When faced with a difficult task, the obvious reaction is to look for a shortcut. It's no different in mHealth security, where a health system's employees will look for an easier way to use their device if the logins are too time-consuming or complex or the IT department is too slow to respond.
It's called finding a work-around, and it's usually illegal - and quite possibly dangerous.
It's also quite common. Sal Volpe, an independent physician and moderator of a panel discussion at Sunday's Privacy and Security Symposium at the mHealth Summit, said a recent survey found that 21 percent of healthcare workers use work-arounds every day to make their jobs easier, while another 30 percent said they cut corners "some of the time."
When that happens, however, security protocols are compromised, and the health system is vulnerable to hackers, with protected health information exposed to theft or loss.
So what to do? The challenge, says David Houlding, senior security and privacy researcher for Intel, is to design a security process that's strong enough to foil theft or misuse yet easy enough for employees to use. Multiple log-ins requiring your first pet's name and your first grade teacher or combinations of letters, numbers, punctuation marks and ancient hieroglyphics at least 20 characters long aren't going to work.
"Sometimes we shoot ourselves in the foot," he said.
Thompson Boyd, physician liaison for Hahnemann University Hospital, said front-line clinicians have to be involved in designing the security protocols or the apps from the get-go. They're the ones who are going to be using the devices and/or log-ins, so they're best suited to know what will and won't work. Likewise, he said, it's a good idea to have app developers "job-shadow" doctors and nurse to see how they use their devices.
Glenn Fala, senior director of software development for Penn Medicine, pointed out that some work-arounds are just better ways of doing things, and could be used constructively to improve the process. He noted that when some residents at Penn Med were frustrated with their on-call procedures, they developed their own app to improve the process. On another occasion, when the health system's IT department learned that some physicians were text-messaging each other, the health system installed a secure messaging app for them.
Mark Parkulo, vice chairman of the meaningful use coordinating group at the Mayo Clinic, said administrators there learned that some physicians were taking photographs of patient injuries with their own smartphones to help with analysis and documentation. Clinic administrators jumped in front of this problem by designing an app that can take a photograph and automatically store it in a secure archive.
While work-arounds can present opportunities for mHealth innovation, Parkulo emphasized that they are, first and foremost, examples of "risky behavior" by staff, and as such can lead to job termination. That's why, he said, it's important that administrators "get in front of your culture" to head off problems before they get serious.
Houlding pointed out that mHealth has given healthcare executives the opportunity to do many things better, from saving money to improving clinical outcomes. But it has also opened the door to many new challenges, making it difficult for IT to keep track of all the threats.
The trick, the panelists said, is to make compliance easier than the work-arounds.
"Make it easy to do the right things right," Boyd said, "and make it hard" to do the wrong things.
