Taking Security on the Road: Steps You Can Take to Secure Your Mobile Devices
Christopher Ryan, Esq.
Giarmarco, Mullins & Horton, P.C., Troy, MI
From the Spring 2013 issue of The Communiqué
The creation of the Medicare/Medicaid Electronic Health Record (EHR) Incentive Program (commonly known as the “Meaningful Use Program”) gave physicians and hospitals a strong incentive to integrate EHRs into their practices. (For more information regarding Meaningful Use, see “Proposed Meaningful Use Stage 2—What it Means to the Anesthesia and Pain Communities” published in the Spring 2012 issue of the Communiqué.) As part of their EHR system, many anesthesiologists have started using mobile devices such as laptops, tablets and smartphones. If used properly, these devices allow access to patients’ EHRs from anywhere that a WiFi connection (or cell phone signal) is available. This often results in quicker responses to questions from patients, families, and other providers. While the use of mobile technology has benefits, anesthesiologists choosing to utilize this technology must pay special attention to making sure they do so in a manner that conforms to their group’s or facility’s security policy and protects the privacy of the information.
This article outlines some of the mobile security tools and practices anesthesiologists can implement to help protect their patients’ EHRs.
Draft a Mobile Use Policy
Anesthesia groups should develop and implement a mobile use policy, or include specific provisions in their security policy regarding mobile use. To develop a mobile use policy, the group must first decide whether it will allow its employees to access EHRs via mobile devices at all. Assuming this will be permitted in some fashion, the group must consider whether anesthesiologists will be permitted to use their personal mobile devices, or whether only “company owned” devices will be permitted to access secure information. Groups should also contemplate whether all mobile devices are permitted to access EHRs or whether access will be restricted to certain types of technology. For example, a group may decide that laptop computers are permitted to access EHRs, but tablets and mobile phones are not. Groups may also want to implement some of the various specific suggestions contained in this article. After an effective policy is drafted, the group should train its employees on the provisions of the policy and how they can achieve compliance with the same.
Follow Your Organization’s Policy
Reading and complying with the group’s or facility’s policy is the first step anesthesiologists should take when implementing mobile technology and choosing which mobile security techniques to use. A group’s or facility’s policy may contain specific requirements that are not discussed here or that differ from the items outlined in this article; where they differ, the policy controls. Questions concerning a group’s or facility’s policy, or how best to secure a mobile device, should be directed to the group’s or facility’s Security Officer. Depending on the type of mobile device the anesthesiologist intends to use, the manner in which the EHR is accessed, and the software the group or facility uses to store the EHRs, some of the items outlined below may not apply to every anesthesiologist. The Security Officer will help the anesthesiologist make sure that he or she is using mobile technology in a manner that complies not only with the HIPAA Security Rule but also with the laws applicable in the specific jurisdiction.
Physical Security
Keeping mobile devices physically secure is the most obvious type of mobile security. Because mobile devices are, by definition, “mobile,” they are easily stolen or misplaced. While nobody can completely prevent a mobile device from being stolen, everyone can take steps to decrease the likelihood of a theft. Instead of leaving a laptop on the back seat of a car, providers should lock it in the trunk or, better, not leave it in a car at all. Do not leave a tablet sitting on the table at the coffee shop; instead, bring it with you when you get a refill. If an anesthesiologist uses his or her cell phone to access patient information, he or she should not let a child borrow it on the weekend. Finally, if a device is used in public areas, anesthesiologists should consider protecting its screen from being viewed by unauthorized individuals by using a privacy filter.
Passwords
Simply having a password to gain access to a mobile device is not enough. Providers need to make sure that they choose unique passwords that are not easy to guess. Studies have suggested that the most common passwords include “123456,” “password” and “iloveyou.” Other common choices are your telephone number, your spouse’s name or your pet’s name. These passwords should be avoided because they are relatively easy to guess; anyone who knows you, or can look you up, can try them first. Instead, anesthesiologists should use a password that is easy for them to remember but hard for unauthorized users to guess. Generally, passwords should be at least eight characters in length (longer is better), and should include upper and lower case letters, one or more numbers, and one or more characters such as “!”, “#” or “@”.
Anesthesiologists should also remember that using the same password for all accounts means that if someone gains access to one account, he or she gains access to all of them. Therefore, anesthesiologists should use a unique password for each piece of software that allows them to access EHRs, change a password promptly whenever it may have been compromised (and as often as the organization’s policy requires), and never store passwords in unsecure locations. For example, placing a sticky note on a laptop that says, “Password: ComMun!que2013ABC” renders an otherwise strong password virtually meaningless.
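The password rules above are the one part of this article that can be turned directly into a check. The following is an added example, not code from the original article or from any particular EHR vendor: a small Python policy checker that enforces the minimum length, the mixed character classes, a block list of common passwords, and rejection of the personal details the article warns about (telephone number, spouse’s or pet’s name). The common-password list and the personal details used below are constructed sample data; a real deployment would load a large published list of breached passwords rather than this handful, and the eight-character floor is this example’s choice (the article’s own figure is six).

```python
"""Password policy check implementing the rules described in the article.

Added example, not the article's or any vendor's code. COMMON_PASSWORDS and
the personal details passed to check_password() are constructed sample data.
"""
import string
from typing import Dict, List, Optional

# Constructed sample of well-known weak passwords. A real deployment would load
# a large published list (for example, a breach corpus) instead of this handful.
COMMON_PASSWORDS = {"123456", "password", "iloveyou", "qwerty", "12345678", "letmein"}

# Eight is this example's floor (the article says six); longer is better.
MIN_LENGTH = 8


def _digits(text: str) -> str:
    """Keep only the digits, so "(555) 123-4567" compares equal to "5551234567"."""
    return "".join(ch for ch in text if ch.isdigit())


def check_password(password: str, personal_info: Optional[Dict[str, str]] = None) -> List[str]:
    """Return the list of policy violations; an empty list means the password passes.

    personal_info is an optional mapping of details an attacker could easily learn,
    e.g. {"phone": "(555) 123-4567", "spouse": "Pat", "pet": "Fluffy"}.
    """
    problems: List[str] = []

    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no symbol such as ! # or @")

    # Case-insensitive match against the block list catches "Password" as well as "password".
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears on the common-password list")

    # Personal details: phone numbers are compared digit-for-digit so that punctuation
    # and spacing do not hide a match; names are compared case-insensitively as substrings.
    for label, value in (personal_info or {}).items():
        if not value:
            continue
        if label == "phone":
            phone_digits = _digits(value)
            if len(phone_digits) >= 7 and phone_digits in _digits(password):
                problems.append("contains your telephone number")
        elif len(value) >= 3 and value.lower() in password.lower():
            problems.append(f"contains your {label}'s name")

    return problems


if __name__ == "__main__":
    # The article's sticky-note password is strong on its own; the sticky note is the problem.
    print(check_password("ComMun!que2013ABC"))
    print(check_password("Fluffy2013!", {"pet": "Fluffy"}))
    print(check_password("Dr-5551234567!", {"phone": "(555) 123-4567"}))
```

The check deliberately reports every violation rather than stopping at the first one, so a user (or an enrollment tool) sees the whole list of reasons at once. Note that a checker like this enforces composition only; it cannot tell whether the same password is also in use on another account, which is why the article’s advice to use a unique password per system still has to be followed by the user.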
Auto-Logoff or Timeout
Most, if not all, mobile devices have built-in features that automatically log the user off (or lock the device) after a set amount of time of inactivity. Anesthesiologists should turn this feature on, and they should require a password to be entered in order to “wake” the device.
Saving Information Locally
Information may be stored on the mobile device itself, or it may be accessed remotely. The benefits of storing information remotely (i.e., not storing it on the device itself) are that the information is more likely to be up-to-date and that reaching it requires authentication beyond simply having the device in hand. Some organizations may choose to allow anesthesiologists to store information locally on the device so that it can be accessed at any time without an internet connection. Locally stored information means that if the anesthesiologist’s mobile device is lost or stolen, an unauthorized user may be able to obtain patient information with greater ease (see “Remote Wipe” below). If information is stored locally, anesthesiologists should be sure to back it up frequently to a secure server, so that if the device is misplaced or stolen the information is not lost.
Remote Wipe
Many mobile devices contain a feature that allows the owner to erase the memory or hard drive of the device remotely in the event it is misplaced or stolen. Check with the manufacturer of your device to learn whether it has this feature, and if it does, make sure it is set up and ready to be activated before you need it. If it does not, talk to your Security Officer and consider investing in software that provides this capability. Keep in mind that a remote wipe command only takes effect once the lost device reconnects to a network, so it supplements, rather than replaces, the lock screen and password protections described above.
Firewalls and Virus Scanning Software
A firewall is a tool that monitors incoming and outgoing network activity and blocks certain transmissions according to the user’s (or the organization’s) specifications. For example, a firewall may be programmed to prevent file sharing. Virus scanning software is designed to identify potentially harmful files and quarantine or delete them as necessary. Both of these tools should be used by anesthesiologists and, importantly, must be kept up to date, along with the device’s operating system and applications, since out-of-date software is what most malware exploits.
Where to Go for More Information
Utilizing mobile devices in a medical setting improves patient care by allowing anesthesiologists to quickly access patient information from anywhere. In the event a mobile device is stolen or misplaced, or if an anesthesiologist feels his or her mobile device’s security may have been compromised, they should immediately contact their organization’s Security Officer. Providers can also visit www.healthit.gov for more information about implementing health information technology, or contact a qualified attorney.
Christopher Ryan, Esq. is an associate at Giarmarco, Mullins & Horton, P.C. in Troy, MI. Mr. Ryan practices healthcare law, working with healthcare providers in the areas of corporate formation and dissolution, contract negotiation, and health compliance. Mr. Ryan also practices litigation with a special emphasis on defending healthcare providers faced with claims of medical malpractice. He can be reached at (248) 457-7154 or at firstname.lastname@example.org.