If you talk to security professionals in healthcare, they will tell you that physicians and healthcare don’t mix. If you talk with physicians, they’ll tell you that security gets in the way of them doing their job. So let’s discuss what makes the physician’s activities difficult to protect.
Physicians went through more training than most to be able to provide the best medical care to patients possible. With advances in tablets, smartphones, mobile applications and ubiquitous internet access, physicians are providing care in hospitals, in medical offices, over videoconference and even over the phone on a beach while they’re vacationing.
They may use their Mac in their office, their tablet in the hospital and their smartphone when they’re away from both locations. In order to facilitate the delivery of care in the most effective and efficient way, physicians demand access to patient records and require the convenience of being able to access them from anywhere and from whatever device is convenient for them.
So when a physician demands the ability to snap a photo of a wound or patient condition and use their iPhone to send it to a colleague in real time for immediate feedback, how can organizations balance those needs with the regulatory scrutiny that demands patient record confidentiality and a strict accounting of disclosures?
Many organizations have looked at mobile device management (MDM) as an answer, but it doesn’t resonate well with physicians. MDM applications certainly can provide layers of control on a mobile device, but they also give significant control to the organization’s IT department, which many don’t like. I remember an example where a physician informed me a colleague of theirs had their mobile device accidentally erased by another hospital system and because of that, the physician refused to give any control of their device to IT anymore. Is the ability to remotely erase a smartphone or tablet truly a requirement? Keep reading. MDMs can also expose photos and information about how the device is being used to an IT administrator, unless there are policy prohibitions against such access.
Another major roadblock in using an MDM with physicians is the restriction that a phone can only have one installed. Despite the trend that health systems hire more physicians directly, many physicians maintain private practices and have admitting privileges to local hospitals where their patients can be treated. It’s common for physicians to have privileges at more than one hospital, so if each one wants to install an MDM on the physician’s phone, it’s not possible for them to comply.
Some organizations have resorted to issuing physicians corporate-owned smartphones and restricting patient record access to that device only. Although that may meet the security needs of the organization, it certainly is more cumbersome for the physician’s and adds time and complexity to his daily routine.
So how can organizations bring security into physician workflows without hindering them unnecessarily? Here are some options:
Leverage mobile apps that don’t store data. Many healthcare mobile apps are simply gateways to web-based apps which reside in a secure environment. By leveraging these types of applications for patient data access, there is no sensitive patient data stored on the phone.
Force physicians to use virtual technology. There are multiple technologies out there that can present the user with a virtual desktop or environment where the applications are being executed in a secure environment and not on their device. Although these provide good control over data exposure and the spread of malware, they can still be vulnerable to security failures on the device they are using. A keylogger or video capture malware instance on their local device could still be capturing all activity during the session and so the potential for data loss should still be considered.
Verify the security hygiene of devices upon access. Certain platforms, like Duo Security, can check the security properties and hygiene of devices the company may not own or manage, at the time it’s being used to access a protected application. If a device is missing updates or is found to have poor security hygiene, the authentication attempt can be denied with a message to the physician explaining why.
PC verification is done without an agent, and a mobile application is used to verify the security posture for a smartphone. In both cases, the app and the IT department have no authority to view or make changes to any other content or property of the device. This also empowers the physician to remediate the device deficiency themselves to gain secure access.
If a device is lost or stolen, do you need to erase it? If the security checks verified that screen lock is enabled, the device is encrypted and is protected with a fingerprint or strong passcode, the data will not be exposed to an unauthorized individual - whether it’s erased or not. Do you know whether the physician turned off these properties after they accessed the application? A simple physician attestation can confirm they did not change the security properties of the device.
Authenticate registered personal devices upon access. If verifying device hygiene is still not strong enough security for the organization, require an additional verification that the physician is using the device they registered with the security platform. This registration is tied to the hardware code of the device and not simply the phone number. This control avoids the risk of individuals intercepting SMS verification codes or redirecting them to a false device.
I’ve often stated that the healthcare environment is one of the most difficult to secure because of the amount of regulated data, the number of individuals with access to it, and the demands of modern healthcare workflows. But with a renewed focus on physician usability and a modern approach to security, it can be secured while satisfying both organizational requirements for security and privacy, as well as physician demands for access and convenience.