Case Study: Securing Mobile Devices
In an exclusive interview, Fred Cruz, IT Director at American Hospice, describes how home health aides at the hospice use mobile devices while visiting patients. He outlines the security strategy, noting:
- Setting up a virtual private network to link the phones to servers behind a firewall proved challenging; several VPN products failed to work with the existing firewall.
- The VPN client communicates with the firewall and creates an encrypted tunnel to the servers behind it.
- Both the patient data and the home health application on the phones are encrypted.
- The phones are protected with a password lock, an essential step in case a device is lost or stolen.
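The last two points together form the at-rest control the interview describes: records on the phone are stored encrypted, and the passcode that locks the phone is what stands between a thief and the data. The program below is an added illustration of that pairing and is not code from American Hospice, NCP Engineering or Allscripts. It derives a record key from the passcode with PBKDF2-HMAC-SHA256 (written out by hand so it needs only the Go standard library), seals each record with AES-GCM, and shows that the wrong passcode, or a tampered record, fails authentication instead of yielding garbage. The patient record, the passcode and the layout `salt || nonce || ciphertext+tag` are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	saltLen    = 16      // random per record; defeats precomputed passcode tables
	nonceLen   = 12      // standard AES-GCM nonce size
	iterations = 100_000 // PBKDF2 work factor (assumed value for the example)
)

// pbkdf2SHA256 implements PBKDF2 with HMAC-SHA256 (RFC 8018) using only the
// standard library, so the example runs on any Go toolchain.
func pbkdf2SHA256(password, salt []byte, iter, keyLen int) []byte {
	var out []byte
	for block := uint32(1); len(out) < keyLen; block++ {
		var be [4]byte
		binary.BigEndian.PutUint32(be[:], block)
		mac := hmac.New(sha256.New, password)
		mac.Write(salt)
		mac.Write(be[:])
		u := mac.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iter; i++ {
			mac = hmac.New(sha256.New, password)
			mac.Write(u)
			u = mac.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

func gcmForPasscode(passcode string, salt []byte) (cipher.AEAD, error) {
	key := pbkdf2SHA256([]byte(passcode), salt, iterations, 32)
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealRecord encrypts one patient record under a passcode-derived key.
// Output layout: salt || nonce || ciphertext+tag. The header is bound as
// additional data so it cannot be swapped without detection.
func SealRecord(passcode string, plaintext []byte) ([]byte, error) {
	header := make([]byte, saltLen+nonceLen)
	if _, err := rand.Read(header); err != nil {
		return nil, err
	}
	salt, nonce := header[:saltLen], header[saltLen:]
	gcm, err := gcmForPasscode(passcode, salt)
	if err != nil {
		return nil, err
	}
	out := append([]byte(nil), header...)
	return gcm.Seal(out, nonce, plaintext, header), nil
}

// OpenRecord reverses SealRecord; a wrong passcode or any modified byte
// fails the GCM tag check and returns an error rather than bad plaintext.
func OpenRecord(passcode string, sealed []byte) ([]byte, error) {
	if len(sealed) < saltLen+nonceLen+16 {
		return nil, errors.New("sealed record too short")
	}
	header := sealed[:saltLen+nonceLen]
	salt, nonce := header[:saltLen], header[saltLen:]
	gcm, err := gcmForPasscode(passcode, salt)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, nonce, sealed[saltLen+nonceLen:], header)
	if err != nil {
		return nil, errors.New("wrong passcode or tampered record")
	}
	return pt, nil
}

func main() {
	// Constructed sample record; not real patient data.
	record := []byte("patient=J. Doe (example); visit=08:30-09:15; notes=vitals stable")
	sealed, err := SealRecord("4821", record)
	if err != nil {
		panic(err)
	}
	pt, err := OpenRecord("4821", sealed)
	fmt.Printf("correct passcode: %q err=%v\n", pt, err)
	_, err = OpenRecord("4822", sealed)
	fmt.Printf("wrong passcode: err=%v\n", err)
}
```

The point for a lost phone is the failure path: without the passcode the sealed bytes are useless, and tampering with a record is detected rather than silently decrypted. A production deployment would keep the derived key in the platform's hardware-backed keystore rather than re-deriving it per record, and would use a platform crypto library rather than a hand-written KDF.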
Jacksonville, Fla.-based American Hospice is the nation's oldest hospice management company. It serves clients in five states. Cruz has 19 years of IT experience. He managed the installation of Allscripts Homecare software and VPN technology from NCP Engineering Inc.
HOWARD ANDERSON: This is Howard Anderson, Managing Editor at Information Security Media Group. Today we are talking with Fred Cruz, IT Director at American Hospice, the oldest hospice management company in the nation. The company serves clients in five states.
Thanks for joining us today, Fred.
FRED CRUZ: Thank you, Howard.
ANDERSON: Please tell us a little bit about American Hospice and your role there.
CRUZ: Like you said, American Hospice was founded in 1992; we are the oldest hospice management company in the United States and one of the top 10 in the country. Our headquarters are located in Jacksonville, Florida. As for operating states, like you said, we have locations in Arizona, Oklahoma, Georgia, Virginia and New Jersey. Our CEO, Jeff Price, together with our executive team, has over 60 years of experience in healthcare administration, finance and marketing, and our former founder and president, Andrew Parker, was instrumental in developing legislation that resulted in authorization of Medicare and Medicaid cards for hospice care.
My role here at American Hospice is IT Director, in which I am responsible for anything IT: support, management, staff, purchasing, security and project initiatives.
ANDERSON: I understand that in May you equipped about 180 of your home health employees with mobile devices linked to a virtual private network. What prompted that investment?
CRUZ: We were implementing a project we call the Home Health Aide Project. There is an application for the home health aides to use on a Windows-based PDA device. One of the requirements was that the device needed to be able to connect back into our network securely. After several attempts with our current firewall vendor, and attempts with other VPN vendors using their software that works on the Windows Mobile device, we were unsuccessful in getting any of their software to work and connect in through our VPN and our firewall.
Upon a recommendation from another company that uses NCP, we gave them a try, and they successfully got their product working in our environment. That was pretty much monumental to our selecting them as the vendor of choice for this project.
ANDERSON: So the goal of the project was to kind of streamline the day-to-day business of the home health employees that serve hospice patients?
CRUZ: Correct. We have basically two sets of field employees. One is the registered nursing staff, who are out there helping to create the plan of care for the patients; they handle the nursing activities for the patients. Then we have the home health aides, who are out there assisting the nurses and carrying out some of the other duties and tasks required in the patient's plan of care. Both groups have to use mobile devices; that is where all of their patient information is sent, and they synchronize during the day. Their devices are updated with the current patient information, they go out and visit the patient, update the data, and then they synchronize the data back to our central servers. This routine happens every day, and that is how the nurses and the aides are able to maintain accurate data and receive accurate data when they are visiting their patients.
ANDERSON: So are the nurses and the aides retrieving and transmitting patient information throughout the day, or do they just do that at the beginning and the end of each day?
CRUZ: It really depends on the staff member. The nurses are trained to synchronize at the beginning of the day and at the end of the day; however, because the aides' software actually resides on their PDA device or phone, they are able to synchronize after each visit, which is great for maintaining the accuracy of the patient care notes. It also helps with getting their tertiary information, like mileage and hours worked, so all of that is updated in real time or close to real time, as opposed to the way they were doing it before, which was on paper.
They would go out and do their visits for the week, and they would show up at the end of the week, or maybe at the end of two weeks, and hand in all of their paperwork, which then had to be entered by another employee, which could take another two to three days. So we have gone from information being entered and referred seven to 16 days later down to almost real time, or at the very least on a daily basis.
ANDERSON: Please describe your approach to ensuring that the data going to and from these mobile devices stays secure. How does the VPN work and does encryption play a role at all?
CRUZ: Yes, the VPN is encrypted. The NCP software communicates with our firewall; it basically creates a secure tunnel with high encryption. The data itself is also encrypted on the phone, and we also require that the phones have a password code lock. So in the event the phone is lost or stolen, they would have to do a complete hard reset, wiping the phone, in order to gain access to use the phone. The software vendor has also encrypted the application itself, and again, with the NCP software connecting to our firewall through a VPN, the data is also transmitted through an encrypted tunnel.
ANDERSON: So what made the VPN technology that you ended up selecting the best fit?
CRUZ: The most obvious reason is the fact that NCP was able to get it to work with our existing firewall. We probably tried three or four other vendors, and each attempt to get it to work and communicate through our existing firewall was unsuccessful; that is, creating a secure tunnel through which they could connect and see all of the servers they were required to see on the back end. So again, NCP was the only software that worked in this environment.
ANDERSON: What are your plans for expanding use of mobile devices in the months and years ahead?
CRUZ: As of right now we are only going to expand this out to the 180 end users who are currently home health aides. We do have other staff members who use these devices, but at this time we don't have any need for them to connect into our network using their devices. So as of right now, the project calls for the 180 home health aides to be equipped with these devices. Again, our company also acquires other companies, so in the event that we either expanded through census growth or acquired another company, we would obviously expand devices to the employees we acquired.
ANDERSON: Finally, what lessons about data security have you learned in the first few months of the rollout, and what advice would you give to other organizations considering how best to ensure the security of information gathered and transmitted using mobile devices?
CRUZ: The only advice I could really give is to make sure you are following Medicare HIPAA guidelines, always make sure your data is encrypted, and always make sure that you are communicating through a secure, encrypted connection back to your home network.
Training is fundamental, too. A lot of the people we deploy these devices to have a primary mission in life of nursing or some type of nursing function; they are not IT professionals. Handing a device like this to a non-technical person could be pretty daunting for that person, so you need to take care to make sure that the person is properly trained, understands the importance of security with the device, and understands how to use the software and the device so that information is transmitted securely between their device and the server.