Monday, March 26, 2012

Houston Healthcare Information Security




Many healthcare organizations are ramping up their use of mobile devices before they have appropriate privacy and security policies, procedures and technologies in place, some experts say.






Every "expert" should be saying this, not just some. There should be nothing surprising about this "cart before the horse" situation. You must have a context in which to write and then apply a policy: no point in setting up do's and don'ts if you can't first precisely define what either is.

One must recognize that policies are like laws in this way: a law is drawn up and installed 99% of the time after the act it outlaws has been committed, probably several times. Both are by their very nature retroactive in the sense that the act itself creates the context and the conditions by and through which to frame the law or policy - to attempt to do it the other way round would create a policy in a vacuum, which would be quite ill-suited for application.

The user-driven influx of mobile devices that is forcing healthcare organizations to contend with mobility, presence, wireless, etc. is reflective of what other sectors are also dealing with (BYOD). We consult on this matter and have been doing so for years. We are Board Certified by ASIS International & ISACA, licensed by The State of Texas. Contact us today for a security assessment and our compliance services offerings especially for the Houston Medical Community.

The only smart approach to this situation is to recognize it will force its way into your enterprise, whether you want it to or not (especially true if it is the younger docs that are the force behind it). The smart CTO/CIO will realize this (hopefully has already) and will reach out to embrace it, even (gently) advocate for it. The question becomes "how can we best enable the effective and secure use of this to add capability and functionality that serves our community?" The CTO/CIO is expected to enable, not disable.

To address the mobile onslaught with a "No, we will not allow its use" will very likely get the CxO marginalized and place them off the "Trusted Ally" list. It is not unlike the logic behind "keeping one's friends close, and keeping one's enemies closer".




Houston Compliance Services, IT Audit, Risk Assessment, & Information Security by State Licensed & Board Certified Security Experts




What About Texting?


The explosion in the use of texting among physicians and nurses is creating new security issues. For example, some answering services send to a doctor's smart phone an unencrypted text message containing a patient's name, phone number and symptoms, which creates risks for privacy violations, notes Adam Kehler, quality and security specialist at the consultancy Quality Insights of Pennsylvania.

"So a risk assessment has to go beyond just electronic health records" when sizing up risks to protected health information, he stresses.

While it investigates secure texting technologies, Adventist Health System has banned communicating patient-specific information through texting, says Sharon Finney, corporate data security officer at the 44-hospital system.


Mobile Applications and Malware



Another area of risk involved in using the latest smart phones is exposure to malware, says Jacob DeLaRosa, M.D., a cardiovascular surgeon at the Portneuf Medical Center, Idaho State University. He recently downloaded an application designed to help him calculate the Body Mass Index that turned out to include a virus that automatically sent messages about Viagra to his contacts. When selecting new apps, "you have to assume that they're not secure," Gallagher stresses. Healthcare organizations must test-drive all apps before clinicians are allowed to use them and must educate users on the necessary security provisions tied to new apps.

By year's end, HHS plans to offer videos, tip sheets and other guidance on security for mobile devices, says Joy Pritts, ONC's chief privacy officer. "Given the rapid adoption of mobile devices against the backdrop of the breach incidents reported, there's been a growing concern about the use of these devices because of their vulnerability," Pritts says. "The mobile device privacy and security good practices project is one of the ways we hope to address these concerns."




281-733-2422