
The Value of Standardizing Mobile Devices in Your Healthcare Organization

Posted on February 10, 2016 | Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

Before becoming a full-time healthcare IT blogger, I worked doing system administration and top-to-bottom IT support (I am @techguy on Twitter after all). While that now seems like somewhat of a past life, it never ceases to amaze me how the lessons that applied to technology 10 years ago come around again 10 years later.

A great example of this is in the devices an organization purchases. I learned really early on in my technology career the importance of creating a standard set of products that we would support as an IT organization. This was true when ordering desktop computers, laptops, printers, and even servers. The benefits of doing so were incredible, and most technology people understand them.

You can create a standard image which you put on every device. If one device breaks you can easily swap it for a similar device, or use parts from two broken-down devices to make one that works. When someone calls for support, a standard set of devices makes it much easier to give them the help they need.

Another one of the unseen benefits of setting and sticking to a standard set of devices is you can then often leverage the vendor provided management tools for those devices instead of investing in an expensive third party solution. This can be really powerful for an organization since the device management software that’s available today has gotten really good.

What’s unfortunate is that the way mobile devices were rolled out in healthcare, many organizations forgot this important lesson and they’ve got a bit of a hodgepodge of devices in their organization. I encourage these organizations to get back to creating and sticking to a standard set of devices when purchasing mobile devices. No doubt you’ll get a little backlash from people who like to do their own thing, but the cost of providing support and maintenance for a potpourri of devices is just not worth it.

What’s been your organization’s mobile device strategy? Have you created and stuck to a standard device or do you have a mix of devices?

Securing Mobile Devices in Healthcare

Posted on February 8, 2016 | Written By John Lynn

This post is sponsored by Samsung Business. All thoughts and opinions are my own.

When you look at healthcare security on the whole, I think everyone would agree that healthcare has a lot of work to do. Just taking into account the top 5 health data breaches in 2015, approximately 30-35% of people in the US have had their health data breached. I’m afraid that in 2016 these numbers are likely going to get worse. Let me explain why I think this is the case.

First, meaningful use required healthcare organizations to do a HIPAA risk assessment. While many organizations didn’t really do a high quality HIPAA risk assessment, it still motivated a number of organizations to do something about privacy and security. Even if it wasn’t the step forward many would like, it was still a step forward.

Now that meaningful use is being replaced, what other incentive are doctors going to have to take a serious look at privacy and security? If 1/3 of patients having their records breached in 2015 isn’t motivating enough, what’s going to change in 2016?

Second, hackers are realizing the value of health data and the ease with which they can breach health data systems. Plus, with so many organizations going online with their EHR software and other healthcare IT software, these are all new targets for hackers to attack.

Third, while every doctor in healthcare had a mobile device, not that many of them accessed their EHR on their mobile device since many EHR vendors didn’t support mobile devices very well. Over the next few years we’ll see EHR vendors finally produce high quality, native mobile apps that access EHR software. Once they do, not only will doctors be accessing patient data on their mobile device, but so will nurses, lab staff, HIM, etc. While all of this mobility is great, it creates a whole new set of vulnerabilities that can be exploited if not secured properly.

I’m not sure what we can do to make organizations care about privacy and security. Once a breach happens, though, they start to care. We’re also not going to be able to stem the tide of hackers being interested in stealing health data. However, we can do something about securing the plethora of mobile devices in healthcare. In fact, it’s a travesty when we don’t, since mobile device security has become so much easier.

I remember in the early days of smartphones, there weren’t very many great enterprise tools to secure your smartphones. These days there are a ton of great options and many of them come natively from the vendor who provides you the phone. Many are even integrated into the phone’s hardware as well as software. A good example of this is the mobile security platform, Samsung KNOX™. Take a look at some of its features:

  • Separate Work and Personal Data (Great for BYOD)
  • Multi-layered Hardware and Software Security
  • Easy Mobile Device Management Integration
  • Enterprise Grade Security and Encryption

It wasn’t that long ago that we had to kludge together multiple solutions to achieve all of these things. Now they come in one nice, easy to implement package. The excuses of why we don’t secure mobile devices in healthcare should disappear. If a breach occurs in your organization because a mobile device wasn’t secure, I assure you that those excuses will feel pretty hollow.


Wearable Health Trackers Could Pose Security Risks

Posted on February 1, 2016 | Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

Last October, security researchers made waves when they unveiled what they described as a 10-second hack of a Fitbit wearable health tracker. At the Hack.Lu 2015 conference, Fortinet security researcher Axelle Apvrille laid out a method for hacking the wearable through its Bluetooth radio. Apparently, Apvrille was able to infect the Fitbit Flex from as much as 15 feet away, manipulate data on the tracker, and use the Flex to pass that code on to a computer.

Fitbit, for its part, denied that its devices can serve as vehicles for infecting users with malware. And Apvrille admitted publicly that the demonstration was more theoretical than practical, noting in a tweet following the conference that no way to execute malicious code on the victim’s host had been demonstrated.

But the incident does bring attention to a very serious issue. While consumers are picking up health trackers at a breathless pace, relatively little attention has been paid to whether the data on these devices is secure. Perhaps even more importantly, too few experts are seeking ways to prevent these devices from being turned into a jumping-off point for malware. After all, like any other lightly-guarded Internet of Things device, a wearable tracker could ultimately allow an attacker to access enterprise healthcare networks, and possibly even sensitive PHI or financial data.

It’s not as though we aren’t aware that connected healthcare devices are rich hunting grounds. For example, security groups are beginning to focus on securing networked medical devices such as blood gas analyzers and wireless infusion pumps, as it’s becoming clear that they might be accessible to data thieves or other malicious intruders. But perhaps because wearable trackers are effectively “healthcare lite,” used almost exclusively by consumers, the threat they could pose to healthcare organizations over time hasn’t generated a lot of heat.

But health tracker security strategies deserve a closer look. Here are some suggestions on how to secure health and fitness devices from Milan Patel, IoT Security Program Director at IBM:

  • Device design: Health tracker manufacturers should establish a secure hardware and software development process, including source code analysis to pinpoint code vulnerabilities and security testing to find runtime vulnerabilities. Use trusted manufacturers who secure components, and a trusted supply chain. Also, deliver secure firmware/software updates and audit them.
  • Device deployment: Be sure to use strong encryption to protect privacy and integrity of data on the device, during transmission from device to the cloud and on the cloud. To further control device data, give consumers the ability to set up user and usage privileges for their data, and an option to anonymize the data. Secure all communication channels to protect against data change, corruption or observation.
  • Manage security: Include trackers in the set of technology being monitored, and set alerts for intrusion. Audit logging is desirable for the devices, as well as the network connections and the cloud. The tracker should ideally be engineered to include a fail-safe operation — dropping the system down to incapability, safely — to protect against attacks.

This may sound like a great deal of effort to expend on these relatively unsophisticated devices. And at present, it just may be overkill. But it’s worth preparing for a world in which health trackers are increasingly capable and connected, and increasingly attractive to the attackers who want your data.

NIST Goes After Infusion Pump Security Vulnerabilities

Posted on January 28, 2016 | Written By Anne Zieger

As useful as networked medical devices are, it’s become increasingly apparent that they pose major security risks. Not only could intruders manipulate networked devices in ways that could harm patients, they could use them as a gateway to sensitive patient health information and financial data.

To make a start at taming this issue, the National Institute of Standards and Technology has kicked off a project focused on boosting the security of wireless infusion pumps (Side Note: I wonder if this is in response to Blackberry’s live hack of an infusion pump). In an effort to be sure researchers understand the hospital environment and how the pumps are deployed, NIST’s National Cybersecurity Center of Excellence (NCCoE) plans to work with vendors in this space. The NCCoE will also collaborate on the effort with the Technological Leadership Institute at the University of Minnesota.

NCCoE researchers will examine the full lifecycle of wireless infusion pumps in hospitals, including purchase, onboarding of the asset, training for use, configuration, use, maintenance, decontamination and decommissioning of the pumps. This makes a great deal of sense. After all, points of network connection are becoming so decentralized that every touchpoint is suspect.

The team will also look at what types of infrastructure interconnect with the pumps, including the pump server, alarm manager, electronic medication administration record system, point of care medication, pharmacy system, CPOE system, drug library, wireless networks and even the hospital’s biomedical engineering department. (It’s sobering to consider the length of this list, but necessary. After all, more or less any of them could conceivably be vulnerable if a pump is compromised.)

Wisely, the researchers also plan to look at the way a wide range of people engage with the pumps, including patients, healthcare professionals, pharmacists, pump vendor engineers, biomedical engineers, IT network risk managers, IT security engineers, IT network engineers, central supply workers and patient visitors — as well as hackers. This data should provide useful workflow information that can be used even beyond cybersecurity fixes.

While the NCCoE and University of Minnesota teams may expand the list of security challenges as they go forward, they’re starting with looking at access codes, wireless access point/wireless network configuration, alarms, asset management and monitoring, authentication and credentialing, maintenance and updates, pump variability, use and emergency use.

Over time, NIST and the U of M will work with vendors to create a lab environment where collaborators can identify, evaluate and test security tools and controls for the pumps. Ultimately, the project’s goal is to create a multi-part practice guide which will help providers evaluate how secure their own wireless infusion pumps are. The guide should be available late this year.

In the meantime, if you want to take a broader look at how secure your facility’s networked medical devices are, you might want to take a look at the FDA’s guidance on the subject, “Cybersecurity for Networked Medical Devices Containing Off-the-Shelf Software.” The guidance doc, which was issued last summer, is aimed at device vendors, but the agency also offers a companion document with information on the topic for healthcare organizations.

If this topic interests you, you may also want to watch this video interview talking about medical device security with Tony Giandomenico, a security expert at Fortinet.

Is Fitbit a Digital Health Solution?

Posted on January 6, 2016 | Written By John Lynn

As I’ve been making the rounds of Digital Health at CES (technically the show officially starts today), I’ve run into an extraordinary number of digital health sensors and tracking devices. Some of them are me-too copycats in the already flooded fitness tracker market. Others are doing really incredible stuff around ECG, muscle mass, respiration, heart rate, and much more.

One conversation that I’ve had multiple times is that Fitbit and fitness trackers like it really aren’t a digital health solution. This isn’t really said as a knock on Fitbit. Almost always this statement is preceded by a comment about how Fitbit has done some really great things. However, the question really revolves around whether Fitbit is a healthcare application or whether it’s just a fun consumer device.

There’s no argument that Fitbit has been extremely successful. It’s also created mainstream interest in tracking your health. As a consumer application it’s been a big hit. The numbers don’t lie. However, many would equate what it’s accomplished in healthcare to something like the Wii Fit as opposed to something that impacts clinical care like a medical device. It’s more of a game that provides some health benefits than it is a clinical device. I even heard one person take it as far as to compare it to running shoes. If you did a study, running shoes would probably improve the health of many people since they make it easier to exercise. Does that make them a health solution?

Like I said, I don’t think anyone is arguing that what Fitbit is doing is bad. I also can’t remember Fitbit ever really claiming to influence clinical care. It’s the rest of the world that’s drawing that conclusion for them. Countless are the number of articles that talk about a patient sharing their Fitbit data with their doctor.

In response to those articles, doctors have generally responded, “Why do I care about their Fitbit data?” I think the reason doctors react this way is because the Fitbit data is limited and really doesn’t affect the clinical care for most people. Maybe there are some isolated cases, but for the majority of Americans it wouldn’t change the care they receive.

While this is true for Fitbit, there is a wave of other tracking devices that could (and I believe will) impact clinical care. It’s easy to see how a continuous ECG monitor that’s FDA cleared (i.e., doctors trust the data) could impact clinical care. This is actually true clinical data that doctors will care about seeing.

At this point I think it’s true that the majority of doctors don’t want to get your Fitbit data. It’s not clinically relevant. However, that’s going to change rapidly as health sensors continue to evolve. Maybe Fitbit will find some clinical relevancy in the data they produce. If not, a wide variety of other vendors are going to create clinically relevant data that doctors will not only want in their EHR, but will demand.

The only question I have now is, should we be building the highways for that data now so that we can easily turn on these new sources of clinically relevant data?

Side Note: I’ll be doing a Digital Health video blab from CES 2016 if you’d like to join.

Tiny Budgets Undercut Healthcare’s Cyber Security Efforts

Posted on January 4, 2016 | Written By Anne Zieger

This has been a lousy year for healthcare data security — so bad a year that IBM has dubbed 2015 “The Year of The Healthcare Security Breach.” In a recent report, Big Blue noted that nearly 100 million records were compromised during the first 10 months of this year.

Part of the reason for the growth in healthcare data breaches seems to be due to the growing value of Protected Health Information. PHI is worth 10x as much as credit card information these days, according to some estimates. It’s hardly surprising that cyber criminals are eager to rob PHI databases.

But another reason for the hacks may be — to my way of looking at things — an indefensible refusal to spend enough on cybersecurity. While the average healthcare organization spends about 3% of their IT budget on cybersecurity, they should really allocate 10%, according to HIMSS cybersecurity expert Lisa Gallagher.

If a healthcare organization has an anemic security budget, they may find it difficult to attract a senior healthcare security pro to join their team. Such professionals are costly to recruit, and command salaries in the $200K to $225K range. And unless you’re a high-profile institution, the competition for such seasoned pros can be fierce. In fact, even high-profile institutions have a challenge recruiting security professionals.

Still, that doesn’t let healthcare organizations off the hook. In fact, the need to tighten healthcare data security is likely to grow more urgent over time, not less. Not only are data thieves after existing PHI stores, and prepared to exploit traditional network vulnerabilities, current trends are giving them new ways to crash the gates.

After all, mobile devices are increasingly being granted access to critical data assets, including PHI. Securing the mix of corporate and personal devices that might access the data, as well as any apps an organization rolls out, is not a job for the inexperienced or the unsophisticated. It takes a well-rounded infosec pro to address not only mobile vulnerabilities, but vulnerabilities in the systems that dish data to these devices.

Not only that, hospitals need to take care to secure their networks as devices such as insulin pumps and heart rate monitors become new gateways data thieves can use to attack their networks. In fact, virtually any node on the emerging Internet of Things can easily serve as a point of compromise.

No one is suggesting that healthcare organizations don’t care about security. But as many wiser heads than mine have pointed out, too many seem to base their security budget on the hope-and-pray model — as in hoping and praying that their luck will hold.

But as a professional observer and a patient, I find such an attitude to be extremely reckless. Personally, I would be quite inclined to drop any provider that allowed my information to be compromised, regardless of excuses. And spending far less on security than is appropriate leaves the barn door wide open.

I don’t know about you, readers, but I say “Not with my horses!”

Solving Medical Device Interoperability – Is Qualcomm Building that Platform?

Posted on September 15, 2015 | Written By John Lynn

If you’ve spent some time in the mHealth and mobile health space (which are basically the same thing), then you’ve likely run into Qualcomm. They’ve made a big investment in that space with their Qualcomm Life initiative together with their 2Net platform that helps home health devices connect and share data. In many ways it made a lot of sense for a wireless provider (mostly chips, from my understanding) to get involved in this space, since it was a way for them to sell more chips. It seems like every new medical device needs some wireless technology embedded in it. On the other hand, it sometimes felt awkward since Qualcomm really doesn’t directly sell products to healthcare organizations or consumers.

Many people probably missed the announcement that Qualcomm Life acquired Capsule Tech. A lot of people in healthcare don’t know about Capsule Tech. Even fewer probably know about Qualcomm Life. However, Capsule Tech has done a great job building a business around medical device management. Capsule Tech is known as the black box under the hospital bed that captures all the medical device data in a hospital room and sends that data where it needs to go. They’ve recently expanded beyond the black boxes into things like data analytics, but at their core they’re all about collecting and sharing medical device data.

When you think about it from that perspective, that’s kind of what Qualcomm Life has been doing with home health devices and their 2Net platform. They’re collecting and sharing home health data where it needs to go.

As you look at a combined company, you can easily see a platform for medical device data starting to form. It will take some time for them to make it a reality, but you can see how Capsule together with Qualcomm Life could become the hub of medical device data. Now they have expertise in hospital grade medical devices and more patient focused home health devices as well. I can’t think of any other organization that’s merging the two like they could do. Some specific healthcare organizations are doing it on their own, but not a vendor.

Kevin Phillips, VP of Marketing and Product Management at Capsule Tech, told me that many of their customers were asking them for medical device solutions that reached into the home. It makes sense that a hospital using Capsule Tech for their enterprise medical devices would turn to them for their home health efforts as well. Now that Capsule Tech is part of Qualcomm Life, they’ll have a suite of solutions they can make available to their hospital customers.

From the 2Net partner perspective, Capsule Tech brings a large number of healthcare organizations to the table that could now consider buying their wireless health solutions. The key is going to be how well Qualcomm can integrate their 2Net platform with Capsule Tech. Capsule Tech has integrated with pretty much all of the major EHR vendors out there. Can Qualcomm leverage these EHR integrations to the benefit of their 2Net partners?

I asked this very question of Dr. James R. Mault, VP and Chief Medical Officer of Qualcomm Life. He danced around the subject, citing the EHR blocking that was highlighted by ONC earlier this year and how many EHR vendors and health systems have made it really hard to create these types of integrations. However, Dr. Mault also described how there have been some major changes recently in this regard thanks to the push towards value based care and reduced hospital readmissions. Organizations are realizing they have to start opening up. I’d describe his answer as hopeful, but realistic when it comes to the challenges they face with EHR integrations. If Qualcomm Life could offer their partners a path to the EHR through Capsule Tech, that would be a real coup.

At the end of the day, the proof is in the pudding. This conceptual medical device data sharing platform across the healthcare enterprise and home health sounds great. I’ll be interested in how Qualcomm Life and Capsule Tech do at executing it. Are hospitals really ready to purchase the home health products? Will these solutions help them in their value based reimbursement, ACO, and/or reduced hospital readmission efforts? It’s going to be interesting to watch and see which Qualcomm Life partners are of interest to the hospital market. I told them I’d follow up at HIMSS 2016 to see how they’re doing.

$10 Finger Stick Blood Tests Illustrate New Quantified Future

Posted on July 3, 2015 | Written By John Lynn

I’ve often talked about the variety of health sensors that are quantifying everything about us and how that’s going to change healthcare as we know it. As we have more information about ourselves, it’s impossible for us to keep doing the same things we’ve been doing. One of the challenges we’ve faced with this change is that we need access to the blood to really do quality testing. No one wants to do a venous blood draw to regularly monitor their health data.

This is why I’m so interested in what the quite secretive Theranos is doing with their finger stick blood tests. Yesterday, the big news hit that Theranos got their first FDA clearance for their herpes simplex 1 virus IgG test. As MedCityNews notes, this is the first of 100 pre-submissions they have underway with the FDA.

This is exciting news, but this part of the MedCityNews article is even more exciting for me:

Its HSV-1 test costs $9.07 – one of 153 tests the company says it makes that cost less than $10.

This is a great price point for a lab test and we’d all benefit from this massive decrease in price. I’m still not sure Theranos should have a $9 billion valuation. They still have a long way to go with the FDA, but if they’re able to execute then maybe that valuation isn’t that crazy after all.

Regardless of how Theranos does as a business, I think we’re going to see hundreds of companies like Theranos that continue to make testing more affordable. That’s going to change how we approach healthcare.

Emerging Health Apps Pose Major Security Risk

Posted on May 18, 2015 | Written By Anne Zieger

As new technologies like fitness bands, telemedicine and smartphone apps have become more important to healthcare, the issue of how to protect the privacy of the data they generate has become more important, too.

After all, all of these devices use the public Internet to transmit data, at least at some point along the way. Typically, telemedicine involves a direct connection to a remote server over an unsecured Internet connection (although providers generally apply some form of encryption to the data sent over that connection). If they’re being used clinically, monitoring technologies such as fitness bands hop from the band over wireless spectrum to a smartphone, which in turn uses the public Internet to send the data to clinicians. And the public Internet is the pathway that opens up a myriad of ways for hackers to get access to this health data.

My hunch is that this exposure of data to potential thieves hasn’t generated a lot of discussion because the technology isn’t mature. And what’s more, few doctors actually work with wearables data or offer telemedicine services as a routine part of their practice.

But it won’t be long before these emerging channels for tracking and caring for patients become a standard part of medical practice. For example, the use of wearable fitness bands is exploding, and middleware like Apple’s HealthKit is increasingly making it possible to collect and mine the data that they produce. (And the fact that Apple is working with Epic on HealthKit has lured a hefty percentage of the nation’s leading hospitals to give it a try.)

Telemedicine is growing at a monster pace as well. One study from last year by Deloitte concluded that the market for virtual consults in 2014 would hit 70 million, and that the market for overall telemedical visits could climb to 300 million over time.

Given that the data generated by these technologies is medical, private and presumably protected by HIPAA, where’s the hue and cry over protecting this form of patient data?

After all, though a patient’s HIV or mental health status won’t be revealed by a health band’s activity data, telemedicine consults certainly can betray those concerns. And while a telemedicine consult won’t provide data on a patient’s current cardiovascular health, wearables can, and that data might be of interest to payers or even life insurers.

I admit that when the data being broadcast isn’t clear text summaries of a patient’s condition, possibly with their personal identity, credit card and health plan information, it doesn’t seem as likely that patients’ well-being can be compromised by medical data theft.

But all you have to do is look at human nature to see the flaw in this logic. I’d argue that if medical information can be intercepted and stolen, someone can find a way to make money at it. It’d be a good idea to prepare for this eventuality before a patient’s privacy is betrayed.

An Important Look at HIPAA Policies For BYOD

Posted on May 11, 2015 | Written By Anne Zieger

Today I stumbled across an article which I thought readers of this blog would find noteworthy. In the article, Art Gross, president and CEO at HIPAA Secure Now!, made an important point about BYOD policies. He notes that while much of today’s corporate computing is done on mobile devices such as smartphones, laptops and tablets — most of which access their enterprise’s e-mail, network and data — HIPAA offers no advice as to how to bring those devices into compliance.

Given that most of the spectacular HIPAA breaches in recent years have arisen from the theft of laptops, and are likely to proceed to theft of tablet and smartphone data, it seems strange that HHS has done nothing to update the rule to address the increasing use of mobile devices since it was drafted in 2003. As Gross rightly asks, “If the HIPAA Security Rule doesn’t mention mobile devices, laptops, smartphones, email or texting how do organizations know what is required to protect these devices?”

Well, Gross’ peers have given the issue some thought, and here are some suggestions from law firm DLA Piper on how to dissect the issues involved. BYOD challenges under HIPAA, notes author Peter McLaughlin, include:

  • Control: To maintain protection of PHI, providers need to control many layers of computing technology, including network configuration, operating systems, device security and transmissions outside the firewall. McLaughlin notes that Android OS-based devices pose a particular challenge, as the system is often modified to meet hardware needs. And in both iOS and Android environments, IT administrators must also manage users’ tendency to connect to their preferred cloud and download their own apps. Otherwise, a large volume of protected health data can end up outside the firewall.
  • Compliance: Healthcare organizations and their business associates must take care to meet HIPAA mandates regardless of the technology they use. But securing even basic information, much less regulated data, can be far more difficult than when the company creates restrictive rules for its own devices.
  • Privacy: When enterprises let employees use their own device to do company business, it’s highly likely that the employee will feel entitled to use the device as they see fit. However, in reality, McLaughlin suggests, employees don’t really have full, private control of their devices, in part because company policy usually requires a remote wipe of all data when the device gets lost. Also, employees might find that their device’s data becomes discoverable if the data involved is relevant to litigation.

So, readers, tell us how you’re walking the tightrope between giving employees who BYOD some autonomy, and protecting private, HIPAA-protected information. Are you comfortable with the policies you have in place?

Full Disclosure: HIPAA Secure Now! is an advertiser on this website.