At HIMSS24, perspective on safeguarding ePHI and restricting unauthorized access
Mobile use in the healthcare space has long been a double-edged sword with personal devices giving clinicians the ability to access healthcare data at any time from anywhere. Still, they also leave organizations vulnerable to myriad privacy and security risks, and give them big IT headaches.
Once the elephant in the room, texting patient data in healthcare is now the norm. Earlier this month, the Centers for Medicare & Medicaid clarified its stance on texting patient data among members of healthcare teams. Texting of patient orders is now permissible at hospitals and critical access hospitals when done through a HIPAA-compliant secure platform in compliance with CMS Conditions of Participation rules, the agency said.
Michael Trzcinski, vice president of IT, cybersecurity and facility operations at Alliance Clinical Network, a group of sites engaging in Phase I-IV research studies located on major hospital campuses, and Vernon O'Donnell, president of field operations at Hypori, will discuss secure virtual device management at the HIMSS24 Global Conference & Exhibition.
They'll address the latest mobile cyber risks across healthcare, and the role of virtual mobility solutions, comparing traditional solutions to new BYOD considerations. Attendees will also come away with a greater understanding of how to defend against phishing and malware attacks, which often lead to ransomware, they said.
This session will be especially fruitful for healthcare IT decision-makers who need to understand the critical role of compliance and security in protecting ePHI. It will reveal how they can enhance patient care without sacrificing user privacy and productivity, all while mitigating cyber risks. –The Alliance Clinical Network
Q. What are the benefits of broader mobile access to critical patient data within the healthcare space?
O'Donnell. The major benefits of broader healthcare mobile access include increased flexibility and productivity.
By enabling secure access from any mobile device, healthcare professionals can retrieve critical information on the go, improving responsiveness and efficiency. Additionally, it helps streamline workflows and reduce administrative and IT burdens.
Trzcinski. Not only does mobile access help us improve patient care by facilitating secure real-time collaboration and coordination between teams, but it also empowers patients to access their health information – anytime, anywhere.
Additionally, it provides us with a competitive advantage compared to other providers, as we offer more patient-centered and efficient services, thereby attracting and retaining patients in an increasingly competitive market.
Q. What are the risks to user privacy when healthcare employees bring their devices into their patient care workflows?
O'Donnell. With traditional mobile access solutions, such as providers requiring employees to use a device with mobile device management software or issuing a secondary, corporate device, there are a lot of risks to user privacy because of the following factors:
- Data leakage. This can come from the device being stolen or lost without the ability to wipe user data remotely. The potential of exposing sensitive patient information is extremely high.
- Device compromise. Devices without secure access are more likely to be exposed to malware and other cybersecurity threats.
- Compliance concerns. It's become harder to ensure data privacy and security.
By offering a secure virtual device, healthcare providers do not have to worry about carrying two phones, or about data being leaked or compromised, because no data is left on the device. There is also no data in transit, so it eliminates traditional risks of exposure.
From a user privacy perspective, there is 100% data separation between the personal device and the virtual device so the user’s information is always protected.
Trzcinski. After a thorough evaluation, we concluded that the risks posed by other mobile solutions were too significant. Despite considering MDM technology, concerns regarding HIPAA compliance and the potential for data exposure on lost or stolen devices persisted.
Issuing corporate devices proved to be prohibitively expensive.
We also had to consider that a high-level executive had their personal phone stolen and cloned so we knew we needed a proven and secure solution.
Q. What are some strategies for assuring HIPAA compliance across mobile devices?
O'Donnell. Two strategies include deploying access controls and virtualization. Implementing strong access controls, such as multi-factor authentication and role-based access, can prevent unauthorized access to patient data and maintain HIPAA compliance.
With virtualization, no data is at rest or in transit, which helps safeguard ePHI and restrict unauthorized access.
Trzcinski. A concrete way to assure HIPAA compliance across mobile devices is to develop a formal BYOD policy.
By developing and enforcing strict policies, we can ensure employees are protected and understand their responsibilities, as well as how to use designated technology solutions properly to ensure compliance.
O'Donnell's and Trzcinski's session, "Unlocking Healthcare's Mobile Future: A HIPAA-Compliant BYOD Use Case," is scheduled to take place on Wednesday, March 13, 12:15-12:35 a.m., in the Cybersecurity Command Center, Theatre B, at HIMSS24 in Orlando.
Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org
Healthcare IT News is a HIMSS Media publication.