Everyone is talking about security for mobility and patient-centric communications. Our focus is on patient-specific communications, and on protecting information when caregivers need to have a conversation about a patient or share an image, video or text. There are several areas you should think about when evaluating the security of clinical data. This blog touches on several of them.
Internal versus external storage of data
You need to ask yourself: Do you want all this data stored in the cloud, on a server provided by the application vendor and shared by many organizations, or do you want all the patient data kept in your EMR (i.e., controlled by your hospital)? Most hospital policies mandate that all patient data be stored internally, as it is easier to keep an audit trail of who has access to the data.
Who can access the data?
Obviously, you want your caregivers to be able to access the data on an as-needed basis. So, you want to set up roles and permissions for each role. For example, who is allowed to see wound pictures and who can take pictures? One important requirement is that these permissions need to be linked to the regular network and badge permissions. I recall a huge breach in a retail organization that was created when an employee left the company and his network credentials were disabled but his mobile application credentials were being used after he joined a competitor! The entire mobile project was suspended as a result of the breach.
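One way to check the linkage described above, as an added example that is not part of the original post: it reconciles mobile application accounts against network directory status, flags any that stay active after the network account is disabled, and grants role permissions only while the network account is enabled. All account names, roles and permission strings are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed sample data; names, roles and permission strings are hypothetical.
ROLE_PERMISSIONS = {
    "wound_care_nurse": {"view_wound_image", "capture_wound_image"},
    "physician": {"view_wound_image"},
    "unit_clerk": set(),
}

@dataclass
class DirectoryAccount:      # network/badge identity exported from the directory
    username: str
    enabled: bool

@dataclass
class MobileAccount:         # account held by the mobile messaging application
    username: str
    role: str
    active: bool

def effective_permissions(mobile, directory):
    """Mobile permissions apply only while the network account is enabled."""
    net = directory.get(mobile.username)
    if net is None or not net.enabled or not mobile.active:
        return set()
    # Unknown roles get no permissions (deny by default).
    return set(ROLE_PERMISSIONS.get(mobile.role, set()))

def orphaned_mobile_accounts(mobile_accounts, directory):
    """Active mobile accounts whose network account is disabled or missing."""
    orphans = []
    for m in mobile_accounts:
        net = directory.get(m.username)
        if m.active and (net is None or not net.enabled):
            orphans.append(m.username)
    return sorted(orphans)

DIRECTORY = {a.username: a for a in [
    DirectoryAccount("asmith", True),
    DirectoryAccount("bjones", False),            # left the organization
]}
MOBILE = [
    MobileAccount("asmith", "wound_care_nurse", True),
    MobileAccount("bjones", "physician", True),   # never deprovisioned
    MobileAccount("cdoe", "physician", True),     # no directory record at all
]

if __name__ == "__main__":
    print("orphaned:", orphaned_mobile_accounts(MOBILE, DIRECTORY))
    for m in MOBILE:
        print(m.username, sorted(effective_permissions(m, DIRECTORY)))
```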
Where should caregivers access the data from?
Some caregivers working on a shift will want to see that data while in the hospital, while others might want to have access from home or on the road. Setting up the correct security infrastructure to allow access from everywhere is always challenging and requires a knowledgeable vendor working with the hospital security team. The goal is to keep the data encrypted and inside the hospital while allowing mobile devices to see the data from the outside. Where to locate the communications servers (i.e., in a DMZ, which is sort of half in and half out of the firewall, versus opening access to a server inside the firewall) is a crucial discussion to have before installing the software.
What devices are allowed access?
Hospital-owned devices are easier to control, and there are many MDM (Mobile Device Management) applications on the market that allow organizations to control these devices in terms of both security and profile. These applications allow you to decide which applications can be installed on the device, provision it on your network, and disable the device if necessary.
With the BYOD (bring your own device) trend becoming popular, securing personal devices is becoming critical. If I am a physician using my mobile device, I don’t want anyone to install software that can control my device. The challenge, therefore, is not just to ensure that the data is encrypted and proper credentials are used, but also that it is the caregiver who is communicating and not someone who spoofed his/her phone.
I remember that, maybe 5 years ago, the entire security questionnaire was “just a checklist.” Since the data breaches in the last few years, having sophisticated tools and personnel to assess the security risks in a project is essential for the CIO of an organization. Having a data breach is the one sure way to ensure a very short tenure in an enterprise CIO position. If you want more details on how to set up your mobility program and test it against malicious penetration and denial-of-service attacks, feel free to drop us a line at firstname.lastname@example.org.