HIPAA-related security concerns mount as smartphones become more ubiquitous across enterprise healthcare environments.
Ransomware headlines seem to reign supreme in healthcare news, and yet industry insiders know that the greater potential for cyberattack and financial loss resides in just about every person’s pocket (or pocketbook). Catholic Health Care Services of the Archdiocese of Philadelphia’s $650,000 settlement with OCR for HIPAA violations this summer is a prime example of the vulnerability of mobile smart devices. The settlement stemmed from the theft of a smartphone containing the PHI of 412 nursing home residents. Acting as a business associate, CHCS provided IT and management services to six SNFs, and was thus responsible for protecting resident PHI under HIPAA. OCR found that, in addition to a lack of encryption and password protection, CHCS also neglected to develop a risk analysis and accompanying plan for risk management.
While the organization’s lack of cyber safeguards and subsequent fine made headlines, it’s probably a safe bet to assume that other similar entities are operating without the appropriate security safety nets.
Getting on the MDM Hamster Wheel
Smartphone security “is a moving target,” says Alex Brown, director of strategy at healthcare communications company Voalte. “Today, there seems to be two layers of what people are looking into when it comes to smartphone security – applications on the device and the content of those applications. If your application has PHI sitting in it all the time, than you have a much higher risk than with an app that has PHI on it only when it’s connected to a server.
“Not every healthcare organization has the expertise to deploy security,” he adds, “which is why providers rely so much on vendors to make sure that they’re really keeping up to date with best practices around mobile device management.”
Brown finds that in today’s world of escalating cybersecurity concerns, constant dialogue with hospital customers about the importance of up-to-date MDM is a must. Hospitals are now faced with managing almost daily updates from Apple and Google, he explains, which, for many, has taken some getting used to.
“It’s an important piece that not a lot of sites think about,” Brown says. “It’s constantly moving. I like to refer to the smartphone space as a hamster wheel of updates. It can be a little daunting to get on it, and once you’re on it, you really have to keep up. If you don’t, that’s where you can introduce risk. The CHCS settlement was a gut check for other providers in the sense that they hopefully are now asking themselves, ‘Are we checking all the boxes constantly? Are there new boxes that we can now check?’”
Great Vendor Expectations
Parkview Medical Center (CO) CIO and Vice President of IT Steve Shirley has seen his fair share of cybersecurity practices, having spent 30 years in banking IT and nearly eight in healthcare. “In banking, we were mandated and audited on our vendor management programs. I routinely went onsite at vendor locations to audit their data centers, review their SaaS70 reports, and determine the overall security posture of the firm. We looked at their financials and did a significant amount of work to ensure the vendor was not only financially strong and stable, but secure, and that our data was safe.”
Shirley adds that security in the financial industry is at a higher level of maturation than in healthcare for obvious reasons. “They have to protect identities and money,” he explains. “Now that health data is under attack, we need to raise security to a higher standard. At Parkview, we’re heavy users of smartphones. The challenge is that in the BYOD world, other than our MDM strategy and provisioning, we don’t have a lot of control over what devices come in the door. And so we expect the highest level of security from our vendors. We include vendor management in our RFPs and require BA agreements for any vendor dialing into our system in any way. This is in addition to the standard requirement when the vendor has access to our data for things like analytical activity.
“When we implement new solutions,” he adds, “we collaborate with them to plan and design for security, whether at the mobile device level or system level. When we partnered with PatientSafe Solutions to roll out PatientTouch on the iPhone for services ranging from bedside medication verification to care team texting and communications, we brought in all of the vendors involved to develop a system that was not only reliable and functional, but also secure across all connections and access points. Six companies were involved: PatientSafe, their wireless vendor, our IT team and wireless vendor, Cisco, and Apple all participated in ensuring the system worked seamlessly and securely.”
Sticks Will Get the Cybersecurity Job Done
With regard to the CHCS breach, Shirley isn’t shy about sharing his opinion. “In the banking industry, I learned that we all mean to do good, but the movement of the day is so fast and furious that things tend to fall by the wayside,” he says. “And so the government stepped in with punitive measures for not meeting security or other standards. Y2K was a great example. The FDIC threatened to close banks if they didn’t have an appropriate Y2K strategy. I pray every day my hospital doesn’t get attacked and a breach occurs. As regretful and tough as the fine is, it’s a necessity because it creates an industry wakeup call for those who haven’t realized healthcare is under attack.
“It seems that while people understand that systems like servers, desktops, laptops, etc. are highly susceptible to attack if not properly protected, there’s a perception that smartphones are different,” he explains. “We, both industry and our consumers, need to get serious about understanding that a smartphone is a device that has access through the Internet and is thus vulnerable.”
Grace Hua, director of product management, clinical communications at PatientSafe, is of a like mind in her belief that hospitals should demand that vendors provide technology support and safeguards for clinician end users. “This should be a wakeup call not only for BAs, but for the industry as a whole,” she says in reference to the CHCS news. “BAs need to fully understand the importance of the data they are potentially putting at risk, and the implications of theft or security breach, as that data now has a dollar value tied to it. Hacking is now just as profitable in healthcare as other industries.”
Increasing Staff Awareness
When it comes to safeguarding smartphones and patient PHI, Shirley and his team are taking proactive measures to keep CHCS-type incidents at bay. Higher-level efforts include membership in security organizations like the SANS Institute and making sure that new technology deployments include a project milestone for evaluating and understanding potential security risks, and then developing a plan to mitigate them.
“This seems so intuitive,” he says, “but I think it is sometimes not the highest priority in the deployment of healthcare systems. Examples of this include installation of modalities for radiology that have communications facilities onboard, or even simple things like network printers.”
Shirley is especially excited about boots-on-the-ground efforts at Parkview. “We have a network security engineer who, in addition to his technical role, is responsible for security education. He regularly visits units during their daily huddles to give security tips like how to create strong passwords or how to validate that the person on the phone is authorized to receive information. Throughout the hospital, we use our digital wallboards to deliver security messages to everyone onsite. Our employee and physician newsletters have standing articles about safety. We’re also putting together a security video that will be required viewing for all employees. The effort has been huge in the last year to increase staff awareness.”
A Rising Tide Lifts All Cybersecurity Practices
Shirley is happy to report that his colleagues at neighboring institutions are paying just as much attention to securing mobile devices. “Two years ago, I would have said healthcare organizations are not paying enough attention to cybersecurity protection,” he says. “Now, I’m seeing new and extreme efforts every single day. Recently, a competitor healthcare system went to two-factor authentication for external access, and I think that’s awesome. At Parkview, we’ve implemented MDM for all of our devices. We don’t store data on laptops or mobile devices, and we don’t deploy any mobile hardware that hasn’t been encrypted. I think the industry understands healthcare is under threat and there are many points of potential vulnerability we need to address. It’s absolutely becoming more of a focus.”