Mobile Device Policy: Is Yours Up to Date?

August 15, 2013
Deborah Abrams Kaplan

Smartphones and tablets are becoming essential extensions of radiologists’ work life. Facilities must have robust policies that are constantly updated.

You’re out to dinner and the resident pings you with a question about an imaging study. You whip out your phone to pull up the image. Opening up that image and sending an email reply might be easy, but what about the policy behind using your mobile device?

Is the Wi-Fi connection secure? Is the data encrypted? Did you use your Gmail account or go through the hospital portal? Did that image get stored on your phone? Will the imaging program lock you out after a few minutes of inattention? What happens if you forget your phone at the dinner table?

These are just a few items a mobile policy should address. With tablets and smartphones becoming essential extensions of work life, the policy behind them needs constant monitoring and adjusting, especially since physicians don’t always use mobile devices in the secure way intended.

Radiologists wouldn’t choose to view all their studies on small tablet or phone screens, but image quality is good enough to read the occasional image when on call or off-site. These mobile devices are mostly used when the radiologist is on call or a resident has a question, said David Hirschorn, MD, director of radiology informatics at Staten Island University Hospital.

Who owns the device?

Institutions may not want to issue mobile devices to their staff given the expense, liability and maintenance/staff time involved. The other option is allowing staff to use their own devices (also known as “bring your own device” or BYOD).

Facilities that provide doctors with the devices gain a measure of control, telling them how they can use it. But no matter who owns the device, abiding by the institution’s policy isn’t optional, “but what you’re forced to do, whether you like it or not,” said Hirschorn.

If a doctor will be accessing patient information, the device - even doctor-owned - should be tagged or registered by the facility, said Aaron Tantleff, senior counsel at Foley & Lardner LLP in Chicago. “You don’t allow random devices on your network. The only way they should be allowed to connect that device to the network is to track them while on network,” he said.

A hospital IT or security employee can look for possible breaches by monitoring log-ins. Is someone logging in from a remote place as well as internally, and they’re 500 miles apart? That’s a red flag.

“I can’t state strongly enough to know what devices you have, and systems in place to detect abnormalities,” Tantleff said. If something happens, the facility can investigate what information was accessed and whether it was encrypted. That helps determine the next course of action.
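The login-monitoring check described above, written out as an added example (not code from the article or from any hospital system it mentions): it groups constructed login events per user and flags any pair of logins more than 500 miles apart within a short window. The coordinates, user names and two-hour window are assumptions for the example; a real deployment would take location from the access logs or a GeoIP lookup.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sample login events: (user, timestamp, lat, lon, source).
# Users and coordinates are made up for this example.
SAMPLE_LOGINS = [
    ("rad_a", "2013-08-15T18:02:00", 40.58, -74.08, "internal"),  # near the hospital
    ("rad_a", "2013-08-15T19:10:00", 42.36, -71.06, "remote"),    # ~200 miles away
    ("rad_b", "2013-08-15T20:00:00", 40.58, -74.08, "internal"),
    ("rad_b", "2013-08-15T20:45:00", 41.88, -87.63, "remote"),    # ~700 miles away
]


def miles_between(lat1, lon1, lat2, lon2):
    """Great-circle distance in statute miles (haversine formula)."""
    earth_radius_miles = 3958.8
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = (sin(dlat / 2) ** 2
         + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2)
    return 2 * earth_radius_miles * asin(sqrt(a))


def find_impossible_travel(events, max_miles=500.0, window_hours=2.0):
    """Return one flag per consecutive login pair (same user) that is
    farther apart than max_miles but closer in time than window_hours."""
    by_user = {}
    for user, ts, lat, lon, source in events:
        by_user.setdefault(user, []).append(
            (datetime.fromisoformat(ts), lat, lon, source))
    flags = []
    for user, logins in by_user.items():
        logins.sort()  # chronological order per user
        for (t1, la1, lo1, s1), (t2, la2, lo2, s2) in zip(logins, logins[1:]):
            hours = (t2 - t1).total_seconds() / 3600
            dist = miles_between(la1, lo1, la2, lo2)
            if hours <= window_hours and dist > max_miles:
                flags.append({"user": user, "miles": round(dist),
                              "hours": round(hours, 2), "from": s1, "to": s2})
    return flags


if __name__ == "__main__":
    for flag in find_impossible_travel(SAMPLE_LOGINS):
        print("red flag:", flag)
```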

Not all doctors accept the hospital policies for logging in from their mobile device, said Hirschorn. “If it’s their own device, they don’t want the hospital to dictate to them what kinds of protections they need on their device,” he said, though those holding back will ultimately give in because they’ll want access to the images and emails. One compromise is that a physician may choose to accept the terms on only one device, like a tablet instead of their personal phone.

Just as hospitals rely on physicians to keep their home computers working properly (if they’ll be logging in from home), the same goes for the phone. “These days mobile devices tend to be personal devices,” said Hirschorn.

[Photo: David Hirschorn, MD]

That said, some hospitals enforce security policies by giving doctors a list of approved phones, only giving access to the hospital system for models they consider secure, as certain Android versions aren’t as secure as others. “They weren’t trying to force one brand, but they tried to push you toward a minimum security system,” said Hirschorn.

Security

What’s at stake in the electronic medical records? Not just personal health information, but financial information, billing records, social security numbers, addresses and dates of birth. The system needs to be able to implement and secure the appropriate safeguards and to ensure the confidentiality and integrity of personal health information, said Tantleff.

Even hospitals that seem to have well-developed policies may have holes in them, said Tantleff. You can’t assume everyone is following the policy, even if it’s bulletproof, because a person may be using a different device.

Unlike laptops, which store large amounts of data on the hard drive, information isn’t usually stored on the phone. In the past, Hirschorn said, doctors downloaded large amounts of data to the hard drive to read it. It was a lot of data to process locally to visualize it.

“The phone is a window to an online database,” he said. “I’m not trying to read an entire CT scan on my phone – only a piece of it. I don’t need a heavy rendering. The phone isn’t up to it anyway. It’s not a big screen.” Given the size, the need to connect to the database, and the liability issues, “there’s nothing gained by downloading and keeping it local. Do not store significant amount of information locally,” he said.

Even if the medical data is stored on a remote server, there’s still cause for concern if a mobile device is stolen or used by someone else, said Tantleff. He said that iOS and Android devices work differently, with Android using a data layer and an application layer. The iOS system is linear, with each application having its own data, he said, so the way that applications share data may differ. And there are other ways to access information on the device, including keylogger spyware, which can stealthily track and view mobile data.

Policy safeguards don’t always work the way they’re intended. Hirschorn said that one hospital policy was to wipe out the phone data if an incorrect password was used ten times. He once had his phone in his pocket, and the buttons were pushed inadvertently, causing the hospital to wipe out the phone data. While his phone had no patient data, he said that if he were to store it on the phone, it would be on an SD card, an external memory card. The hospital policy didn’t view the SD card as part of the phone, but rather something plugged into the phone. “The one place I would have put patient data, would have been intact still. In that case, (the safeguard) didn’t work.”

Mobile device management solutions

Mobile device management (MDM) solutions are the systems many companies use to control a network’s data and security configurations. But a lot of them aren’t great, said Tantleff. They may restrict the way you use the phone, limiting features to those already in the program. That’s fine if you like the features, but if it doesn’t enable ones like the address book or notes field, or it uses a different PDF program than you like, you may be tempted to go outside the system. “It’s a virtual compartment,” Tantleff said, which may not let you store anything on the phone but you must still operate within it.

The problem comes when users forward secure and possibly encrypted information from the MDM to their personal email, in order to access or share it. A secure MDM program would restrict access to external email, Tantleff said. The information could be forwarded to a portal, for example, for a patient or physician’s limited access. The other party would need to log in and respond through the portal. But unless the MDM is restricted on that level, it’s possible for personal health information to be breached.

Users who want to store information on their device might email the document or image to themselves. “The hospital won’t know about that,” Tantleff said. If your device is stolen, they can disable the program, but that doesn’t wipe out the information stored elsewhere on the phone.

Creating a Policy

To create or revamp its mobile device policy, an institution should first look at the current situation: how devices are being used. The policy should spell out which devices it applies to, what the sanctions will be, and privacy and security, said Lisa W. Clark, partner at Duane Morris LLP in Philadelphia.

Institutions are trying to get their heads around what doctors are doing with their devices, which has been difficult, she said. A policy can mandate that physicians notify the hospital about how they are currently using their mobile device for work, with a sanction policy in place if they don’t.

The assessment and policy creation should include those involved in developing and implementing it, including the top levels of the privacy/security team, IT, and decision makers, since they’ll need to work together, said Tantleff.

Part of the assessment is thinking about whether mobile devices should be able to access medical information at all, said Tantleff. Will you allow emailing? How will they transmit information? Consider whether the devices should be owned by the individual or the facility. Either way, the facility needs the ability to access and monitor them, in case of litigation, to wipe them clean of medical information, or when terminating the person’s employment. Figure out the potential risks of the proposed mobile policy.

[Photo: Aaron Tantleff]

When using an MDM solution, there are additional considerations, including encryption. Will you allow it to transmit medical information only while on the premises? Can people use it remotely? What about using public Wi-Fi that can be intercepted? “Each of these issues comes up again and again,” Tantleff said.

He recommends against using the device to move information to a different platform, such as from one device to another, because doing so can leave the information unencrypted.

Keep HIPAA in mind when creating the policy. HIPAA applies to covered entities: providers, health plans and billing companies, said Clark, who added that the standards are very broad and need to be tailored to the entity. This includes performing risk audits, determining your weaknesses, management processes, passwords, training, and reporting requirements in case of a breach. In terms of mobile devices, “we’re not seeing a lot of enforcement yet. I don’t think the government has its head around it either,” she said, but that will come.

Violating HIPAA regulations can be costly. “There are significant potential ramifications for not following the (HIPAA) security rule,” said Tantleff, starting with monetary fines.

Part of the mobile device policy should include creating secure passwords and activating the automatic lock on the MDM software when it’s not in use. “What if you use the device and you walk away?” said Tantleff. The next person then has open access to it. “Even if information is stored virtually, you just handed it over to someone unlocked.” That includes friends and family, if you give them your phone to make a quick call. If the information is unlocked or uses the same password as the phone, the person holding your phone could easily look at private information.

The last part of the policy should include maintenance and implementation/training. “It’s not enough to have a policy, make sure it’s current and up to date,” Tantleff said. And no policy will work unless you educate, train and retrain people to understand it.
