Protecting PHI and EHR on Mobile Devices During the COVID-19 Pandemic


By Gregory Mooney

It seems like years ago, but it has only been about six months since the COVID-19 pandemic swept across the world; before that, we were only aware of an outbreak in China’s Wuhan region. China was in the very tough position of having to shut down an entire city of millions of people amidst an outbreak of a new and highly contagious coronavirus. Within a matter of days, China erected two massive field hospitals and triage tents around Wuhan in an attempt to admit and treat thousands of potential COVID-19 (as it would soon be called) patients. Of course, as we found out, no medical facility on the planet was prepared to take in that many patients at once.

Within a few months of the Wuhan outbreak, countries were scrambling to prepare for the pandemic by quickly constructing their own field hospitals to take in COVID-19 patients. Medical supplies, hardware, and personnel were hard to come by. As the virus wreaked havoc on societies and economies from China to Italy, New York would soon become the epicenter and still is as of this writing. 

Data Security and Compliance in Field Hospitals and Triage Tents

One problem with setting up field hospitals and triage tents that is often overlooked is the set of data security issues involved. Doctors and nurses around the world are in the tough predicament of providing care to as many patients as possible during a pandemic. Triage tents have been set up all over to screen and treat patients for COVID-19. Pop-up networks need to be deployed outside of healthcare facilities to send and receive electronic health records (EHR). At the same time, this has exposed healthcare companies to a myriad of compliance and data security issues.

Personal healthcare information (PHI) still needs to be handled with care since this type of data is a treasure trove for cybercriminals. Having the ability to secure data at rest and in motion on mobile devices has never been more critical since healthcare companies still need to comply with data protection laws, such as HIPAA and GDPR, regardless of the current circumstances. 

Medical staff during the peak of the pandemic (and hopefully the last wave) found themselves having to be in multiple places at once, treating as many patients in as little time as possible. This meant that mobile devices like smartphones and tablets became the primary way to send and receive PHI and EHR, especially in triage tents. But that doesn’t eliminate IT and security teams’ concerns over security and compliance.

How Can IT and Security Teams Adapt?

IT and security teams over the past few months have been working around the clock to provide medical staff the devices needed to register, track, and treat patients. Take one example where a patient has a particular allergy. Medical staff cannot treat a patient without knowing what types of drugs or antibiotics they are allergic to. This is why mobile devices that can quickly receive and send data are on the front lines for saving lives. However, that data needs to be encrypted at rest and in motion to comply with data protection laws like HIPAA and GDPR. 

Managed File Transfer for Mobile Devices

New methods for data security were needed to adapt to the current landscape and the “new normal” during the pandemic. Tools such as managed file transfer (MFT) need to include:

  • Password protection – The simplest form of authentication. This should be the first line of defense only.
  • End-to-end encryption – To ensure the highest standard of encryption for sensitive data at rest and in motion, as required under GDPR and HIPAA.
  • Multi-factor authentication (MFA) – To confirm that someone accessing a device is who they say they are, beyond the use of a password.
  • Automation – To increase the speed of data processing to insurance clearinghouses and to help IT meet service level agreements (SLAs).
  • Tamper-evident logging – The ability to report on who accessed which data and when, with safeguards in place to protect those logs from manipulation.
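The tamper-evident logging requirement above is the one most often implemented poorly. The following is an added illustration, not code from the article or from any Progress product, of one common design: each PHI access event is chained to the previous one by an HMAC, so that editing, deleting, or reordering any entry breaks verification at that point. The key, events, and patient identifiers are all constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed example key: in a real deployment it lives on the logging server (or an HSM), never on the devices that generate events.
LOG_KEY = b"example-log-key-not-for-production"
GENESIS = "0" * 64
FIELDS = ("user", "record_id", "action", "ts")

def _entry_mac(prev_mac: str, record: dict) -> str:
    """HMAC over the previous entry's MAC plus this entry's canonical JSON."""
    payload = json.dumps(record, sort_keys=True).encode()
    return hmac.new(LOG_KEY, prev_mac.encode() + payload, hashlib.sha256).hexdigest()

def append_event(log: list, user: str, record_id: str, action: str, ts: str) -> dict:
    """Append one PHI access event, chained to the entry before it."""
    prev_mac = log[-1]["mac"] if log else GENESIS
    record = {"user": user, "record_id": record_id, "action": action, "ts": ts}
    entry = dict(record, prev=prev_mac, mac=_entry_mac(prev_mac, record))
    log.append(entry)
    return entry

def verify_chain(log: list) -> tuple:
    """Return (True, None) if every link holds, else (False, index of first bad entry).
    Any edit, deletion or reordering breaks the chain at or before the affected entry."""
    prev_mac = GENESIS
    for i, entry in enumerate(log):
        record = {k: entry[k] for k in FIELDS}
        expected = _entry_mac(prev_mac, record)
        if entry["prev"] != prev_mac or not hmac.compare_digest(entry["mac"], expected):
            return False, i
        prev_mac = entry["mac"]
    return True, None

def build_sample_log() -> list:
    """Constructed sample: three access events from a triage tent."""
    log = []
    append_event(log, "nurse01", "pt-1042", "read", "2020-04-01T08:00:00Z")
    append_event(log, "dr02", "pt-1042", "update", "2020-04-01T08:05:00Z")
    append_event(log, "nurse01", "pt-1043", "read", "2020-04-01T08:09:00Z")
    return log

def tamper_demo() -> tuple:
    """Show that rewriting who accessed a record, and deleting an entry, are both caught."""
    edited = build_sample_log()
    edited[1]["user"] = "nurse01"        # attempt to attribute the update to someone else
    deleted = build_sample_log()
    del deleted[1]                       # attempt to hide the update entirely
    return verify_chain(build_sample_log()), verify_chain(edited), verify_chain(deleted)
```

Calling `tamper_demo()` returns `((True, None), (False, 1), (False, 1))`: the untouched log verifies, while both the edited and the truncated copies fail at the first entry whose link no longer holds. Because the MAC key is held only by the log server, a compromised device cannot recompute the chain after altering its own history.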

If you are an IT Security professional in the medical field, you will need to implement the highest standard of encryption and authentication. You will also need to back this up with tamper-evident logging in case there is a data breach or audit. But you also need to implement these security features in an environment teeming with mobile devices. With several mobile devices being used per patient bed, having this functionality on these mobile devices is business-critical. 

Selecting the Right MFT Solution

You will need to select a managed file transfer solution that provides all of the above. Gone are the days of do-it-yourself FTP server sprawl. FTP and ad hoc scripts create needless maintenance issues for IT staff and are frowned on by auditors. An MFT solution on mobile and standard devices that connects to protected servers, on-premises or in the cloud, is the most effective way of keeping PHI and EHR secure and compliant. It’s also going to be an inevitable part of the new normal this pandemic is leaving in its wake.

As an IT and security evangelist, Greg is the voice and face of Progress’ IT and Security brands. Having worked in information technology and on software development teams, Greg knows all too well the struggles IT teams face on a daily basis, and how today’s blight on cyber security adds to those challenges. That’s why he is passionate about developing content that educates, engages, and incites deeper critical thinking into the issues that affect IT teams today.
