Along with reducing paperwork, easing administrative burdens, and generating some cost savings, the rise of electronic health records (EHRs) in health care settings has significantly increased the risk of data breaches. Mobile devices alone, according to one recent industry news report, were responsible for 116 breaches between Sept. 22, 2009 and May 8, 2011—exposing the personal health information (PHI) of more than 1.9 million patients in the process.
It’s a modern fact of life that PHI is now more mobile than ever—traveling not just on smart phones, tablets, and laptops, but on a host of mobile media, including easy-to-lose flash drives.
As healthcare CIOs struggle to balance their responsibility to safeguard patient data against the need for health care professionals to access that information, they’re adopting a variety of approaches, including a return to mobile media encryption and implementation of in-house mobility management programs.
A good example can be found at Morristown, N.J.-based Atlantic Health System, which ranks among the best and most wired hospitals in the U.S. In addition to some 8,000 desktops and 1,500 laptops, the health system includes an ambulance company and a home care company. Employees across the system’s footprint, of course, carry a broad range of mobile devices and mobile media.
Linda Reed, RN, MBA, vice president and CIO at Atlantic, recalls arming all of her organization’s laptops with pre-boot encryption a few years back. “It was lucky we did,” she says, “because just after that our home care division had a couple laptops stolen and we would have been in a bind.”
Next, Reed and her team waded into doing mobile media encryption, but the technology was still a little kludgy and the workforce wasn’t quite ready, so they backed away from it, focusing instead on encrypting all of Atlantic’s back-up drives. Reed also made it a matter of policy to eliminate tape storage, opting for disk-to-disk back-up right on site.
“We might need to revisit tapes at some point again for temporary back-up,” Reed says, “but right now we don’t do that; everything stays on site and it’s encrypted.”
Roughly six months ago, Atlantic revisited mobile media encryption, thanks to improved technology and a growing awareness in the healthcare industry that data breaches attributable to mobile are serious business.
Today, if you put any kind of flash drive or portable media card into any Atlantic device, you will receive a message informing you that you must encrypt it before proceeding.
As part of the health system’s budding mobility management program, Reed says Atlantic will soon be able to enforce PINs on all mobile devices, track them wherever they go, and wipe them remotely as needed.
The program itself will be rolled out in waves. The first step includes a marketing campaign, which Reed says will provide ample warning to all staff regarding the coming changes.
For health IT professionals at organizations lacking the funds to put such guardrails in place, Reed says the only thing you have in your favor is education and awareness. Her suggestions: educate senior management on the threats and consequences by referring them to breach reports published regularly via HHS.gov. Specific to mobile, she also urges health IT professionals to implement an awareness campaign around mobile media, such as The Dangers of Flash Drives.
“Because it’s a two-pronged issue,” adds Reed. “It’s not just what you’re taking out of the organization, it’s also what you’re bringing back in.”
What do you think?
As a B2B journalist, John Farrell has covered healthcare IT since 1997 and is Intel’s sponsored correspondent.