How to Secure Mobile Devices for Clinical Communications March 5, 2019 TigerConnect 1778 Strong security and encryption are vital to protecting patient and medical data in healthcare organizations. Medical records and patient identities are major targets for hackers and other criminals, so you need best-in-class protection to secure your systems, devices, and data. Data leaks can be very costly for healthcare providers — your organization must meet HIPAA rules and other requirements, and compromised medical records can result in hefty fines and reputational damage. At the same time, you need to give your doctors, nurses, and other medical staff the access they need to provide excellent patient care. As technology advances, healthcare providers are using mobile devices and mobile healthcare apps to give employees immediate access to patient, diagnostic, and treatment data to enhance patient outcomes. The question is how do you properly balance mobile device use against the need for robust security and data protection. Here at TigerConnect, that's something we think about a lot — here are our ideas: Decide On Your Overall Mobile Technology and Healthcare Policy The first choice you will need to make is if you're going to let staff use their own mobile devices, or if you're going to issue "work only" devices for healthcare provisions. Both approaches have advantages and disadvantages. "Bring Your Own Device" Advantages of a BYOD approach include lower device costs for you as a healthcare provider, and that your staff doesn't need to carry around extra technology. Disadvantages could be higher support costs, since there will be many different configurations, and varying levels of encryption and security, depending on the communications platform you use. Healthcare Provider-Issued Device The advantages of this approach are that you can pre-configure the devices to your organizational standards, and ensure appropriate and consistent levels of encryption and security. On the downside, your upfront and ongoing costs for device purchase and subscriptions will be higher, but your support costs are likely to be low. Additionally, your staff will need to carry around extra technology. Communicate Policies for Mobile Usage and Mobile Healthcare Apps Once you have policies in place, make sure they are communicated to staff properly. Let them know how to secure their mobile devices, what to use them for, and what is, and isn't acceptable. Provide training to educate your staff, give refresher courses, publish your mobile usage guidelines, and build education into your onboarding process. Create a Secure Environment for Mobile Clinical Communications There are many ways to send and receive healthcare information and communications, but at a bare minimum, you must ensure proper encryption of data, both in transit and at rest. This means you can never use encrypted, plain SMS or email messaging — these are easily intercepted. The best way to achieve proper encryption and security is to use properly-encrypted communications technology. This could mean a complete Clinical Collaboration and Communication (CC&C) platform. Not only will you have HIPAA-compliant, secure messaging, you can also get access to electronic health records, diagnostics, and treatment data, wherever you are. Establish Proper Security on the Mobile Devices Themselves You always need to look at the weakest part of your healthcare security deployment. Even if you have a robust, secure, encrypted CC&C platform, mobile devices themselves can still be an attractive attack vector for hackers. This means you need every mobile device to have proper levels of encryption and authentication before the user gets access to sensitive data. There are several ways to achieve this: Ensure that all data on the mobile device is encrypted. Require extra authorization to access certain functionality and data via the device. Regularly patch any identified security vulnerabilities on the device. Get appropriate firewalls in place that can properly identify authenticated devices. Use smart algorithms to request additional identification if something unusual is happening with the device (e.g. it is trying to access data outside the provider's premises, or at unusual times.) Implement multi-factor authentication, requesting a separate code from a smart card, or via fingerprint or other biometric identification. Periodically Audit Mobile Devices Part of your healthcare security process should be auditing your CC&C platform and your mobile devices, to identify any strange usage or potential vulnerabilities. Carry out regular audits of your healthcare information and communication systems to ensure everyone is using their devices properly. As you can see, there are several practical steps you can take to secure your healthcare communications. Make sure you get robust policies in place, choose how you want to deploy devices, create a secure CC&C environment, secure your devices and apps, and carry out occasional audits. Taken together, these steps can radically improve the security of clinical communications across mobile devices.