With doctors among the biggest fans of smartphones around, hospitals and medical practices are having to face the reality that Bring Your Own Device is here to stay. The question is, is BYOD so hard to manage that it all but guarantees HIPAA breaches?
On the one hand, BYOD is already entrenched. According to a recent report by KLAS Research surveying 105 CIOs, IT specialists and physicians, 70 percent said they used mobile devices to access their EMRs. Even this small group was accessing virtually every major enterprise EMR via mobile, reports MobiHealthNews.
But the pressures on hospitals to corral BYOD security gaps are growing. Hospitals will soon have to provide increased protection of patient health information under Meaningful Use Stage 2. And the HHS Office of Civil Rights will be doing stepped up HIPAA-compliance audits, which gives hospitals even less leeway than they’d have had otherwise.
Of course, hospitals have been dealing with doctors bringing one device — a laptop — for quite some time. One might think this would have prepared hospitals for dealing with security-hole-ridden portable devices that staff and clinicians bring to work. But as we all know, laptops have proven to be major sources of security breaches, most typically by being stolen when loaded down with unencrypted data.
BYOD on the mobile side is, if anything, a riskier proposition. For one thing, doctors and executive staff are likely to own more than one device, such as a phone and a tablet, multiplying the risk that an unguarded device could be stolen and bled for information. And managing mobile devices calls for IT to support two additional operating systems (iOS and Android), each configured in whatever way the user prefers.
Folks, I know I’m not saying anything crashingly original, but I’d argue it’s worth repeating: It’s time for hospitals to stop waffling and develop comprehensive protocols for BYOD use. It’s clear that left alone, the problem is going to get worse, not better.
Hey John,
Great to see you this week at mHealth. Great question you pose here, and YES, it absolutely can be done.
Kirk Larson, CIO Children’s Hospital Central California shares a great video presentation of how they implemented HIPAA compliant BYOD:
http://www.onlinetech.com/events/fall-into-it (scroll down to the 2nd video)
thanks!
April
BYOD can absolutely be done, but it takes a solid effort to do it correctly.
The real question is should it be done?
How much productivity loss is there with BYOD?
Whose fault is it when that device gets destroyed at work?