When Eric T. Moser, MD purchased an iPhone 5 over a year ago, he immediately installed a four-digit security code to protect his data in case of loss or theft. Like many neurologists, he uses his device for personal and business purposes and has a variety of apps, including one for his electronic health record (EHR). In that sense, Dr. Moser is a typical physician, according to the Cisco report BYOD (Bring Your Own Device) insights 2013. The report found that 88.6 percent of health care workers use their smartphones for work purposes, surpassing percentages of legal, manufacturing, retail, and even banking sector employees.
But Cisco discovered that, unlike Dr. Moser, 41 percent of those in the health care field who bring their own device to work don't protect their phones with a password. And equally troubling, Cisco contends, is the finding that 53 percent access unsecured Wi-Fi networks with their device — a well-known vulnerability in the cybersecurity industry. In health care, the stakes are greater, of course, because of the Health Insurance Portability and Accountability Act (HIPAA) of 1996, which established in the Privacy Rule a set of national standards for the protection of certain health information, and in the Security Rule, standards for protecting certain health information that is held or transferred in electronic form.
Before the passage of the Health Information Technology for Economic and Clinical Health (HITECH) Act, the imposition of civil monetary penalties was limited to a maximum of $100 per violation and a maximum aggregate penalty of $25,000 per year for each violation; subsequent to HITECH, however — as part of the Final Rule released in January of this year — the maximum penalty for a HIPAA violation rose to $1.5 million.
INTERVENTIONS TO CURTAIL SECURITY BREACHES
Since the Final Rule extended HIPAA compliance to include any vendor that “creates, receives, maintains or transmits” protected health information (PHI), there has been a new surge of interventions to tighten security risks. Covered entities — including health care providers, health plans, and clearinghouses — must perform risk analyses as part of their security management processes. Because implementation of those policies includes training of workforce members, many physicians are participating in sessions devoted to instituting safeguards to limit incidental, and avoid prohibited, uses and disclosures of PHI, including those associated with the disposal of such information.
But this raises a conundrum for organizations whose employees use their own devices such as personal smartphones, tablets, and computers. Indeed, Dr. Moser, who works for a multispecialty clinic, was astonished when IT department personnel asked him for access to both his iPhone and iPad so that they could wipe out or delete his data if his devices were lost or stolen. “If I refused permission, they said that they would deny me access to office e-mails,” said Dr. Moser. Cisco was interested in this issue as well: its survey revealed that if a security issue were to arise, 86 percent of workers said that their employers would be unable to remotely wipe their device's data.
“From a legal point of view, I think the hospital is justifiably concerned about protected health information,” said Joseph S. Kass, MD, JD, associate professor of neurology, psychiatry, and medical ethics and neurology residency program director at Baylor College of Medicine. “It also wants to avoid being seen as negligent in the way they protect information, especially since it seems that under HITECH, there is a penalty for information leakage even if the entity did not know or could not reasonably know about it,” he explained. “Notably, the physician's privacy does not seem to be protected the same way as the patient's privacy in this situation,” he added.
Some institutions are responding by providing devices for their employees. “We issue iPhones for our physicians, physician extenders, and nurse/administrative managers for access to Epic with encryption, log-on protection, and automatic wiping of the device after 10 failed password attempts,” said Gregory L. Barkley, MD, member of the AAN Medical Economics Committee and clinical vice chair in the department of neurology at Henry Ford Hospital. “Like everyone else, we struggle with [those who bring in their own devices] and we have progressively locked down our network,” he said. “Currently, if anyone wants to [bring in their own device] and go beyond the guest wireless, they have to have Airwatch, a mobile device management program that keeps devices secure, installed by our IT staff,” he said. He explained that his institution has already established strong security measures mandating use of IT-issued USB devices with progressive disciplinary actions for violators.
While these dilemmas are far from solved, the potential for security breaches is increasing and extends well beyond password protection and Wi-Fi access, experts warn. According to the survey, 48 percent of work smartphone users do not disable their Bluetooth features, making it possible for PCs to scan and download data. Moreover, as we download additional mobile programs, such as EHR apps, we become more vulnerable to violations.
Eric M. Cheng, MD, a physician-informaticist and associate professor in the department of neurology at the David Geffen School of Medicine at the University of California, Los Angeles, said that his institution allows users to bring their own mobile device, but starting in early 2014, it will require the installation of Airwatch on that device. Without it, employees will no “longer be able to access university email, calendars, contacts and tasks on mobile devices that are not enrolled in the program,” Dr. Cheng said. The university will pay the license fee for each employee to enroll two devices. For any additional device, the employee will pay the cost of an additional site license.
Cell phones enable another tempting feature that can significantly improve communication but, if not addressed, could result in HIPAA violations: text messages that include protected health information. In an April 2013 American Journal of Public Health article, Hilary N. Karasz, PhD, and colleagues reported that there are myriad risks in sending text messages that contain PHI. One problem is that once the text message has left the realm of the vendor or aggregator, it is under the domain of wireless telephone carriers with which the health department would have no contractual agreement for protecting PHI. In addition, the end user who may not password protect his or her mobile phone may make text messages vulnerable to access by unauthorized individuals.
“These risks can be mitigated, but not eliminated,” said Dr. Karasz, who works for the public health department for Seattle and King County. She advised that since people prefer to be reached by text message, it is incumbent upon the organization to develop policies and procedures that will allow them to use this tool.
Dr. Karasz pointed out that text messaging is not 100 percent secure, and that because standard SMS (short message service) cannot be encrypted, there the risk of a message being seen by someone other than the intended recipient exists along the entire pathway from sender to telecommunications carriers to the recipient. “Organizations or individuals who send PHI via text messages, therefore, are incurring the risk of a breach; however, risks can be reduced, if not eliminated, with training, careful selection of vendors, patient education, and policy,” she added.
Dr. Avitzur, a neurologist in private practice in Tarrytown, NY, holds academic appointments at Yale University School of Medicine and New York Medical College. She is an associate editor of Neurology Today and chair of the AAN Medical Economics and Management Committee.
HOW TO MITIGATE POTENTIAL SECURITY BREACHES/RISKS
How can neurologists continue to enjoy using our mobile devices but mitigate the potential risks to HIPAA privacy and security rules?
- “Use password protection and opt for more than the standard four digits, which can be cracked easily by specialized software. Instead, turn the ‘Simple Passcode’ option off and set up a complex password, and don't forget to activate the on-board encryption feature (available with iOS and Android devices),” advised David A. Evans, MBA, chief operating officer of Texas Neurology and chair of the AAN Practice Management and Technology (PM&T) Subcommittee.
- Install an app with remote locate and “wipe” functions, such as “Find My iPhone” or “Lookout.” “The fingerprint scanner for iPhone 5s and new remote wipe/lockout features makes this the most secure mobile device yet,” said Neil A. Busis, MD, chief of neurology at the University of Pittsburgh Medical Center, Shadyside. “In the past you could program no need for a password to go beyond the lock screen for 15 minutes or more, whereas now the scanner allows you to require authentication immediately with minimal hassle,” he added.
- “Avoid public Wi-Fi or limit access carefully and use VPN when available and don't keep data of a sensitive nature on your device unless it is encrypted,” advised William S. Henderson, administrator of the Neurology Group, LLP in Albany, NY, and a member of the AAN PM&T Subcommittee.
- Use a different alphanumeric password on each health-related app.
- “Encourage your organization to develop policies that allow text messaging under certain circumstances. Do not risk litigation for a security breach on one hand or loss of privacy to the client on the other without a strong rationale,” cautioned Hilary N. Karasz, PhD, who works for the public health department for Seattle and King County and wrote an article about potential security risks in the American Journal of Public Health.
- Protect yourself from “Apple Picking.” Recent media reports have described the growing crime trend of iPhone theft, often straight from users' hands. Don't talk on your device while walking around town or in public areas like shopping centers, especially while using ear buds.
- Finally, delete all stored health information before discarding or reusing the mobile device, advises the Office of the National Coordinator for Health Information Technology.
—Dr. Orly Avitzur