As readers of this site know, technology is allowing the practice of healthcare to become increasingly more mobile. Having access to the most up to date information throughout the health care delivery process not only saves time, it reduces errors and improves healthcare outcomes.
However, the nature of mobile technology is that devices are smaller and more difficult to secure than traditional desktop computing equipment.
If you’re currently using, or planning to use mobile technology in your practice you should develop a plan that provides for the security of the sensitive personal health information of your patients. Larger practices may have access to IT professionals to help develop, implement and manage such plans, but if you run a smaller practice and don’t have access to that level of expertise, what should you do?
Fortunately, it’s not as daunting as you may think. Much of what should be done is simple common sense and may have already occurred to you.
While using small, cool mobile devices can add to your productivity, those devices are much more likely to be lost or stolen than a desktop computer that resides at a fixed location in your office. These new devices, whether they are smart phones, tablet computers or the small, fast, new Ultrabooks, all need to be secured.
Here are a few common sense suggestions that can help to secure the mobile devices used in your practice:
1. Password Protect – Makes sense, right? Every device that may contain personal health information, or has access to personal health information, should be password protected. However, a password is only as secure as you make it. Your cat’s name, for example, is not a secure password. If you never change your password, it’s not going to remain secure. Microsoft recommends that passwords be:
- Long enough – At least eight characters
- Complex enough – A password should include some combination of letters, numbers, symbols and punctuation. The greater the variety of characters in your password, the better.
- Varied – To keep strong passwords effective, they should be changed often. Microsoft recommends changing them every three months.
2. Encrypt – Every device that has access to or could store personal health information should be encrypted. Many smart phones and tablets provide the ability to encrypt the data stored on them, but it is often turned off by default. You need to enable the encryption. Leading edge tablets like the HP Slate 2 offer hardware-based encryption. The Slate 2 includes an extra chip, called a TPM (Trusted Platform Module), that allows you to run BitLocker drive encryption. This level of encryption helps to ensure that data stored on a device is not tampered with, even if the device is lost or stolen. In HIPAA compliance terms this is known as “encryption of data at rest”.
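As an added example that is not part of the original post, here is a PowerShell check (assumed to run elevated on Windows 8 or later with the BitLocker and TrustedPlatformModule modules available) that reports whether a device has a TPM and whether its volumes are fully encrypted with protection turned on, i.e. whether it meets the “encryption of data at rest” bar described above:

```powershell
# Added example, not from the original post. Assumes Windows 8 or later with the
# BitLocker and TrustedPlatformModule PowerShell modules, run as Administrator.

function Get-DataAtRestStatus {
    [CmdletBinding()]
    param()

    $result = [ordered]@{
        ComputerName = $env:COMPUTERNAME
        TpmPresent   = $false
        TpmReady     = $false
        Volumes      = @()
        AllEncrypted = $false
    }

    # TPM check: BitLocker can seal the volume key in the TPM chip described above.
    $tpm = Get-Tpm -ErrorAction SilentlyContinue
    if ($tpm) {
        $result.TpmPresent = [bool]$tpm.TpmPresent
        $result.TpmReady   = [bool]$tpm.TpmReady
    }

    # BitLocker status for every volume Windows knows about (removable drives included).
    # The goal for a device holding PHI is VolumeStatus FullyEncrypted and ProtectionStatus On.
    $vols = @(Get-BitLockerVolume -ErrorAction SilentlyContinue)
    foreach ($v in $vols) {
        $result.Volumes += [pscustomobject]@{
            MountPoint       = $v.MountPoint
            VolumeType       = $v.VolumeType          # OperatingSystem or Data
            VolumeStatus     = $v.VolumeStatus        # FullyEncrypted, FullyDecrypted, ...
            ProtectionStatus = $v.ProtectionStatus    # On / Off
            KeyProtectors    = ($v.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ','
        }
    }
    $notProtected = $vols | Where-Object {
        $_.VolumeStatus -ne 'FullyEncrypted' -or $_.ProtectionStatus -ne 'On'
    }
    $result.AllEncrypted = ($vols.Count -gt 0) -and (-not $notProtected)

    [pscustomobject]$result
}

$status = Get-DataAtRestStatus
$status | Format-List
if (-not $status.AllEncrypted) {
    Write-Warning "Not every volume is fully encrypted with protection on; enable BitLocker before storing PHI here."
}
```

Run it on each Windows device in your inventory and keep the output with the device record; a volume that is “FullyDecrypted” or has protection “Off” is exactly the default-off state the post warns about.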
3. Inventory – Maintain a complete inventory of the devices that have access to your secure data. A single physician practice could easily have over a dozen devices accessing secure data, so it’s important to keep a complete list of those devices and who is responsible for them. As a physician you may have a desktop computer, a fast, lightweight, solid-state-drive computer like the HP Folio 13 Ultrabook, a smart phone and a tablet computer, all of which you use to access health information. Your office probably has a desktop in the reception area, another desktop in the scheduling area and a secure server sitting somewhere in the office. That’s seven devices right there, before we get to the devices your partners, physician assistants, nurses and other providers may have. Don’t overlook older, “dumb” devices like handheld dictation recorders. If patient notes are recorded for later transcription or entry into an EMR system by a medical transcriptionist, those recordings are also PHI, which means the recorder should be protected as well as you would protect a smart phone.
4. Create a Policy – Have a policy in place so that everyone knows what to do if a device is lost or stolen. Be certain that everyone understands how important it is to report potential problems. There are mobile security software options that can help with lost or misplaced devices. The best will both locate and optionally completely wipe the device clean. In fact, both the HP Slate 2 and the HP Folio come with Computrace, an enterprise class computer management, data protection and theft recovery solution, built in.
5. Educate Your Team – Be certain that team members understand how important data security is to you and your practice, and remind them of that importance on a regular basis.
The benefits of adding mobile technologies to your practice are numerous, but these additions should be implemented with care. Taking the steps necessary to protect patient data when you add new technology to your practice is a critical part of becoming more mobile as a health care practitioner. The HITECH Act requires Health and Human Services to post a list of “breaches of unsecured protected health information affecting 500 or more individuals”. Making sure your mobile devices are properly protected by passwords and encryption means never having to appear on the HHS Wall of Shame.
This post is sponsored by HP Healthcare, however opinions on products and services expressed here are my own. Disclosure per FTC’s 16 CFR, Part 255.