Patient confidentiality leaks occur for many reasons. In some cases, a company’s information security infrastructure is susceptible to hacking. Some organizations also fail to thoroughly train their workers in HIPAA compliance and to give them the tools to succeed. In other cases, medical officials inadvertently disclose information covered under HIPAA because so many people are involved in a case. However, the lack of satisfactory “bring your own device” (BYOD) policies is a huge issue.
Many hospitals, medical facilities and other medical offices let doctors and staffers use their own devices for communication about patients. The companies frequently don’t establish stringent enough BYOD policies, and many also don’t train users properly. Here are the top three ways information leaks occur, and how you can make sure they don’t happen in your healthcare organization.
1. Lack of parameters on which devices can be used
New devices, from cellphones and tablets to laptops and PCs, come out every year. Medical offices are faced with staffers who use a wide range of operating systems capable of handling tasks of varying levels, and those devices come with different vulnerabilities. A medical office’s in-house technical support team, or the one it contracts with, should list the devices it is able to troubleshoot, and specify the operating system version and updates required for each device. Look for mobile health platforms that integrate with all supported systems for smooth interoperability.
2. No policy on permitted apps
Using normal communication channels instead of secure messaging inevitably leads to patient data leaks. For example, when a healthcare professional uses ordinary SMS texting to relay patient information, he compromises the security of that data. Medical offices must outline a policy on which apps are allowed in general and which apps must be used for work purposes.
Many offices that have established competent policies use Doc Halo’s secure text messaging platform. It satisfies HIPAA requirements that patient information cannot be disclosed to anybody outside the healthcare professionals working with the patient. Doc Halo’s all-in-one messaging interface streamlines work, increases productivity and, just as importantly, provides secure messaging to stave off information leaks.
Even if your facility doesn’t allow healthcare professionals to use personal devices for patient communication, all official devices need a centralized secure messaging platform.
3. Lackluster security
Having no password policy and no inactivity lock settings is all too common. Medical offices should set clear security expectations for password structure and length (think capital letters, numbers, and special characters). They should also tell staffers how long a device may sit idle before it locks, and should permit only selective access to internal networks.
Your office should also have a policy that explains what happens if a staffer’s device is lost or stolen. Obviously, expert personnel need to perform a remote wipe of the data, but because the staffer has used the device personally, the policy needs to explain in advance that he risks losing his personal data as well. Therefore, it’s important to clarify right from the beginning who pays for the devices and the various usage plans. It’s reasonable to expect healthcare facilities to pay for most or all of a plan, since staffers need to minimize the personal data they keep on such devices.
Regardless of policy specifications, a medical office must be vigilant about keeping up with changing technologies and evolving issues. A BYOD strategy is only as good as its weakest link and as the knowledge of the people behind it. Monitor it, perform security checks, and remain flexible enough to make quick adjustments.