Hospitals struggle with BYOD, want clarity from federal regulators

By Neil Versel
Share

BYODWith the bring-your-own-device trend showing no signs of abating and mixed messages coming from government regulators, healthcare organizations are struggling mightily with how to secure patient data on tablets, smartphones, laptops and even wireless medical devices.

Different federal agencies see security through different prisms. The Drug Enforcement Agency, part of the Department of Justice, regulates controlled substances, and requires two-factor authentication for physicians to write electronic prescriptions of Schedule II narcotics. Instead of using what's referred to as a "hard token" for the second factor, Dr. John Halamka, CIO at Beth Israel Deaconess Medical Center in Boston has suggested to the Food and Drug Administration, which regulates medications themselves, the use of a technology that sends a text message to a doctor's "known cellphone" with a code that expires in 10 minutes.

"The FDA said you need not a BlackBerry but a BarackBerry," Halamka said Wednesday in Boston at the 4th annual World Congress Leadership Summit on mHealth. He was referring to the highly secured, heavy and expensive smartphone that President Obama and others with high-level intelligence clearance must use for communicating classified information. It's a product made by defense contractor General Dynamics that is capable of issuing missile launch codes, Halamka said. That's not exactly practical for healthcare.

Healthcare entities generally use HIPAA privacy and security rules developed at the Department of Health and Human Services, but there is a lot of overlap between agencies.

Deven McGraw, director of the Health Privacy Project at the Washington-based Center for Democracy and Technology called encryption "your get-out-of-jail-free card should there be a breach," as far as HIPAA is concerned. However, if the technology is too cumbersome, users will find dangerous workarounds such as leaving passwords on sticky notes on the front of shared workstations.

On the consumer side, McGraw said the U.S. Commerce Department's National Telecommunications and Information Administration is now convening stakeholders, as the Federal Trade Commission has called for, to help reach consensus on mobile data protection standards, not specifically for healthcare. Along the same lines, the Center for Democracy and Technology this month published best practices for mobile app development.

"It's the intersection of these [institutional and consumer worlds] that is being driven by an increasingly engaged e-patient base," McGraw said. Stage 2 of the "meaningful use" EHR incentive program, set to begin in 2014, also will promote consumer engagement, based on draft requirements published earlier this year that should be finalized any day now.

"I think it would be good if the regulators would provide some clarity on that," McGraw said. The silence that the FDA, Federal Communications Commission and others have had for more than a year now on possible regulation of mobile apps as medical devices "isn't helpful," she added.

Dr. Joshua Lee, newly appointed CIO at University of Southern California Health, said healthcare organizations need to take "intermediate steps" to manage and secure mobile devices while various agencies work out their differences on health information privacy rules and regulation of mobile apps.

Under HIPAA, organizations are required to know who users are and manage their access. Lee, who until a month ago was CMIO at the University of California-San Diego Health System before moving up to Los Angeles, uses Active Directory, a Windows Server feature that allows network administrators to authenticate and manage users. As residents and others leave the organization, their credentials get deleted.

Portals can help "do the heavy lifting of authentication for you," Lee recommended. He uses Citrix and USC, just as he did at UCSD. He also is a fan of native smartphone and tablet apps for access to electronic health records, in part because apps necessarily limit the amount of information delivered to the mobile device and probably won't store data locally. "The complexity of what you get on a native application nowhere near matches what you can get on a desktop computer," Lee said, but noted that this will change as mobile technology evolves.

One thing that is near certain is that some portable devices will disappear. Halamka discussed a recent theft of a physician's personal laptop at Beth Israel Deaconess, publicly disclosed last week, that contained information on about 3,900 patients. The computer contained a tracking device, but the machine has not been turned on to activate the tracker; the laptop most likely has gone to a "chop shop," where the hard drive was wiped clean so it could be illegally resold, so the risk to patients probably is small, according to Halamka.

Still, BIDMC is going ahead with a previously planned two-phase effort first to encrypt all laptops and tablets owned by the institution in the next 90 days, then to encrypt all personal mobile devices that employees and medical staff used for business purposes.

"We're going to learn a lot over the next 90 days," according to Halamka. What happens, for example, when someone brings in an old laptop running Windows NT, an operating system that does not support encryption? "It's your lucky day," Halamka said. "We're going to buy you a new laptop."

The second phase will present even more challenges, because tablets and smartphones running the open-source Android mobile operating system and older computers with Windows XP or the Snow Leopard version of Mac OS might require extra attention, Halamka said.

To Halamka, it just shows how BYOD at an academic medical center is pretty much a nightmare without proper institutional controls. "It would be like Toyota building a plant and then allowing people to come in and build any car they want," he said.