The CIO's BYOD Toolbox: Top Trends for HIPAA Compliant mhealth
Sponsored by: CUSTOM MEDIA
Executive Summary

We are all connected. Look around you in any café, shop, or emergency department waiting room, and you'll see the vast majority of people with mobile devices in hand. The prevalence of wireless technologies offers businesses exciting and innovative ways to connect with their customers and clients, and the healthcare industry is no exception. As mobile technology has evolved, healthcare organizations are seeing that mobile health, or mhealth, is a tremendous opportunity for healthcare workers to communicate and share information with co-workers, administrators, payers, and patients.

But with great opportunity comes great responsibility. The stringent demands of the Health Insurance Portability and Accountability Act (HIPAA), particularly the final HIPAA Omnibus Rule, mean that providers must go to great lengths to ensure the protection of patients' protected health information (PHI).

The rapidly growing practice of bring your own device (BYOD) allows employees to use their own mobile devices for work purposes. More and more, healthcare workers are relying on their personal smartphones, tablets and other mobile devices to help them do their jobs. While mhealth will never replace the human element in healthcare, it does provide a valuable toolset to help healthcare organizations streamline processes, thereby lowering costs and improving the quality of patient care.

We are all connected. And these connections, which now often merge the professional and personal, bring new and varied challenges to keeping both patients and their health data safe and secure. When it comes to details in healthcare, there is no replacing person-to-person communication. But as we move towards a more mobile landscape, it is possible to support mhealth interactions through the adoption of safe, secure and reliable technologies.
The Prevalence of Mobile Technologies and HIPAA Compliance

1 Million Mobile Physicians

Today, there are nearly one million physicians in the U.S., and these physicians often move between offices, clinics, departments and other facilities in, around, and between affiliated (and even, at times, non-affiliated) hospitals. With the number of multisite health care delivery organizations having grown nearly 10% over the past decade, the number of mobile physicians can only be expected to rise. 1 Their ability to provide quality care to patients requires constant and easy access to clinical information, as well as the ability to communicate effectively and efficiently with colleagues and care team members. 2 This need has only grown with the advent of accountable care organizations (ACOs) and their distributed networks of providers. As such, healthcare organizations are looking for flexible and secure solutions to help clinicians stay connected and gain quick access to the data they need.

One solution may be no farther than your average resident's pocket. A recent survey by the Healthcare Information and Management Systems Society (HIMSS) reported that 83% of respondents indicated that physicians at their organization were using mobile technology to facilitate some patient care, and nearly 60% of respondents said the benefit of mobile technology was the ability to view and interact with data from a remote location. 3 But with new statistics suggesting that 98% of physicians own and regularly use personal smartphones at work, it's possible that many healthcare workers are already communicating PHI from personal devices without any governing policy or controls. 4 With the right BYOD policy in place, those same personal devices could be leveraged to let clinicians communicate in a more agile manner, increasing overall efficiency and productivity on the hospital floor and beyond.
But such BYOD use requires careful governance, with HIPAA compliance being the main driving force behind the intense spotlight on mhealth security. While many industries now allow employees to use their own wireless devices for work purposes, the demands of HIPAA regulations and healthcare's unique needs regarding patient data have made some organizations hesitant to follow suit. Studies continue to show that BYOD has the power to improve physician morale, decrease costs, increase productivity and improve patient care. 5 But to find this kind of success, healthcare organizations need to understand the risks involved and put proper policies in place that will prevent and contain any potential security breaches.

The Security Risks of BYOD

There are several types of security risks that may compromise HIPAA compliance when hospital employees start using their own devices to transmit patient information. Each should be considered when developing your organization's BYOD policy.
The Top 4 BYOD Security Risks

1. Lost devices. A majority of data breaches reported to the Department of Health and Human Services have been due to the theft or loss of a mobile device or laptop. 6 According to an Ernst and Young research report, 22% of all mobile devices produced will be lost or stolen over their lifetime, and 50% of those are never recovered. 7 Handheld devices, tablets, and smartphones are all too easy to lose. What happens when one of your employees leaves a device at a restaurant? Or in the hospital bathroom? Unless the device is passcode-locked and its storage encrypted, anyone who picks it up can read whatever protected health information it holds.

2. Password protection for clinician devices. Many physicians may not password-protect their personal devices or the applications on them. Or they may choose simple passwords that are easy to guess or crack, and a guessed passcode unlocks everything on the device, encrypted or not.

3. Encryption of only certain data elements. Even a locked phone with encrypted storage may not be completely secure. Many smartphones show previews of incoming texts or emails on the lock screen, so message content is visible to any passer-by even while the device is locked. Furthermore, personal devices may carry a variety of third-party applications, some of which can collect data from your hospital network or from other apps on the device without the user intending it.

4. Mixing personal and PHI data. BYOD blurs the line between what data is professional and what data is personal. Everyone has a story about a text sent in error. What happens when a physician accidentally sends PHI intended for a colleague to his Mom? Or sets his device to back up all photos, including those of a recent post-op examination, to his personal iCloud account? Personal and professional data need to co-exist on the device, but in such a way that PHI is always protected.
Key Considerations and Rules for HIPAA Compliance with BYOD

In 2014, the Ponemon Institute's Fourth Annual Benchmark Study on Patient Privacy and Data Security found that BYOD usage in the healthcare space continues to rise. In fact, 88% of respondents stated that employees at their organization were permitted to access the network using a personal mobile device. Yet, despite that policy, more than half of the respondents stated that they were not confident that such access was secure. 8 Additionally, a recent PwC research report found that both physicians and payers identified security and privacy as the leading barriers to the use of mhealth, with only around half of the physicians surveyed believing the mobile Internet technologies at their workplace are secure. 9

In an industry where many organizations don't have strict policies in place governing even company-issued mobile device use, it may be hard to know where to start when it comes to BYOD. 10 But with the HIPAA/HITECH Omnibus final rule now in place, it's more important than ever to create and enforce clear programs for use. First and foremost, mobile devices are not exempt from breach notification requirements: if a breach occurs on a mobile device, it needs to be handled in the same manner as one that occurs on any desktop computer. Second, a cloud service, or any subcontracted organization that stores or processes PHI, is a business associate and needs to be part of the chain of compliance, including a signed business associate agreement. Since most mobile devices take input from and store information in cloud services, the onus is on healthcare organizations to direct how, where, when and why PHI is uploaded to and downloaded from these associated entities. 11

Mobile device security, though, starts at the user level. Healthcare organizations must set policies similar to those that businesses across a number of industries have already set. Encryption, device lock-down, and required passwords are among the most important considerations. Given the prevalence of third-party applications on personal devices, vulnerabilities must also be monitored and assessed through mobile anti-virus programs, internal management of mobile apps, continual assessment of mobile apps to uncover greater security risks, and many other measures. 12 If organizations don't, the costs and related HIPAA penalties may be too great to bear.

The Future of BYOD and mhealth: Supporting the Need for Clinical and Patient Collaboration

The mobile revolution will not be denied. Physicians and patients alike want the ability to use their personal mobile devices to communicate with healthcare organizations and share protected health data. And it's possible to do so and remain HIPAA compliant. You just need the right policies and products in place. To start, you can support HIPAA compliance by adopting a cloud-based communications system, one that encrypts both calls and data, whether in transit or at rest. This enables hospital workers to send and receive PHI safely and efficiently while protecting the privacy of physicians and patients as they do so.
RingCentral's HIPAA-compliant cloud phone system for healthcare delivers just that kind of solution. It offers robust call routing and handling so providers can take and make calls on their business line via their personal mobile devices for secure BYOD usage.

As mhealth technologies evolve, healthcare organizations need to support mobile applications that facilitate real-time access to patient data. They will need to push information, through messaging and mobile alerts, to consulting physicians. But communication cannot, will not, and should not be limited to devices. Healthcare organizations should embrace apps and new technologies that also facilitate the patient-physician interaction. As wearable technologies progress, your organization may have to support wearable devices that communicate PHI as well as alert physicians to potential complications.

Looking to the future, hospitals and other healthcare organizations should also be preparing for on-demand medicine capabilities. As more ACOs take root across the industry, physicians need to be able to participate in case discussions with referring doctors and organizations as well as distributed care team members. But patients also want secure video chat offerings. Worried parents can talk to a nurse or pediatrician during a baby's late-night fever. Mental health patients can open up to providers from the comfort of home. And patients with chronic illnesses can regularly check in with providers without the inconvenience of a monthly in-person appointment (or simply waiting until their health deteriorates). And payers are prepared to answer the bell: a recent survey revealed that 60% of payers surveyed have either already started paying for video consultations or plan to in the next few years. 13
As an example, RingCentral Meetings allows both physicians and patients to connect online easily and securely, with real-time screen and file sharing when meeting face to face is not an option. Physicians can conduct real-time video communication as well as collaborate on media such as X-rays, lab results and discharge notes, and patients can confer with care providers with comfort and ease. Taken together, promoting on-demand services improves patient satisfaction and care and also results in significant cost savings for healthcare organizations. 14

The Future is Mobile

We are all connected. And the future of healthcare, both in terms of patient-to-physician and physician-to-physician communication, has gone mobile. While person-to-person communication will never be completely replaced, mhealth, including BYOD, is becoming increasingly important. Patients expect it and, more importantly, quality care demands it. Providers must facilitate the secure exchange of information while providing transparency of communication between key care providers and their patients, or risk being left behind. Your organization can facilitate value-based care through mobile communications. But it requires the development and acquisition of tested, reliable solutions that facilitate your connections and your organization's ultimate goals, rather than impede them. We are all connected. And your choice of technologies can ensure you and your patients stay securely, reliably connected no matter what comes next.
About RingCentral

The RingCentral cloud communications system enables professionals to work the way they want in today's mobile, distributed and always-connected world. Delivered on a state-of-the-art cloud infrastructure, RingCentral helps more than 320,000 organizations provide seamless voice, text, fax, audio conferencing and web meetings along with integration into their favorite SaaS applications. RingCentral combines powerful, secure, and flexible enterprise-class solutions that support healthcare professionals in hospitals, clinics, medical offices, and in-home care environments.

Learn more: Discover more about RingCentral's HIPAA-compliant, all-inclusive cloud phone system for healthcare. Visit RingCentral.com
References

1 Porter, M.E. and Lee, T.H. (2013). The strategy that will fix health care. Harvard Business Review. https://hbr.org/2013/10/the-strategy-that-will-fix-health-care/
2 Leventhal, R. (2014). Top ten tech trends: Getting the green light on clinician-to-clinician texting. Healthcare Informatics. http://www.healthcare-informatics.com/article/top-ten-tech-trends-getting-green-light-clinician-clinician-texting
3 HIMSS Analytics. (2014). Third Annual HIMSS Analytics Mobile Survey. http://www.himssanalytics.org/research/assetdetail.aspx?pubid=82144&tid=127
4 Spyglass Consulting Group. (2014). Point of care communications for physicians 2014. http://www.spyglass-consulting.com/wp_pcomm_physician_2014.html
5 Perna, G. (2014). Q&A: Implementing an effective BYOD protocol (Part 1). Healthcare Informatics. http://www.healthcare-informatics.com/article/qa-implementing-effective-byod-protocol-part-1
6 Deloitte Center for Health Solutions. (2012). mhealth in an mworld: How mobile technology is transforming health care. http://www2.deloitte.com/content/dam/deloitte/us/documents/life-sciences-health-care/us-lhsc-mhealth-in-an-mworld-103014.pdf
7 Ernst and Young. (2013). Bring your own device: Security and risk considerations for your mobile device program. http://www.ey.com/publication/vwluassets/ey_-_
8 Raths, D. (2014). Survey: Data breaches decline slightly, but threat remains high. Healthcare Informatics. http://www.healthcare-informatics.com/article/survey-data-breaches-decline-slightly-threat-remains-high
9 PwC. (2014). Emerging mhealth: Paths for growth. http://www.pwc.com/en_gx/gx/healthcare/mhealth/assets/pwc-emerging-mhealth-full.pdf
10 Raths, D. (2014). Survey: Data breaches decline slightly, but threat remains high. Healthcare Informatics. http://www.healthcare-informatics.com/article/survey-data-breaches-decline-slightly-threat-remains-high
11 Hagland, M. (2013). Mobility and malpractice: One legal expert looks at the implications of mhealth on legal processes. Healthcare Informatics. http://www.healthcare-informatics.com/article/mobility-and-malpractice-one-legal-expert-looks-implications-mhealth-legal-processes
12 Ernst and Young. (2013). Bring your own device: Security and risk considerations for your mobile device program. http://www.ey.com/publication/vwluassets/ey_-_bring_your_own_device:_mobile_security_and_risk/$file/bring_your_own_device.pdf
13 PwC. (2014). Emerging mhealth: Paths for growth. http://www.pwc.com/en_gx/gx/healthcare/mhealth/assets/pwc-emerging-mhealth-full.pdf
14 American Telemedicine Association. (2013). State Medicaid best practice: Remote patient monitoring and home video visits. http://www.americantelemed.org/docs/default-source/policy/state-medicaid-best-practice---remote-patient-monitoring-and-home-video-visits.pdf?sfvrsn=6