Should Staff Ever Use Personal Devices to Access Patient Data?
Incident at Oklahoma Dept. of Veterans Affairs Spotlights Tough Choices
Is it ever acceptable to allow healthcare workers to use their personal smartphones to access patient information? How about for delivering patient care during a network outage?
These are some of the key questions emerging from a recent controversy involving leaders at the Oklahoma Department of Veterans Affairs who reportedly made the decision to temporarily allow employees at two VA healthcare facilities in the state to use their personal smartphones to access patients' records for several hours during a network outage in July.
Three Oklahoma state representatives have demanded in a recent letter to Oklahoma Gov. Mary Fallin that she fire two state VA officials - executive director Doug Elliott and clinical compliance director Tina Williams - alleging that their decision to allow the VA employees access to patient records using personal devices violates HIPAA and other privacy regulations.
A spokesman for Fallin's office tells Information Security Media Group that the state's CISO, Mark Gower, looked into the matter, and in a resulting report determined the actions by the VA did not result in any violations of state or federal privacy regulations.
Plus, as governor, Fallin has no authority to fire the VA leaders - those matters fall under the authority of the state's VA commission, the governor's spokesman adds.
No Records Access, No Meds
The state's VA commission has no plans to fire the VA leaders and has no immediate plans to set up a special meeting to even discuss the matter, an Oklahoma VA department spokesman tells ISMG.
Approximately 50 VA clinicians were granted temporary access via their personal mobile devices to the records of patients in two Oklahoma VA facilities during the six-hour outage, he says.
"Access was given only so those patients could get their medications. Otherwise, these patients wouldn't have been able to get their medications," he says. There are a total of about 500 patients at the two VA facilities that were impacted by the situation, and only some of those patients needed their medications during the outage, he says.
Good or Bad Idea?
HIPAA violation or not, is it ever a good idea to allow healthcare employees to use their personal smartphones to access patient records? What about during a crisis situation?
"These are really tricky issues," says privacy attorney Kirk Nahra of the law firm Wiley Rein. "You have to think about two paths on these questions - how is this situation [involving employee smartphone access to patient records] handled normally, and what - if anything - can be done differently in an emergency situation? Both questions essentially involve thorough thinking as part of an overall risk assessment process."
Companies of all kinds - in healthcare and otherwise - have to figure out how to manage the fact that data can be transmitted to mobile devices, whether personal or employer-based, Nahra says. "What a company allows and what it does not allow - and how it 'prevents' what it doesn't allow - is a critical component of any risk assessment today."
Companies have to develop a strategy that balances appropriate risks as well as business needs, the attorney adds.
Providing healthcare workers with access to patient records via a personally owned device is acceptable "under the right conditions," says Keith Fricke, principal consultant at tw-Security.
"Specifically, the device must be properly secured with mobile device management software. This becomes a case of balancing security and privacy with the needs of delivering patient care," he says. "Risk exists with permitting any mobile devices access to sensitive information, regardless of who owns the device, if it is not properly secured. Some MDM solutions offer a way to compartmentalize access to company information, separating it from personal data on a personally owned device."
Mac McMillan, CEO of security consultancy CynergisTek, agrees that the circumstances around providing employees special access to patient records are an important consideration.
"If it is the only way to ensure appropriate timely care for patients, I would hope that administrators and caregivers would always err on the side of taking care of the patient first and privacy second," he says. "The real question here is whether this was operationally necessary or were there other options less risky. Secondly, what level of disaster planning had they done? Let's face it; it's always easier to armchair quarterback after the fact.
"In cybersecurity we manage risk. We don't ever eliminate it entirely; we manage it. In this case, did the risk to the patient outweigh the potential risk to the confidentiality of their data? What I haven't heard in this discussion is any proof that any information was compromised, but what I think we did hear was our veterans were cared for."
The Aug. 9 report issued by Oklahoma state CISO Gower's office in response to the state reps' letter to Fallin demanding the VA firings says his office's investigation "does not show there to be any identified issues with violations of the HIPAA privacy or security Rules, or the State of Oklahoma Breach Notification Act."
That determination was made based on several factors, the report notes.
"Access to the electronic medical records from mobile devices was authorized on a limited basis to address an emergency need, for the treatment of patients in care," the report says. "This access was performed by vetted and authorized [VA] staff who have access to electronic protected health information and personally identifiable information in their normal course of duties and are required to maintain compliance to [VA] HIPAA privacy and security training, policies and procedures."
Additionally, the EMR was accessed by a limited number of authorized VA staff "through the use of mobile devices, which still required the use of mandated security credentials and processes that are prescribed in the HIPAA Security Rule and supported by the EMR vendor to provide mobile access securely," the report notes.
The outage occurred on July 25 when the Oklahoma Office of Management and Enterprise Services was overseeing telecommunications maintenance "on the state fiber, for a scheduled outage," the report notes. The outage had an "unintended impact" on two Oklahoma VA sites, it says.
"The ODVA sites contacted the appropriate ODVA informatics team, who reviewed the outage and the need for care and made the authorization to enable the ability in the PointClickCare [EMR] system to allow for mobile access for limited individuals, during the time frame of the network outage."
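The report's description of how access was enabled (only named staff who already held access, only during the outage, still using mandated credentials) and Fricke's point above that a personally owned device must be MDM-secured together describe a break-glass access policy. The following is an added illustration of such a policy, not code from ISMG, the Oklahoma VA, PointClickCare or any MDM vendor; every user, device, timestamp and reason string is constructed sample data, and the device attributes are an assumption about what an MDM agent would report.

```python
"""
Break-glass (emergency) mobile access evaluator - added illustration only.
Models five controls: an explicit emergency window declared by an authorizer,
a named allow-list of staff, normal credentials still required, an MDM
compliance baseline for the device, and an audit record for every decision.
All names, devices and timestamps are constructed; the page gives no year,
so the date below is arbitrary.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class EmergencyWindow:
    """Time-bounded authorization declared by an informatics/compliance lead."""
    authorized_by: str
    reason: str
    start: datetime
    end: datetime
    permitted_users: frozenset  # explicit allow-list, never "all staff"


@dataclass(frozen=True)
class DeviceState:
    """Attributes assumed to come from an MDM agent for the requesting device."""
    device_id: str
    mdm_enrolled: bool
    storage_encrypted: bool
    screen_lock: bool
    work_container: bool  # corporate data separated from personal apps


@dataclass(frozen=True)
class AccessRequest:
    user: str
    device: DeviceState
    mfa_passed: bool  # the "mandated security credentials" still apply
    at: datetime


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


class BreakGlassPolicy:
    def __init__(self, window: Optional[EmergencyWindow] = None):
        self.window = window
        self.audit_log: list = []

    @staticmethod
    def _device_problem(d: DeviceState) -> Optional[str]:
        """Return the first baseline failure, or None if the device is compliant."""
        if not d.mdm_enrolled:
            return "device not MDM-enrolled"
        if not d.storage_encrypted:
            return "device storage not encrypted"
        if not d.screen_lock:
            return "device has no screen lock"
        if not d.work_container:
            return "no managed work container on device"
        return None

    def _decide(self, req: AccessRequest) -> Decision:
        w = self.window
        if w is None:
            return Decision(False, "no emergency window declared")
        if not (w.start <= req.at < w.end):
            return Decision(False, "outside emergency window")
        if req.user not in w.permitted_users:
            return Decision(False, "user not on emergency allow-list")
        if not req.mfa_passed:
            return Decision(False, "mandated credentials not satisfied")
        problem = self._device_problem(req.device)
        if problem:
            return Decision(False, problem)
        return Decision(True, f"emergency access per {w.authorized_by}: {w.reason}")

    def evaluate(self, req: AccessRequest) -> Decision:
        decision = self._decide(req)
        # Every attempt, allowed or denied, is recorded for post-incident review.
        self.audit_log.append({
            "ts": req.at.isoformat(),
            "user": req.user,
            "device": req.device.device_id,
            "allowed": decision.allowed,
            "reason": decision.reason,
            "window_authorized_by": self.window.authorized_by if self.window else None,
        })
        return decision


def run_demo():
    """Constructed scenario: a six-hour window, two staff, one managed device."""
    t0 = datetime(2000, 7, 25, 9, 0, tzinfo=timezone.utc)  # arbitrary constructed time
    window = EmergencyWindow(
        authorized_by="informatics-lead (constructed)",
        reason="network outage; medication administration",
        start=t0, end=t0 + timedelta(hours=6),
        permitted_users=frozenset({"nurse.a", "nurse.b"}),
    )
    policy = BreakGlassPolicy(window)
    managed = DeviceState("dev-001", True, True, True, True)
    unmanaged = DeviceState("dev-002", False, False, True, False)
    requests = [
        AccessRequest("nurse.a", managed, True, t0 + timedelta(minutes=30)),   # allowed
        AccessRequest("nurse.a", unmanaged, True, t0 + timedelta(minutes=31)), # device fails
        AccessRequest("clerk.c", managed, True, t0 + timedelta(hours=1)),      # not on list
        AccessRequest("nurse.b", managed, True, t0 + timedelta(hours=7)),      # window closed
        AccessRequest("nurse.b", managed, False, t0 + timedelta(hours=2)),     # no MFA
    ]
    decisions = [policy.evaluate(r) for r in requests]
    return policy, decisions


if __name__ == "__main__":
    for entry in run_demo()[0].audit_log:
        print(entry)
```

The ordering of checks is deliberate: the window and allow-list are evaluated before anything about the device, so an expired or never-declared window denies everyone regardless of how well managed their phone is, and the audit record is written for denials as well as grants so the post-incident review the experts call for has something to work from.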
Some security experts note that with proper continuity planning, access to patient records might have been enabled without the use of employees' personal devices.
"Replicating systems to another data center can provide access via workstation or laptop instead of from a smartphone," Fricke notes.
McMillan adds: "Many organizations have a second tier of systems that are not connected to the internet, or even the network full time, that are capable of printing out the patient's record or information in emergency circumstances. What should be looked at [in the Oklahoma VA incident] is whether the administrators' decisions were necessary as a result of poor prior disaster recovery/business continuity planning. While the decision to take the risk may have made sense presented with the circumstances, those circumstances may have been different had more thorough planning been accomplished."