Bring Your Own Device

Transcription

1 Bring Your Own Device A White Paper Prepared by Bob Wolverton, Ed Prepared by Bob Wolverton, EdD Northwest Regional Telehealth Resource Center bob@nrtrc.org

2

3 Bring Your Own Device What is the state of the industry regarding the burgeoning demand from a significant number of healthcare providers to use their own tablets or smart phones while working with patients? The Bring Your Own Device (BYOD) trend is a topic of discussion throughout the Telehealth industry and few solid solutions have been offered. The Challenges The challenges surrounding BYOD are complex and the implications are serious for providers, patients and organizations. For providers, it is convenient to use their personally-owned tablet and make contact with a patient or a colleague and discuss a medical situation. For patients, it is convenient to be able to have an encounter with a provider in a quick and simple manner without having to travel to the provider s office. However, the convenience that obtains with use of handheld devices must be weighed against the overriding concern of patient privacy, as defined by the Health Insurance Portability and Accountability Act (HIPPA). HIPAA sets guidelines for protecting patient information and sets requirements necessary to ensure patient privacy. To that end, HIPAA sets forth guidelines for protecting patient health information and requires that healthcare organizations be able to detect security breaches that can be used to illegally acquire patients protected health information (PHI). In addition, HIPAA rules require health care providers to have a means of tracing security breaches If they occur. PHI breaches on video teleconferencing (VTC) equipment that previously had been the only means of providing Telehealth care until recently have been fairly easy to detect and trace. The newer hardware- or server-based communication systems are also capable of tracing breaches. However, BYOD brings a level of uncertainty to that monitoring and protection. Challenges include: Provider-owned devices are not intrinsically secure. Consumer-grade tablets and smart phones need not be (and therefore are not) HIPAA capable when they are sold to the public. The chances of a breach in security, therefore, increase with each device introduced into an information technology (IT) system Communications apps, while often times encrypted, do not offer the ability to determine if an encounter has been violated (hacked), nor do they offer the capability of tracing the source of the breach. Microsoft recently acknowledged that their product, Skype, had been hacked and several million accounts may have been at risk. Microsoft states that no data were compromised in the attack, yet this event demonstrates the potential threats to PHI when readily-available apps are used to provide health care In addition, some service providers record each conversation held on their systems and those recordings may be at risk as well BYOD 1

4 Additional HIPAA implications occur when one considers that the conversations conducted on handheld devices may not be held in secure locations and may be readily overheard by unauthorized individuals. While this is not an intrinsic failure of the devices, their ease of use may be seen as facilitating these potential breaches Selected BYOD Policies Because the demand for tablet- and smart phone-based communication is increasing at a tremendous rate, IT departments and Telehealth networks are trying several approaches to securing devices and making sure provider compliance is enforced. Some measures reported by NRTRC member networks include: A complete ban on privately owned devices. Practitioners are only allowed to use devices that are supplied by the employer and secured in such a way that they are HIPAA compatible (see the security discussion that follows) Requiring providers to agree to the employer s adding software to the device that allows for secure communication with patients and colleagues and that requires pass codes and other security measures to access PHI or conduct patient encounters Issuing devices and requiring providers to sign a waiver stating that they will leave all the software loaded onto the device in place and agreeing that their employment will be terminated should the provider violate this requirement Requiring that any access to PHI be conducted through a web portal or virtual private network (VPN) and that PHI not be stored on the device Security Considerations For an organization to be compliant with HIPAA requirements, handheld devices must be secured in some way. There are a number of options, some more attractive than others. Using a server-based communication method that is HIPAA capable is one way of ensuring that conversations can be protected and interceptions be recognized and traced. Polycom, Cisco- Tandberg, Vidyo and many others offer encrypted and secure server-based communications options Even with secure communications, however, devices themselves can be easily stolen, lost or misplaced. Data stored on the devices can be easily compromised unless certain measures are taken. One option is for the IT department to supply the devices and to lock them down, clearing the device of any but authorized communications applications, disabling the addition of unauthorized apps to the devices and adding password protection for access. Some password protection programs will wipe the device, that is, erase everything in device memory, if a certain number of unsuccessful log-in attempts are made. While this is a fairly secure system, it is unattractive to providers who may want to use the devices for personal uses A less draconian method of securing PHI and other sensitive information is to place apps that can contain sensitive data into a container. Containerized apps are, basically, sequestered on BYOD 2

5 the device by various methods. Access to the sequestered apps requires use of passcodes or other security features. Apps can be erased (or the whole container can be wiped ) if too many unsuccessful attempts to activate them are encountered. This approach may be more attractive to providers because it will allow fuller use of the device s capability (access is provided to both personal and patient-related apps) while still protecting PHI or company confidential information. Containerization can be used on providerowned as well as facility-owned devices. Containerization may also be attractive to IT departments because they can control apps in many ways. They can offer company-developed apps for the container or control third-party apps. Devices that are lost or stolen can be wiped remotely, or located. Devices owned by individuals who leave the company can be wiped remotely, protecting sensitive data from compromise. Even with all these security options available, vigilance is necessary in order to ensure that only authorized devices are used when dealing with sensitive information or processes. Perhaps the simplest solution is to have a provider-only wifi network with pre-registration, secure login and encryption included. However, that option does not protect data stored on devices that are taken outside the facility, as may be the case with on-call providers, who may need to use a variety of different wifi networks outside the hospital environment. Closing Thoughts The era of BYOD has started. Networks are struggling with a means of allowing device use without compromising PHI and without dumbing down devices, which can alienate owners or users. At this time there are nearly as many unique solutions as there are Telehealth networks. As BYOD becomes more widespread (at least as the demand becomes more widespread), solutions will be found. Until there are attractive, easily-implemented solutions, NRTRC recommends that networks that are considering allowing providers to bring personally-owned devices to work hold a series of meetings with their facility s Compliance, IT, Administration departments and provider representatives to fully discuss the needs and concerns of all parties and then to formulate a solution to this new and challenging era of Telehealth care. BYOD 3