Workarounds undermine BYOD policies

Building systems in concert with privacy and security policies and procedures is an evolving process
By Frank Irving
03:01 PM

In June 2013, Hahnemann University Hospital in Philadelphia took the ambitious step of simultaneously going live with an EHR system and a BYOD policy. After 14 years on a legacy EHR, the shift to a new system and access to it from hundreds of employee-owned devices happened all at once.

The dual rollout transpired smoothly, in part because a virtual environment was established, with no data-access applications installed on the mobile devices.

"There is no protected health information on any device," said Thompson Boyd, MD, a Hahnemann internist and physician liaison – a role he describes as being much like the chief medical information officer. "You don't download files, but you can get to the electronic record as if you were on a desktop."

The hospital's success contrasts with an industry-wide problem: When caregivers have trouble properly using systems, they're likely to devise "work-arounds" to bypass standard processes and procedures. And in doing so, they may compromise patient data privacy and security.

That issue will be explored during "Risky Business: Mitigating mHealth Workarounds with Usable Security" on Sunday, Dec. 7, at the mobile Privacy & Security Symposium at the mHealth Summit 2014. Boyd will moderate the session.

Boyd is one of more than 20 privacy and security experts from leading healthcare, academic and government organizations who will speak at the symposium. Speakers will share best practices, case studies and advice to help providers address BYOD, malware, medical device security and other prominent mobile privacy and security challenges and threats.

"I think workarounds in general could relate to poor design," Boyd said. "If there is a reason for people to take a shortcut, it should be assessed during testing, when you really need to lock things down."

An example might be a free-text area for noting the reason a patient is receiving a chest X-ray. A physician in a hurry might simply leave the "reason" box blank instead of typing in the appropriate information.

"It's better to have a roll-down box where only those things that would be appropriate for a chest X-ray would appear," Boyd said. "The physician simply picks the right one, and actually can't pick the wrong one."

He added: "You're going to set yourself up for failure if you have to click on something else outside of your EMR to get information from another source. People don't like that; it'll never fly. It's got to be embedded in your record."

Boyd said building systems in concert with privacy and security policies and procedures is an evolving process because mobile devices are relatively new and ever-changing. However, in a virtualized environment — such as the one at Hahnemann — when a session stops, no PHI remains behind on a device or another computer.

"If a person loses their device, they are personally going to be down some dollars, but it's not going to be a cost to the institution," Boyd said. "And it won't make the institution vulnerable for a breach."

The mHealth Summit 2014 runs from Dec. 7-11 at the Gaylord National Resort and Convention Center just outside Washington, D.C.

This story originally appeared on Healthcare IT News sister site mHealth News.
