Addressing BYOD in Healthcare
Federal Adviser Lists Top Recommendations
Healthcare organizations that allow staff members to use personally owned mobile devices for work-related purposes need to first develop a policy outlining the rules of the road, says Kathryn Marchesini, privacy adviser at the Office of the National Coordinator for Health IT.
When accommodating bring-your-own-device, organizations must, for example, spell out any restrictions and clarify standard device configuration requirements and settings, Marchesini says in an interview with HealthcareInfoSecurity (transcript below).
Organizations also should have employees register their devices. "This allows the organization to have the ability to control who has access to their networks or systems," Marchesini says. "They can keep unauthorized persons from accessing their networks, and also they will be better positioned in case there's potentially a lost or stolen device."
Marchesini also suggests organizations use device-level security configuration settings. "Anyone can install and enable encryption," she says. "They can have access controls; set a password. They can activate remote-wiping or disabling on their personal device."
Mobile Device Guide
Two units of the Department of Health and Human Services, ONC and the Office for Civil Rights, recently created an online education resource containing advice on privacy and security issues around mobile devices (see: HHS Offers Mobile Device Security Tips).
In the interview, Marchesini discusses:
- The importance of staff training;
- Differences in the mobile challenges faced by larger and smaller organizations;
- Why access controls need to be a top priority.
In her role at ONC, Marchesini, an attorney, serves as lead analyst and adviser to the Office of Chief Privacy Officer on privacy and security activities, implications and issues. She also works closely with OCR and other operating divisions of HHS, as well as with other federal and state agencies. Marchesini's previous experience includes leadership positions at Booz Allen Hamilton and Deloitte Consulting, formerly BearingPoint.
Mobile Security Resource
MARIANNE KOLBASUK MCGEE: ONC recently unveiled a new online educational resource to help healthcare providers protect patient data on mobile devices. Tell us about this resource. Why is mobile security such an important focus for ONC?
KATHRYN MARCHESINI: As you probably know, there's a lot of statistical data out there that shows that there's a rapid adoption of mobile devices in the healthcare industry, much like a lot of other industries, and there's an anticipation that there's going to be an increasing use of these devices. At ONC, we recognize the clinicians want to use these mobile devices, such as laptops, tablets and smart phones, to access and transmit health information and [assist with] healthcare delivery. We recognize there are benefits to mobile devices, everything from their portability, their size, their convenience and the overall role in care coordination. ...
However, we do want to balance this. We want to make sure that [with] this rapid adoption ... there are proper privacy and security protections in place for this health information, which is part of the reason why we worked with the HHS' Office for Civil Rights to launch a multipronged educational initiative regarding mobile devices - Know the risks. Take the steps. Protect and Secure Health Information. We hope that these online educational tools in general provide a user-friendly resource to help raise awareness and increase provider and professional understanding around this topic to help them to better protect and secure health information that's entrusted in their care. We worked together to develop a set of tools to encourage providers to know the risks and take the steps to protect and secure health information. This information that I've referenced is available at our website.
MCGEE: Why do healthcare organizations continue to struggle so much with mobile security?
MARCHESINI: I would talk about mobile devices having unique security challenges. For example, due to their portability, they're easy to misplace. Also, mobile devices have wireless connectivity, so on these mobile devices - laptops, smart phones and tablets - users have the ability to bypass secure connections and they can actually connect directly to the Internet and other untrusted resources when they're either in the healthcare setting and/or outside the healthcare delivery network.
These challenges are not necessarily new. Similarly, when laptops were introduced into the work environment, this sometimes led to security and potential incidents around the protection of health information when the electronic devices went mobile, when laptops were starting to be taken home.
However, the mobile devices have become a lot smaller. ... They're lighter - everything from smart phones to tablet computers. I think this has ... elevated their exposure to these risks. Also, there seems to be an increasing rate in changing of mobile device operating systems, as well as the hardware and software updates and modifications ... that need to be employed on these mobile devices. ...
And last but not least, [there's] the use of personally owned devices for healthcare organizations to look at. These make security in the mobile environment more of a challenge than it might have traditionally been in a regular desktop environment. These [mobile devices] often require new approaches; for example, to continuously monitor and manage these devices to ensure that health information is private and secure.
MCGEE: What are the top mistakes that healthcare providers make with mobile security?
MARCHESINI: I would first start by talking about the lack of use of encryption. Installing and enabling encryption protects insecure information that could either be stored or transmitted by a mobile device. A lot of the times, when healthcare providers and staff encrypt data stored on the mobile device, they can help prevent unauthorized access to it. Similarly, when they encrypt data in motion or data in transit, they prevent unauthorized virtual access to the data.
Another top mistake deals with access controls for the mobile device. For example, the lack of setting a strong password, or if healthcare providers and professionals share their device, there may not be unique user credentials or authentication for the device - or they're taking it home and sharing it with friends and family.
Other ... potential top mistakes deal with the lack of a [formal] mobile device use policy. From my perspective, no matter how an organization chooses to address privacy and security, the healthcare organization needs to make sure that these are documented in a policy, in particular, regarding how to handle mobile devices, so healthcare providers and staff are aware of the rules of the road around these particular devices. We refer to this in our resources - that organizations should develop and implement reasonable and appropriate policies to safeguard the health information. We hope that people who are interested can find out more on these topics and questions that they can consider.
Last, I would also talk about the lack of mobile device privacy and security training for healthcare providers and staff. As I just spoke about policies, organizations can do everything that they want. They can make all the plans about safeguards and policies that they want the workforce to implement and use. However, in essence, if the providers and professionals aren't trained or fully understand what those policies are, they're not effective in ensuring that the information is protected. It's important that everyone involved in the organization, from various levels - executives on down to providers as well as staff - understands what the organization requires, as well as their expectation regarding privacy and security of the health information when using their mobile devices.
Large vs. Small Organizations
MCGEE: What are the differences between the challenges that larger healthcare organizations have compared with the mobile security issues that the smaller healthcare providers face?
MARCHESINI: Many of the mobile device security challenges that healthcare organizations face are the same despite their size. For example, in general, organizations and providers need to protect and secure the information regardless of the technology that they're using. In most situations, this includes having specific security settings or technical controls on the actual device locally, making sure things are configured - for example, setting a strong password, installing and enabling encryption, making sure anti-virus or malware protection software is updated.
However, in saying that, some of the challenges may be more prevalent given the size of the organization. I'll speak to one. A large organization may have a large number of devices or users who want to access their internal networks, and there potentially could be a challenge for a larger healthcare organization to continuously monitor and manage the mobile devices. This is sometimes referred to as mobile device management, and there are also ways that you can virtually have an infrastructure in place to help manage these devices. There are various types, makes and models [of devices] across the organization, and they may also not physically be in the same location. ...
In parallel with that, the smaller healthcare organizations, while they may not have the same level of complexity regarding the types, makes and models of these devices, usually do not have as many resources - the necessary IT staff and/or the bandwidth to dedicate to privacy and security full-time. We understand that clinicians are in the business of protecting and saving lives and [don't] necessarily have the core competency in privacy and security. Through our educational resources that we have made available online, we're trying to make sure that privacy and security are easier for our healthcare providers and their teams, to allow them to integrate this into their culture, and keep them [these issues] top-of-mind.
Improving Mobile Security
MCGEE: What would you say are the top-three things that healthcare organizations should be doing to improve mobile security and avoid breaches?
MARCHESINI: I would start with installing and enabling encryption when using mobile devices. This would include personally-owned devices used in the delivery of care. Another thing that healthcare organizations can do deals with developing, documenting and implementing clear mobile device policies and procedures, making sure that they outline what their requirements and expectations are. For example, identify if there's any standard configuration requirement, such as remote-wipe and/or remote-disabling of the mobile device. Whether they're issued by the care-delivery organization or they're personally owned devices, if they're accessing their internal networks or resources, it's helpful for healthcare providers and staff to understand what the policies and procedures are.
Another area to focus on is dealing with access controls. Healthcare organizations can have workforce members keep their mobile devices with them at all times, making sure that if they're not using them that they have them physically and technically secured, everything from setting the strong password to having automatic log-off and the like.
MCGEE: What advice do you have to healthcare organizations in regards to employees and others who are bringing their own personal mobile devices to work? What should they be thinking of in terms of protecting patient data?
MARCHESINI: I recognize that's a challenge for folks. As part of our educational initiative, we outlined a five-step approach to help organizations manage these mobile devices, which also includes some areas that they could look at when there are employees or other individuals who might be credentialed to access their system when they're bringing their personal devices.
In addition, we've also outlined 11 tips on how providers and professionals can protect and secure information on the mobile devices. We've tried to tackle it from the approach of the organization itself and the individual clinician. Some of the topics top-of-mind that organizations should consider when looking at bring-your-own-device, or BYOD, include having a policy regarding whether or not individuals are allowed to use their own devices, if there are any restrictions, are there standard device configuration requirements and settings, and making sure that it clearly explains those to individuals.
Another thing would be having individuals register their personal device with the healthcare organization. In this case, this allows the organization to have the ability to control who has access to their networks or systems. They can keep unauthorized persons from accessing their networks, and also they will be better positioned in case there's potentially a lost or stolen device. They would be able to handle that more effectively.
Last, I would suggest that healthcare organizations utilize device-level security configuration settings on the mobile devices. I talked a little bit about this in general, but I also think that this is something that's applicable to any device, regardless of if it's issued by the organization or it's personally owned. Anyone can install and enable encryption. They can have access controls. Set a password. They can activate remote-wiping or disabling on their personal device.
Using Public Wi-Fi Networks
MCGEE: How should healthcare workers and others be protecting patient data when they use their mobile devices on public Wi-Fi networks?
MARCHESINI: Public Wi-Fi networks can be an easy way for unauthorized users to access or intercept patient health information in transit. Through our educational initiative, we've made basic explanatory videos available that focus on common risk scenarios and provide examples of steps that healthcare providers and professionals can take to protect and secure health information. One of those videos actually includes a healthcare provider trying to use a tablet computer to access a patient's medical record while using a coffee shop's Wi-Fi network. I'd encourage people to check this out and other videos on our website.
In general, when using a mobile device, healthcare providers and professionals can protect health information by not sending or receiving it when connecting to a public Wi-Fi network, unless they're securing it and using an encrypted connection. For example, regardless of whether healthcare providers or staff are using a public or private Wi-Fi connection, they have the opportunity to use a virtual private network if it's available to them through their organization. In this case, the information would be encrypted if it was sent and it would protect the information from unauthorized access while it's being sent over the Internet using an unsecured network.
Healthcare providers and staff can also make sure they're using a secure browser connection - check to make sure if they're using a secure browser connection by seeing if there's an HTTPS in the website address. But as I mentioned, more information about using a mobile device to access patient health information we've made available on our website, and for this particular question about public Wi-Fi networks, we have a video titled "Can You Protect Patients' Health Information When Using a Public Wi-Fi Network?"