I recently contributed to Health Management Technology magazine’s Q&A on Healthcare Going Mobile that explores the challenges, concerns and best practices for implementing a successful mobile strategy. One of our top priorities at PatientSafe is ensuring mobile device security.
Security is both a technology and a policy consideration, so we work closely with our hospital partners to address it proactively as part of our technology assessment process. Clinicians expect mobile access to key clinical information anytime, anywhere, for a comprehensive view of patient care. This opens a new level of security concern because data is now accessed outside the hospital's secured network. PatientSafe helps our partners clearly identify the need to access patient information externally, based on the clinician's workflow. If there is a strong need for external access, we help hospital IT stakeholders design access for specific types of clinical users and roles.

In addition to these access safeguards, we also design for device security. For example, no data lives on PatientTouch physical devices. Data residing on a mobile device opens up all kinds of security concerns and introduces burdensome, expensive device management practices. For hospital-supplied phones, the devices must be wiped at the end of each shift. BYOD phones must be wiped remotely, requiring that users, who may not be hospital employees, download additional software and give the hospital administrative access to their personal devices.
The biggest threat to mobile device security is the loss of a device that has PHI stored on it. The PatientTouch platform adheres to the following security practices, which we recommend for all mobile solutions:
- Data is not stored on mobile devices
- TLS encryption for all client-to-server communication
- Use of expiring authentication tokens
- HIPAA-compliant notification banners and pop-ups, i.e., notifications contain no PHI
- Application-level, time-based security screens (an inactivity lock) that hide on-screen data
- Individual, unique user IDs and passwords
- An application that matches real-world workflows, so that risky workarounds such as sharing usernames and passwords do not happen
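As an added illustration (this is example code written for this page, not PatientSafe code, and it does not describe how PatientTouch implements these controls), the following Python sketches two of the practices listed above: HMAC-signed authentication tokens that expire, and an application-level inactivity lock that hides on-screen data and requires a valid, unexpired token to unlock. The key, token lifetime and lock interval are assumptions chosen for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Assumed values for this example only. A real deployment would load the
# signing key from a secrets manager and rotate it, and would pick the
# timeouts to match the clinical workflow.
SERVER_KEY = secrets.token_bytes(32)
TOKEN_TTL_SECONDS = 15 * 60   # token lifetime: 15 minutes
LOCK_AFTER_SECONDS = 2 * 60   # idle time before the screen locks


def _b64(data: bytes) -> str:
    """URL-safe base64 without padding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id: str, role: str, now=None, key=SERVER_KEY) -> str:
    """Issue a signed token that names the user and role and carries an
    absolute expiry; the client stores nothing else locally."""
    now = time.time() if now is None else now
    payload = {
        "sub": user_id,
        "role": role,
        "iat": int(now),
        "exp": int(now) + TOKEN_TTL_SECONDS,
        "jti": secrets.token_hex(8),   # unique id so tokens can be revoked server-side
    }
    body = json.dumps(payload, separators=(",", ":"), sort_keys=True).encode()
    mac = hmac.new(key, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(mac)


def verify_token(token: str, now=None, key=SERVER_KEY):
    """Return the payload if the token is well-formed, authentic and unexpired,
    otherwise None. The MAC is checked before the body is parsed so a forged
    body never reaches the JSON parser."""
    now = time.time() if now is None else now
    try:
        body_b64, mac_b64 = token.split(".")
        body = _unb64(body_b64)
        mac = _unb64(mac_b64)
    except ValueError:          # wrong shape or invalid base64 (binascii.Error is a ValueError)
        return None
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):   # constant-time comparison
        return None
    payload = json.loads(body)
    if now >= payload["exp"]:
        return None
    return payload


class ScreenLock:
    """Application-level inactivity lock. After LOCK_AFTER_SECONDS without
    interaction the screen is locked, on-screen data is hidden, and only a
    valid unexpired token unlocks it; an expired token forces re-login."""

    def __init__(self, now):
        self.last_activity = now
        self.locked = False

    def is_locked(self, now) -> bool:
        if not self.locked and now - self.last_activity >= LOCK_AFTER_SECONDS:
            self.locked = True
        return self.locked

    def touch(self, now) -> None:
        # Interaction only counts while unlocked; a locked screen stays locked.
        if not self.is_locked(now):
            self.last_activity = now

    def unlock(self, token: str, now) -> bool:
        if verify_token(token, now=now) is None:
            return False
        self.locked = False
        self.last_activity = now
        return True


if __name__ == "__main__":
    t0 = time.time()
    tok = issue_token("nurse42", "RN", now=t0)
    print("valid now:", verify_token(tok, now=t0 + 60) is not None)
    print("valid after TTL:", verify_token(tok, now=t0 + TOKEN_TTL_SECONDS) is not None)
```

Two design points worth noting: the expiry lives inside the signed body, so a client cannot extend its own session by editing the token, and the inactivity lock is enforced by the application rather than relying on the phone's OS lock, which matters on BYOD devices the hospital does not control.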
On the policy side, PatientSafe partners with hospitals to understand workflows and build appropriate security policies prior to technology adoption. For example, when a customer adopts our clinical communications platform, we institutionalize policies on the information that can and cannot be communicated via the mobile device. This becomes a layer of workflow-level security that discourages workarounds to the standard workflow processes.