Is a Cell Phone Ban Too Extreme?

Experts Discuss How to Help Volunteers Ensure Privacy

As the result of a recent data breach, one Florida healthcare organization has now banned the use of cell phones by volunteer workers. Was this a proactive measure or an over-reaction?


Security experts say the case spotlights some of the delicate patient privacy considerations healthcare providers need to balance when dealing with security and volunteers.

The 2012 breach at Jackson Health System involved a former hospital volunteer who used his cell phone to take photos of 1,000-plus patient records. The volunteer allegedly sold the information, which included Social Security numbers, to another individual who used the information to file fake tax returns.

As a result of the breach, Jackson Health System recently implemented new rules for its volunteer workforce, including banning the use of personal cell phones in patient areas. "The new policy affecting volunteers is a result of the breach," says a Jackson Health System spokesman.

But is it a policy that could spread to other organizations concerned about their own volunteers causing breaches? Health data security experts say that an outright ban of cell phone use by volunteers could prove to be an unpopular policy that's difficult to enforce, considering many cash-strapped hospitals depend on the good will of volunteers to supplement staff.

As alternate options, experts say, healthcare organizations should consider other ways of bolstering security and privacy safeguards involving volunteers, including improved training, better screening and reassessing other policies, such as those related to recordings and photography.

Dependent on Volunteers

For starters, volunteers are a crucial part of manpower for many healthcare organizations. So, implementing and enforcing strong patient data privacy safeguards among volunteer staff is critical, yet somewhat of a delicate issue.

"I would say this is a knee-jerk reaction to an isolated incident," says security expert Tom Walsh, president of Tom Walsh Consulting, about the Jackson Health cell phone ban. "If volunteers were banned from bringing their personally-owned cell phones to work, we'd have a drop in the number of volunteers. Hospitals are sensitive to the needs of their volunteers and would not do anything that would upset them."

Kate Borten, president of IT security consultancy, The Marblehead Group, agrees that volunteers are vital to some healthcare organizations, so policies need to be crafted to safeguard patient information without being a total turnoff to the individuals' goodwill.

"Volunteers are common in most, if not all, hospitals," she says. "In some hospitals they are vital and fill gaps in staffing. They typically have at least some access to patient information."

With that said, many hospitals have a lower tolerance for volunteers' violations of privacy and security policies than for employees' infractions, Borten adds. "Setting a higher bar, such as banning personal cell phones within the facilities, is reasonable since it's highly unlikely they need their personal phones for hospital work," she says. Instead, volunteers can use their cell phones outside patient facilities, during breaks, for example. "While this is not yet common practice, the breach involving a volunteer's cell phone should prompt all hospitals to consider a similar policy," she says.

Patient Privacy Safeguards

In addition to considering a ban on cell phone use near patient areas, healthcare organizations also need to provide their volunteers with training about patient privacy and security rules. In fact, bolstered volunteer training about patient privacy policies is something that Jackson Health is also doing in the wake of the breach.

And considering that the Jackson Health breach involved the use of cell phones to capture patient record images, some experts suggest that now might also be a good time for healthcare organizations to dust off their policies regarding photography and recording.

"When these policies were originally written, I'm sure they were not thinking about a smart phone that can record video, audio and take pictures and post them on the Internet in less than a minute," Walsh says. "This is risky business for caregivers and hospitals. My advice: Review the nursing policy on recording device use in the hospital."

As an alternative to outright cell phone bans, healthcare organizations need to be more mindful overall of the patient information to which volunteers are exposed, suggests privacy attorney Ron Raether, a partner at Faruki Ireland & Cox P.L.L. Healthcare organizations should limit volunteers' access to patient information.

Raether also says that it's not unusual for organizations in other industries, especially financial services, to have a "clean desk" policy where equipment is locked at the end of a work day, and in some extreme cases the use of cell phones and USB flash drives is prohibited. "But that sort of culture is often contrary to healthcare and volunteers," he says. Nonetheless, "in most cases, volunteers shouldn't have access to patient records," he says.

When volunteers do have access to patient information, including computer systems, healthcare organizations need to be watchful in managing volunteers' user IDs and passwords, as well as systems use.

"One problem I see involving hospital volunteers is that they sometimes share a generic user ID and password," Borten says. "Not only is that inconsistent with HIPAA's security rule, but it means the organization has no way of tracking who accessed which patients' records."

Finally, in staffing their organizations, hospitals and other care facilities need to carefully vet their prospective volunteers.

"Employees [undergo] background checks, but not all volunteers have background checks," Walsh says. "Keep in mind that the bulk of volunteers are senior citizens, followed by adults that retired early who want to stay busy, and teenagers looking for community service time. Part of the screening process could be, 'Why do you want to volunteer?'"

For more on background screening, see the new interview Top 10 Screening Trends for 2013.


About the Author

Marianne Kolbasuk McGee


Executive Editor, HealthcareInfoSecurity

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site, and played a lead role in the launch of InformationWeek's healthcare IT media site.



