The proliferation of mobile devices in healthcare, from smartphones and tablets to the clinical devices themselves, is forcing healthcare executives to take a new approach to privacy and security.
Gone is the "security cop" approach, in which staff and employees are simply told what they can and can't use and do. Instead, we're seeing a "business enablement" approach, in which privacy and security concerns are woven into the workflow.
The reasoning behind this, says Jim Doggett, Kaiser Permanente's senior vice president, chief security officer and chief technology risk officer, is that cybercrime is an industry now, and the old method of "do it my way or else" won't work any more. With new ways of delivering healthcare must come new ways of protecting it.
"We're a bit out of alignment," Doggett said during a recent presentation at the HIMSS Media Privacy and Security Forum. "We're still solving yesterday's problems when we need to be solving today's and tomorrow's problems."
To wit: Doggett said he wanted to determine how to best implement a new policy on privacy and security. He tailed a physician during a normal workday, and watched the man log on and off and back onto various systems "maybe 50 times." Doggett said he realized the doctor wasn't going to adopt any new privacy and security rule that added to his workload, and would in fact welcome something that improved it.
The answer: Don't just establish a policy and enforce it; work with doctors, nurses and other staff members to see how it can best be implemented.
That was the prevalent thinking during the first day of the two-day forum, being held in San Diego. Healthcare is already changing so much that privacy and security methods have to be woven into those changes. If mHealth and telemedicine are going to improve healthcare delivery over the coming years, privacy and security platforms must be developed to enhance those methods, rather than pushing people away or hindering adoption.
The takeaway for mHealth enthusiasts during the first day of the conference is that privacy and security have to become more fluid – rigid rules just won't work any more – and be mindful of the fact that sensitive data is moving in and out of the enterprise in more ways and on more devices.
Mobile devices and social media "are really big areas of compliance concern," said Iliana L. Peters, senior advisor for HIPAA compliance and enforcement with the U.S. Health and Human Services Department's Office for Civil Rights. She said too many healthcare providers aren't taking this seriously. "They neglect to acknowledge where their data is or the risk to that data."
Encryption of data has to become the norm, rather than a suggested policy.
"If your entity is not encrypting, it should be," she said.
And doctors and nurses have to be made to understand that protection of sensitive data is "a part of efficient healthcare." Michael Allred, Intermountain Healthcare's information security consultant and identity and access team manager, said clinicians are the toughest to educate and may be frustrated with privacy and security efforts, but one breach could cost them and their institution much in terms of reputation and money.


