Advisory Panel: PHI on Mobile Devices
The HIStalk Advisory Panel is a group of hospital CIOs, hospital CMIOs, practicing physicians, and a few vendor executives who have volunteered to provide their thoughts on topical industry issues. I’ll seek their input every month or so on important news developments and also ask the non-vendor members about their recent experience with vendors. E-mail me to suggest an issue for their consideration.
If you work for a hospital or practice, you are welcome to join the panel. I am grateful to the HIStalk Advisory Panel members for their help in making HIStalk better.
The question this time: What policies, practices, and tools are you using to control the use of PHI on mobile devices and apps?
Policies titled “Data Encryption” and “Mobile Device Safeguards” provide the basis for protection regarding mobile devices, emphasizing the requirements for encryption (storage and transmission), not saving PHI to mobile devices unless necessary, deleting the PHI when finished, and basic physical protections. Tools utilized are various methods of VPN, McAfee EMM and ActiveSync, native and container encryption methods, whole disk encryption, complex passwords, training and publications, Citrix, VM View, and custom applications that provide connectivity without storage or print.
We require any device that connects to our mail server to be encrypted. If the device isn’t encrypted, the server won’t allow a connection. We’re still working on a secure communication system with our non-employed providers, since they want us to send SMS messages rather than emails.
We use Good Technology to provide secured access to our corporate email, contacts, and calendar on mobile devices. Our policies limit the users who can have access by role. My perspective is that we use Good to mitigate our risks, but it has not increased satisfaction among our users.
We force a password protection on mobile devices and enforce a "10 attempts" wipe policy.
The health system adopted an encryption policy as a CYA effort. We officially prohibit the use of personal computers for health system business, but I can’t see any way that we can control or even police this activity. Employees have external hard drives at home that they use to back up their laptops; at least they should have some backup mechanism. Therefore, when any of these home-based devices is stolen, the health system does not have to report the event, but the patients’ data are still compromised.
Likely not a surprise with all the recent news around this subject, we are about to launch the following: (1) Automatically encrypting all outgoing emails which contain PHI (based on whatever detection system the IT team is using). I hope ours is accurate and does not create a painful process in non-PHI circumstances; (2) Automatically enforcing that any smart phones syncing to the system for emails/calendar have a four-digit device PIN, an inactivity timeout under 15 minutes, and remote wipe ability if the device is lost or stolen – I did not realize they could do all this automatically (but hopefully most of us do all this already!)
We have a policy that prohibits storage of PHI on mobile devices. We use a mobile device management software tool (MDM) that enables us to securely deliver e-mail, calendar, and contacts from our Exchange environment to iPhones and Android smart phones.
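Several panelists above describe the same set of controls applied at the mail server: no sync unless the device is encrypted, a required PIN, an inactivity lock, a wipe after ten failed unlock attempts, and remote wipe when a device is reported lost. The following is an added example, not from any panelist or from HIStalk, of how those controls are expressed as an Exchange ActiveSync mobile device mailbox policy. It uses the Exchange 2013 and later cmdlet names (Exchange 2010 uses the equivalent *-ActiveSyncMailboxPolicy cmdlets with slightly different parameter names, e.g. DevicePasswordEnabled); the policy name, the mailbox alias "jdoe", the device identity and the notification address are placeholders.

```powershell
# Added example (not HIStalk's or any panelist's code). Assumes an Exchange
# Management Shell session with Exchange 2013 or later. Policy name, mailbox
# alias, device identity and notification address are placeholders.

# Build the policy as a hashtable so each setting can carry a comment, then
# splat it into New-MobileDeviceMailboxPolicy.
$phiPolicy = @{
    Name                         = 'PHI-Mobile-Baseline'  # placeholder policy name
    PasswordEnabled              = $true                  # PIN/password required on the device
    AllowSimplePassword          = $false                 # rejects 1111 / 1234 style PINs
    MinPasswordLength            = 4                      # the four-digit minimum a panelist describes
    MaxInactivityTimeLock        = '00:10:00'             # lock after 10 minutes idle (panel: under 15)
    MaxPasswordFailedAttempts    = 10                     # the "10 attempts" wipe policy
    RequireDeviceEncryption      = $true                  # unencrypted device cannot sync
    AllowNonProvisionableDevices = $false                 # refuse devices that cannot apply the policy
    IsDefault                    = $true                  # applies to every mailbox unless overridden
}
New-MobileDeviceMailboxPolicy @phiPolicy

# Policies can also be assigned per mailbox, which is how role-based access
# (e.g. providers only) is layered on top of the default.
Set-CASMailbox -Identity 'jdoe' -ActiveSyncMailboxPolicy 'PHI-Mobile-Baseline'

# Check what the server actually enforced: DeviceAccessState shows whether the
# device was allowed, quarantined or blocked, and LastPolicyUpdateTime shows
# whether the device has acknowledged the current policy.
Get-MobileDevice -Mailbox 'jdoe' |
    Get-MobileDeviceStatistics |
    Select-Object DeviceFriendlyName, DeviceOS, DeviceAccessState,
                  IsRemoteWipeSupported, LastPolicyUpdateTime

# Lost-device incident: a full remote wipe of the device (not just the mail
# account), which is what the panelist's physician experienced. Exchange prompts
# for confirmation and sends the notification when the device acknowledges the wipe.
Clear-MobileDevice -Identity 'jdoe\iPhone\DEVICEIDPLACEHOLDER' `
    -NotificationEmailAddresses 'secops@example.org'
```

Two points a reviewer would check on a real deployment: AllowNonProvisionableDevices set to $true silently lets devices that cannot enforce the policy (older or non-compliant mail clients) sync anyway, which is the "misconfigured policy" one panelist describes; and the wipe issued by Clear-MobileDevice is a factory reset of the whole device, so a personal/business container approach (as with MaaS360 or Good) is what avoids destroying the user's own data.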
Must enforce passcodes; that is blocking-and-tackling/101 stuff. All too often you’ll see misconfigured policies for iOS / Android / BlackBerry that are missing that simple setting. Then you must encrypt. We are using a cloud service, MaaS360, that segments the device into a personal and a business side. The solution has device encryption and very nice GUIs for policy management. You can deploy your own applications through the solution and it’s been stable. Cheaper solution compared to other MDMs.
DLP for flash drives and any data moved to a mobile device or external drive. The use of computers as kiosks in all patient care areas. These are locked down so that no data can be downloaded. Encryption on phones though this is a self-reporting/self-enrollment process at the present. By policy we require all portable devices to be encrypted. This is difficult to enforce on non-organizationally owned devices.
Currently only supporting Epic apps (Haiku) and don’t require UDID management. Rather, we control by security (if you’re a provider, you can use it). We just force 5-minute logouts and logout immediately upon exit. We are looking at bringing up policies for mobile management of any device that wants to connect to our Exchange as well. Should be live by end of year. BlackBerry Enterprise Server offers these controls.
In the process of implementing an MDM solution, and evaluating DLP solutions.
If employees choose to store PHI on their mobile devices, the device must be protected by encryption and strong passwords; they must fall under central device management, which means we can erase the device remotely and enforce password policies; and they must agree to declare a "lost PHI device" incident within 1 hour of first realizing the device was lost. Interestingly, we experienced one of these incidents recently. A physician reported his device lost, as required, and we erased it – everything on it. Later, he found it and was angry that we had erased his personal pictures and address book.
We are in the process of rolling out a mobile device management strategy utilizing AirWatch. In addition, we already limit the individuals and roles that can access particular information (even a bit more granular/more tightly controlled than the typical role-based access) with regard to mobile devices/apps.
These mostly sound like the failed policies regarding laptop PCs from a few years ago. Have we learned nothing? A mobile device is like a small laptop for PHI security purposes.
The end-user device should be provisioned by the health care organization, or a trusted business associate (in the HIPAA sense). No personally-supplied devices allowed.
The end-user device should be protected by strong authentication and on-device encryption of all stored data.
The end-user device should be protected by a 100% remote data wipe in event of loss.
Data protection policies should be clearly communicated to all who have access to PHI.
The end-user should lose all PHI privileges if found to be in violation of the policies. Loss of privileges may include loss of employment.