afterthought. Choosing the right tools, training employees, and focusing on HIPAA compliance will help covered entities find the right balance between innovation and security.
Source
