Protecting customer data is a top priority for any enterprise. Protected health information (PHI) carries even higher security stakes, requiring mobile device management (MDM) and accompanying strategies to secure this high-value information and ensure patient privacy.
Mobile strategies for HIPAA compliance
When users access PHI using an unsecured device, they are violating the Health Insurance Portability and Accountability Act of 1996, better known as HIPAA, according to HIT Infrastructure. Such violations bring costly fines and lots of bad press.
Further complicating the issue, doctors and other professionals accessing the data may not even be employees of the hospital where they are providing patient care. IT must prepare for this BYOD scenario. Creating BYOD policies for healthcare organizations requires:
- Defining cases for acceptable use
- Detailing privacy and data ownership expectations
- Approving devices and device provisioning
- Crafting security policies for BYOD devices
- Evaluating risks and liabilities
It’s possible to bring mobile devices into HIPAA compliance by developing an MDM or enterprise mobility management (EMM) strategy and implementing the appropriate security policies to secure PHI and institution-owned or BYOD devices. Achieving such compliance may require bringing in a third-party professional services firm that specializes in mobility compliance. You should also be working with your outside auditor at every step of your mobile device rollout.
HIPAA compliance also extends to texting, group chat and instant messaging within a healthcare enterprise. There’s a growing list of HIPAA-compliant messaging solutions that target healthcare enterprises. Client apps for these solutions are often available for:
- Corporate-owned devices
- Employee-owned devices
- Corporate-owned PCs
- Personal PCs
Physical working environment
Healthcare workers are on their feet for eight- to 12-hour shifts, with much of that time spent responding to immediate patient needs and emergencies. These working conditions make it easy to leave a mobile device on a counter or a table, and the open nature of a hospital makes it easy for somebody to walk off with the device inconspicuously, never to be found.
Having MDM with geofencing, which uses the device's location services (GPS, Wi-Fi and cellular positioning) to define a boundary and trigger a response when the device crosses it, can also help keep PHI from leaving the healthcare facility. For example, you can set a policy that blocks access to hospital applications that contain PHI from all corporate and BYOD devices running an MDM client app as soon as the user leaves your facility with the device. When they return for their next shift, the geofencing solution restores their application access. Geofencing is a policy control, not a theft countermeasure: it only works while the MDM client is running and the device can report its position, so a device that is powered off or in airplane mode reports nothing. Full-device encryption, a lock-screen passcode and remote wipe remain the baseline protections for a lost or stolen device, with geofencing layered on top.
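The decision logic behind such a geofence policy, written here as an added example rather than code from the original post or from any MDM product: a facility is modelled as a centre point plus a radius, each location fix carries its reported horizontal accuracy, and PHI access is granted only when the whole uncertainty circle of the fix lies inside the fence. Two edge cases the paragraph only implies are handled explicitly: a missing or very imprecise fix fails closed (no PHI access), and a small hysteresis margin stops access from flapping for a clinician standing near the boundary. The facility coordinates, radii and the sequence of fixes are constructed values for the demonstration, not real data.

```python
import math
from dataclasses import dataclass
from typing import List, Optional

# Constructed facility geofence (assumption for the example): centre and radius in metres.
FACILITY_LAT, FACILITY_LON = 38.8977, -77.0365
FACILITY_RADIUS_M = 300.0
EXIT_HYSTERESIS_M = 50.0   # a device already inside may drift this far past the fence before losing access
MAX_ACCURACY_M = 100.0     # fixes less precise than this are not trusted for a policy decision


@dataclass
class Fix:
    """One location report from the MDM client."""
    lat: float
    lon: float
    accuracy_m: float  # reported 68% horizontal accuracy radius


def haversine_m(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in metres between two WGS84 points."""
    earth_radius_m = 6371000.0
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = phi2 - phi1
    dlambda = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlambda / 2) ** 2
    return 2 * earth_radius_m * math.asin(math.sqrt(a))


def evaluate_phi_access(fix: Optional[Fix], currently_allowed: bool) -> bool:
    """Return True if PHI applications should be reachable given this fix.

    Fails closed when there is no fix or the fix is too imprecise, and requires the
    entire accuracy circle (distance + accuracy) to sit inside the fence so a fix
    straddling the boundary does not grant access.
    """
    if fix is None or fix.accuracy_m > MAX_ACCURACY_M:
        return False
    distance_m = haversine_m(fix.lat, fix.lon, FACILITY_LAT, FACILITY_LON)
    # Hysteresis: only a device that is already inside gets the extra margin on the way out.
    threshold_m = FACILITY_RADIUS_M + (EXIT_HYSTERESIS_M if currently_allowed else 0.0)
    return distance_m + fix.accuracy_m <= threshold_m


def run_shift(fixes: List[Optional[Fix]]) -> List[bool]:
    """Replay a sequence of fixes, starting outside the fence, and return the access decision after each."""
    decisions = []
    allowed = False
    for fix in fixes:
        allowed = evaluate_phi_access(fix, allowed)
        decisions.append(allowed)
    return decisions


# Constructed sequence of fixes across a shift (latitude offset of 0.001 deg is about 111 m).
SAMPLE_SHIFT: List[Optional[Fix]] = [
    Fix(38.8977, -77.0365, 10.0),   # arrives at the facility: inside, access granted
    Fix(38.9007, -77.0365, 10.0),   # ~334 m out: beyond the radius but within hysteresis, stays granted
    Fix(38.9077, -77.0365, 10.0),   # ~1.1 km away: access revoked
    Fix(38.9007, -77.0365, 10.0),   # same edge point approached from outside: stays denied
    None,                           # no location available: fail closed
    Fix(38.8977, -77.0365, 400.0),  # back on site but the fix is too imprecise to trust
    Fix(38.8977, -77.0365, 10.0),   # next clean fix on site: access restored
]

if __name__ == "__main__":
    for fix, decision in zip(SAMPLE_SHIFT, run_shift(SAMPLE_SHIFT)):
        print(f"{fix!s:45} -> {'ALLOW' if decision else 'DENY'}")
```

In a real deployment this check runs in the MDM server or client against the policy the administrator configured, and the "deny" outcome would be a conditional-access or app-blocking action rather than a boolean; the point of the example is the fail-closed handling of absent or imprecise fixes and the accuracy-aware boundary test, which a policy that simply compares the reported point against the radius gets wrong.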
Wearables and connected devices
Wearables are becoming increasingly popular with consumers, and the healthcare field is finding ways to use wearables for patient monitoring outside the traditional healthcare setting. Healthcare providers may issue patients a wearable for use in monitoring a health issue. There are also patients who already own a wearable device that captures data that might help their doctor to further monitor their health condition.
Healthcare enterprises face many of the same challenges as a commercial enterprise when securing wearables, but they have the added need of strict HIPAA compliance. The amount of PHI data these wearables generate also prompts the need for strong data governance and an MDM strategy. Your data management policy will need to account for:
- Patient data ownership
- Cybersecurity protections over the data in transit and at rest
These challenges extend to medical devices such as insulin pumps, defibrillators, CPAP machines, cardiac monitoring devices and oxygen tanks equipped with IoT sensors for remote monitoring. These medical devices provide real-time information to caregivers and clinicians while enabling the patient to receive care at home. Sensors Online explains these devices face the following challenges:
- Design: The design process for a remotely monitored device is different from those designed for in-hospital use and different from common IoT devices, such as telematics or security devices.
- Certification: The often-underestimated wireless device certification process, which applies to any new wireless device and is separate from the FDA's review of the medical device itself.
- Collaboration: Connectivity and security challenges span the whole chain, from the manufacturers who build these devices to the staff who manage them in the field.
The OWASP Secure Medical Device Deployment Standard provides a guide and checklist for deploying these network-enabled devices. You can expect to see MDM vendors evolve their IoT security portfolios to secure these devices. Blockchain, a distributed digital ledger, shows promise in helping secure medical devices, according to Network World, but it is an emerging security technology that still faces performance hurdles.
Mobile device management in healthcare organizations
The prognosis for implementing mobile device management in a healthcare enterprise is healthy if the healthcare institution’s IT staff works closely with their user community and outside auditors to implement HIPAA-compliant mobile solutions that empower clinicians and other healthcare professionals to serve their patients better.
This post originally appeared on Mobile Business Insights on January 11, 2018. The site is no longer in publication.
My name is Will Kelly. I’m a technical writer and content strategist based in the Washington, DC area. I’ve written for corporations and technology publications about such topics as cloud computing, DevOps, and enterprise mobility. Follow me on Twitter: @willkelly