Insecure Mobile Devices
In a May 2016 study by the Ponemon Institute, 89% of the healthcare organizations surveyed had at least one data breach involving the loss or theft of patient data in the 24 months prior to the survey. Nearly half of those had more than five breaches. When asked what type of security incident worries them the most, 30% said the use of insecure mobile devices.
With the growth of BYOD environments, mobile devices have become an essential tool for communication. Workflow is critical and text messaging is a logical communication medium to choose. It's quick, easy and universally available. However, there are security and compliance risks that must be addressed when allowing texting to be used in your organization.
The key thing to determine is whether or not messages contain PHI. The US Department of Health defines PHI as individually identifiable health information that is transmitted or maintained in any form or medium (electronic, oral, or paper) by a covered entity or its business associates. Technology, such as text messaging, that is used for accessing, transmitting or receiving PHI electronically is covered by the HIPAA Security Rule. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of ePHI. Violations can result in substantial penalties.
In order to help mitigate the risk to your organization from a texting security incident or compliance violation, consider implementing the following.
1. Include text messaging in your organization's overall risk analysis and management strategy.
2. Determine what information is acceptable to text and train your staff accordingly.
3. Keep an inventory of mobile devices (both personal and provider owned) and ensure devices are using passcodes.
4. If you haven't done so already, consider using a vendor-supplied secure text messaging app that is HIPAA and HITECH compliant. These apps allow you to send ePHI to contacts inside and outside your organization. Your answering service may also use it to communicate detailed information to the on-call physician.
A HIPAA compliant secure messaging service should provide you with:
- Separation of healthcare texting from personal texting
- Encryption of messages
- Special authorization and authentication requirements to access messages
- No storage of messages on the actual device
- Remote disabling of the app on lost or stolen devices
- No PHI in screen notifications
- Access device to device or through a secure web application
- Persistent message alerts and synchronization on all devices
- Availability on both WiFi and 3G/4G networks
- Elimination of pager expense by consolidation of devices
You can never eliminate all risk but you can certainly take measures to mitigate it. Through planning and partnership, you can continue to incorporate texting into your workflow while still maintaining compliance and security.
Sarah Conway is the Business Development Manager at Golden West Technologies.