Hospitals can gain a competitive edge by responding strategically to the rapid proliferation of mobile devices in health care, with security being an intrinsic part of their strategy.
At a Glance
An effective mobile health strategy should comprise, at the very least, six key steps:
- Conduct a mobile security risk assessment.
- Establish policies and procedures.
- Develop a training program.
- Implement measures to prevent unauthorized access.
- Perform a clinical workflow analysis.
- Establish the organization’s approach for responding to a breach.
Until recently, hospital finance executives tended not to regard the security of mobile health information as one of their foremost concerns. But today, with physicians rapidly embracing mobile devices for clinical use, it has become incumbent on finance leaders to pay close attention to how their organizations finance and support the security of electronic personal health information (ePHI).
The evidence that use of mobile devices is proliferating among clinicians is clear. As many as 98 percent of physicians interviewed in a recent study by Menlo Park, Calif.-based Spyglass Consulting Group said they use smartphones and tablets in their professional and personal lives (news release, “Study: Apple iPad Is Not Ready to Transform Healthcare Delivery Today, Says Spyglass Consulting Group,” Jan. 31, 2012). Yet among those physicians, 75 percent reported that hospitals were reluctant to connect mobile devices on their networks because the organizations regarded the devices as less secure, less reliable, and costlier to deploy and support than desktop computers. This reluctance is a denial of the inevitable: Even as many clinicians are already using mobile devices, the availability and prevalence of the devices alone will only encourage more clinicians to use them.
Meanwhile, the growing use of mobile devices in health care increases the risk to hospitals that the security of their patients’ ePHI could be breached. Since 2005, 532 providers experienced a data breach affecting nearly 21 million individuals (Bowen, K. A., “Accounting for Cyber Exposure,” Accountable Care News, June 2012). The average cost of addressing a breach in the healthcare industry could potentially increase nearly five-fold to $1,000 per record pending a successful class action verdict against Sutter Health System in Sacramento, Calif. (news release, Symantec, “Ponemon Study Indicates Organizational Data Breach Costs Hit $7.2 Billion and Show No Sign of Leveling Off,” March 8, 2011).
Widespread use of unsecured mobile devices is a major reason for the breaches: Eighty percent of healthcare organizations participating in a study by the Traverse City, Mich.-based Ponemon Institute said they use mobile devices to transmit ePHI, but half reported they have not taken proactive measures to secure the devices (news release, ID Experts, “Data Breaches Cost the Healthcare Industry an Estimated $6.5 Billion; Latest Ponemon Study Reveals Data Breaches Up 32 Percent Due to Sloppy Mistakes and Unsecured Mobile Devices,” Dec. 11, 2011).
Steps to Securing Mobile Health Information
These factors point to a strong need for healthcare finance leaders to advocate development of a strategy to protect all ePHI accessed, stored, or transmitted via smartphones and tablets as an organizational priority. An effective strategy to secure mobile health information should comprise the following steps.
Conduct a mobile security risk assessment. Unlike a non-mobile security risk assessment, this assessment involves scrutinizing access from IP addresses outside an organization’s “trusted network.” Entities can retain a third party to analyze the server and other technologies supporting mobile health and data transfer to mobile devices. As a necessary component of the assessment, the organization should test its firewalls for penetration weaknesses to identify vulnerabilities hackers could exploit to attack the organization’s network and systems.
Establish policies and procedures. After assessing and understanding the security risks, the organization should establish a corporate IT governance group with adequate representation from the company’s compliance department, IT department, security department, clinical operations department, and legal department. The committee should create policies and procedures governing seven areas of concern:
- Mobile access
- Patient consent
- Data storage on mobile devices (e.g., device-level encryption, encryption of data at rest [i.e., stored within an organization’s infrastructure, usually behind a firewall], encryption of data in motion [i.e., in transit between an organization’s network and a mobile device, tablet, or application], and mandatory use of trusted Wi-Fi networks)
- Transmission to and from mobile devices (e.g., limiting transmission of ePHI to only that which is necessary for rendering treatment)
- Notification of loss or theft of devices, and return of company-issued devices upon termination of employment for cleansing and remote wiping of data, as necessary
- Audits of mobile health devices and the underlying network architecture supporting them on a quarterly basis
- Response to reported potential and real breaches
Develop a training program. The next step is to disseminate, educate, and train clinicians and employees about ePHI policies and procedures. In addition to promoting an enterprisewide understanding of the facility’s breach response plan, the training curriculum should build awareness of security-related matters, such as the importance of HIPAA privacy and security rules and penalties for unauthorized disclosure of ePHI. The curriculum also should include an assessment of employees’ comprehension of the information and an attestation form indicating employees’ understanding of their organization’s policy on unauthorized disclosure and rules involving mobile devices and ePHI.
Trainers should be subject matter experts who are well-versed in all content and fully capable of answering questions. The best means to deliver content is through online media channels in which employees have unlimited access. Through online training, new employees can complete the curriculum during their orientation period, and all employees can take mandated annual refresher courses and sign the attestation form.
Implement measures to prevent unauthorized access. Encryption of a provider organization’s hardware supporting mobile devices and encryption of data stored on mobile devices can prevent potential security breaches when devices are lost or stolen. To secure mobile devices, special processes and software should be installed to prevent ePHI from being saved in areas unprotected by strong encryption.
The infrastructure supporting mobile devices should have encryption software capable of ensuring that all data are encrypted at rest not only on the devices, but also on the organization’s storage infrastructure.
The organization also should ensure that all transport pathways from its host infrastructure to the mobile device use VPN, SSL, or TLS connections, thereby providing encryption for data in motion. Further, to build upon the encryption of data in motion, the facility should restrict access to ePHI to IP addresses within its trusted network. It is best to avoid practices or mechanisms that grant mobile device users access to applications containing ePHI merely by answering security challenge questions when the request originates from an IP address outside the trusted network.
Identity management, access control, and authentication also should be tightened to combat unauthorized access. An effective way to do so is to employ multifactor authentication, a form of access control that draws on three categories of identity verification factors to make systems difficult to compromise:
- Information the person knows (e.g., a password or an ID number)
- An item the person possesses (e.g., an access token or a key card)
- A physical feature of the person (e.g., biometric characteristics such as a fingerprint or iris)
Providers should require mobile device users to create strong passwords. Such passwords should be at least seven characters and contain a combination of letters and numbers, including one capitalized letter and a special character such as & or %.
To further strengthen passwords, organizations should reject any word that could be found in a dictionary as a password. Although some organizations might view this step as a nuisance, it adds another roadblock to individuals or programs attempting to penetrate mobile devices. Likewise, facilities should require users to change passwords at least every 180 days.
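As an added illustration (not code from the article or from any provider it describes), the password rules above expressed as a checker a provider could run when a mobile user enrolls; the wordlist and the set of accepted special characters are constructed stand-ins for an organization's own lists:

```python
import re
from datetime import date, timedelta

# Constructed stand-in for an organization's dictionary wordlist
# (assumption: a real deployment loads a full wordlist file).
DICTIONARY = {"password", "hospital", "welcome", "summer", "nurse", "doctor"}

MIN_LENGTH = 7                 # "at least seven characters"
MAX_AGE = timedelta(days=180)  # "change passwords at least every 180 days"
SPECIAL = set("&%!@#$^*()-_=+[]{};:,.?/")  # assumed accepted special characters


def check_password(password: str) -> list:
    """Return the policy rules the password violates (empty list if it passes)."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("too short")
    # Must combine letters and numbers.
    if not re.search(r"[A-Za-z]", password) or not re.search(r"\d", password):
        failures.append("needs letters and numbers")
    if not re.search(r"[A-Z]", password):
        failures.append("needs a capital letter")
    if not any(c in SPECIAL for c in password):
        failures.append("needs a special character")
    # Dictionary check on the alphabetic core, so "Hospital1&" is still
    # recognised as the dictionary word "hospital" dressed up with symbols.
    core = re.sub(r"[^A-Za-z]", "", password).lower()
    if core in DICTIONARY:
        failures.append("dictionary word")
    return failures


def password_expired(last_changed: str, today: str) -> bool:
    """True when the password (dates as ISO strings) is older than 180 days."""
    return date.fromisoformat(today) - date.fromisoformat(last_changed) > MAX_AGE


if __name__ == "__main__":
    for candidate in ["Rx7%kq2Lm", "Ab1%", "Hospital1&", "rx7%kq2lm"]:
        print(candidate, "->", check_password(candidate) or "accepted")
    print("expired:", password_expired("2013-02-01", "2013-09-01"))
```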
Perform a clinical workflow analysis. Organizations should examine clinical workflows when introducing ePHI to mobile devices because moving this type of data to mobile devices changes a user’s viewing environment. In a computer setting, ePHI is accessed at a clinician or centralized nursing station, providing users with a somewhat sheltered environment in which to view information. By contrast, ePHI on mobile devices accessed in open public areas can be easily seen by any patient, family member, clinician, or hospital employee.
By conducting a clinical workflow analysis, an organization can determine where and how clinicians and other personnel will use mobile devices inside and outside the hospital. An important objective is to make clinicians aware that sensitive ePHI on their mobile devices must be handled differently from how they are accustomed to handling non-mobile data and that they must alter their practices to account for this difference. The organization’s policy should cover appropriate and inappropriate places to view ePHI on mobile devices; for example, text messaging between hospital staff might be deemed an inappropriate means of sharing ePHI.
Establish the organization’s approach for responding to a breach. Should a data breach occur, the organization should examine the incident with the goal of determining what lessons can be learned from it. By addressing the incident with this mindset, organizations can understand the pivotal failure points that led to the breach and revise and bolster safeguards to prevent its recurrence.
The analysis should seek answers to four important questions:
- In what areas have opportunities not been considered for revising or expanding ePHI policies and procedures?
- Is the organization’s breach response plan sufficiently comprehensive to prevent a similar incident from occurring?
- Was the breach caused by adoption of a new mobile device or by an upgrade of a mobile health operating system?
- How do the breach incident policies and procedures support fluid growth of and adaptation to new mobile health technology and operating systems?
Case Study: Ardent Health Services
Ardent Health Services, based in Nashville, Tenn., is an example of a health system that has developed and implemented a successful mobile health strategy as part of a self-dubbed “connected care strategy” to extend clinical services to patients and providers.
Like many healthcare organizations, Ardent did not anticipate consumers’ explosive adoption of mobile devices. Nor did it foresee the devices’ emergence as a critical business commodity until referring physicians clamored for mobile connectivity. When Ardent’s leaders did come to recognize these trends, they realized their organization would be at a disadvantage competitively if it did not develop a strong strategy for participating in the mobile environment. They came to view mobile health not only as a physician satisfaction issue, but also as a competitive driver.
In 2011, to address the security of mobile ePHI, Ardent developed a comprehensive set of policies and procedures specific to mobile health. One notable policy legally empowers Ardent to install security software on employees’ personal mobile devices and to wipe the device when unforeseen incidents, such as an employee resigning, pose a potential security threat.
Another policy stipulates that users must first sign an agreement that grants them “provisioning access” to use their mobile devices in conjunction with the hospital’s network and for care coordination purposes. Once a device is connected, Ardent sends a configuration file that programs the security settings, including password and encryption.
After rolling out its new policies and procedures, Ardent launched a program to educate clinicians and staff about the risks of using mobile devices—raising awareness, for example, of how easy it is for thieves to steal smartphones and iPads or for employees to misplace devices. The instruction explained why passwords, data encryption, and other security controls are required to prevent breaches and mitigate the consequences if mistakes should occur. The awareness program is now a regular part of orientation for new employees and of annual training of all employees held in conjunction with Ardent’s yearly compliance training.
Ardent’s security IT team conducts monthly, quarterly, and annual audits of its security practices, with progressively higher bars and levels of thoroughness to match the change in audit frequency.
Ardent also limits the types of apps that employees can download (from iTunes, for example). And it has installed security controls on the enterprise network and servers to minimize risk of unauthorized access, hacking, or viruses infecting clinical systems and data. Emails from and to a mobile device are automatically encrypted.
Mobile Health Equals a Competitive Edge
As health care shifts from fee-for-service to outcomes-based care delivery and payment, the ability to effectively engage patients in managing and coordinating care across the healthcare continuum will be critical to improving quality and reducing costs. Mobile health will be essential to achieving these goals. Organizations that institute mobile security strategies protecting ePHI will burnish their reputation for high-quality, cost-effective care and position themselves to better attract and retain patients and strengthen relationships with referring physicians.
Hays Green is healthcare policy practice lead, WPC, Brentwood, Tenn. (firstname.lastname@example.org).
Security of Personal Health Information: Regulatory Mandates and Penalties
Regardless of whether hospitals support mobility, they still are required to secure mobile data. Security is a major focus of the meaningful use requirements promulgated by the Centers for Medicare & Medicaid Services (CMS) and of provisions of the HITECH Act. The former requires hospitals to conduct a security risk assessment and address identified deficiencies. The latter mandates that “covered entities” under the Health Insurance Portability and Accountability Act (HIPAA) follow federal security protocols developed by the National Institute of Standards and Technology.
HITECH also has substantially stiffened HIPAA penalties based on the level of an organization’s culpability for a data breach. Before HITECH, the minimum penalty was $100 per violation, with a cap of $25,000 for all identical violations of the same provision in a calendar year (“HIPAA Administrative Simplification: Enforcement,” interim final rule, Federal Register, Oct. 30, 2009). It was possible for providers to escape the penalties if they demonstrated not knowing they had violated the law. However, HITECH eliminated that loophole and raised the annual cap to $1.5 million (news release, U.S. Department of Health & Human Services, “HHS Strengthens HIPAA Enforcement,” Oct. 30, 2009).
Publication Date: Friday, February 01, 2013