Things to consider to shore up data security and to avoid stolen PHI
Does a day go by anymore that we don’t hear about another data breach? It seems hackers continue to look for ways to threaten our IT security. And the healthcare world is an ongoing target where ransomware, phishing emails and other dirty tricks of the trade to infiltrate our personal information.
Smartphone devices are not immune to these data security breaches and neither are the applications that are developed and loaded onto these devices.
So, as we reflect on #NHIT week 2018, how do hospitals balance the reliance and need for technology with the covenant they have with patients to keep their data safe?
“It’s a real challenge,” explained Ben Whitehill, Senior Director, Technical Operations & Infrastructure Services at PatientTouch Solutions. “In fact, HealthCare Analytics News recently reported that medical records are highly sought after, sometimes commanding as much as $300-$400 per record on the dark web.”
As IT departments, clinical teams and hospital executives select IT clinical technology to support patient care and collaboration, they must always consider this risk. According to Whitehill, security and risk mitigation must be viewed from various angles.
He shared a few ways PatientSafe addresses these 5 data security factors:
1. In the design of our app:
Data security is purposefully and carefully designed into the PatientTouch app through a series of physical safeguards, technical safeguards, and administrative safeguards.
Since its inception, PatientTouch mobile devices do not store Personal Health Information (PHI). Even though there are complex integrations between the PatientTouch System, the hospital’s EMR and other alerting and notification systems, the smartphone receiving patient data is simply a “thin client”. No data actually resides on the device – so, if ever lost or stolen, there is no data breach or loss traced directly to the phone or app.
2. Authentication and authorization:
While PatientTouch has robust care team routing capabilities to expedite care collaboration, these role-based access paths – integrated with a hospital’s active directory – are carefully defined through a very thorough and in-depth structured process before we go-live.
Early in the PSS client engagement process, we determine which care team members should be allowed to access the PatientTouch System and work to define role-based workflows and define unique permission sets for all unique user roles. These determinations are made over multiple sessions to truly understand a client’s detailed structure. Our system also enables the hospital’s IT department to add or retract access for any employee in real-time – adding an immediate failsafe level of HIPAA security to the system.
3. Device security:
PSS always recommends having the device automatically go into “lock” mode after a pre-defined period-of-time. We also encrypt the devices in use, on the backend, and we require an encryption layer between our application and the database servers. This added layer, not only provides added data security for our app, but for all the hospital systems connected within the app (i.e. clinical information systems, alerts and monitors, as well as IT telephony and wireless infrastructure).
4. Redundancy, redundancy:
Since data does not reside on the encrypted mobile device, PSS wants to ensure that where it does reside is secure. We do this by setting up multiple data centers. Every application cluster we manage is fully redundant. We have multiple secure nodes and could, if necessary, withstand the loss of servers – even a whole data center – as information is secured elsewhere. While each client configuration is slightly different, there is one thing we make sure is common – that they are prepared and can be restored quickly.
5. Our playbook:
Before we ever launch our application, we work with our clients to develop a playbook. This includes a detailed review of their infrastructure, devices used, security architecture, how we integrate with clinical systems in place, penetration studies, and more. We are currently upgrading our support for multifactor authentication and will be working with SAML (a single-sign-on authentication structure) to minimize the impact on the user-base, thus improving overall adoption. This is particularly important in a Bring-Your-Own-Device (BYOD) structure that a hospital may want us to employ.
Whitehill explained that PatientSafe’s overall goal is to work with our customers to implement best practices and to provide their clinicians with the optimum security of their patient data while on their mobile devices.
PatientSafe Solutions recommends a thorough review of all dimensions of your security infrastructure and that a risk mitigation plan is put in place as a standard best practice with whatever system you use.
To learn more about our data security practices, contact us today at 858-746-3322 or chat with us on our website.