By Denis O’Shea, founder of Mobile Mentor
I was recently at a dinner party with a physician friend. Partway through the meal, he received a text message regarding a pressing patient situation. He briefly excused himself to address the text. When he returned, I jokingly asked whether he was using a HIPAA-compliant secure app to communicate with his team. He laughed and showed me his device screen, which had a long text conversation on iMessage.
There are two major issues with how this scenario played out. The first and foremost is that the data was relayed on an unsecured app on an unmanaged personal device. Cybercriminals are becoming more sophisticated each day, and they certainly make no exception for data that is supposed to be HIPAA compliant.
The second issue is that the physician didn't seem to think this was a big deal. With physicians so busy all over the country, it makes you wonder how much non-HIPAA-compliant healthcare data is being transmitted every day.
There is often a fundamental break in communication between IT leaders and physicians. Many hospitals and clinics have done the legwork to put secure clinical communications apps in place, but often those solutions simply aren't being adopted, and iMessage or WhatsApp prevails.
We often see two risky scenarios play out with physicians. Should these scenarios be explained clearly and consistently by IT leaders, physicians would likely take note and subsequently, take further action to secure patient data.
The first, very common scenario we see is that somebody (in this case a physician) uses the same Apple ID on their personal phone and on a shared family iPad or iMac. Both devices sync to the same iMessage account, which is the one used for sending and receiving confidential medical data. Conversations the physician is having with staff about a patient therefore appear not only on the physician's phone but also on the family iPad.
Most physicians use a personal device for both professional and personal communication. Who can blame them? No one likes carting around multiple devices. But in many cases, these personal devices are neither managed nor secured.
The larger problem arrives when they go to the App Store and download a public app like Teams or Outlook using their personal Apple ID. Now they have an unmanaged app on an unmanaged device that may or may not already carry malware or spyware. Of course, the next thing doctors do is sign in with their sacred work credentials. If that password is compromised, the healthcare provider is exposed to a breach.
It's important that we, as IT professionals, recognize personal devices as work devices. More so, it is imperative that we communicate the risks of work use on personal devices clearly to physicians.
To set your group up for success, consider the following steps when developing a plan to secure your clinical workers' devices.
- Create a policy that balances security and privacy.
Securing data is critical to the organization at large, but end-users' focus is typically centered on privacy when it comes to device management. A carefully crafted policy that addresses security and privacy as two sides of the same coin will set you on the right path.
- Implement the right technology.
Research and select the modern device management technology that best meets your organization's needs. Ensure whatever tool you select is able to manage work-related apps like Outlook and Teams without having to manage the employee's device.
- Communicate, communicate, communicate.
Communication is key when bringing about any kind of major change. Constant transparency into your progress on your device management journey will put your end-users' minds at ease and set the expectation that change is coming.
- Set up a support infrastructure.
As with any rollout, your end-users will need support when things don't go to plan. With clinical workers, those support needs can be especially critical and time sensitive. Patient safety demands the vast majority of their attention, so when they need support, they will expect clinical-grade response times and support SLAs.
If physicians are given secure solutions that are not cumbersome to use and don't intrude on their personal privacy, we find that they are very receptive. In the situation with my physician friend at the dinner party, if he had been aware of the risk and had the option of using a secure app, I'm certain he would have chosen the secure app rather than iMessage.
Patients have entrusted their most personal information to their providers. It's time that IT leaders and physicians band together to ensure that trust is not broken.
Denis O’Shea is founder of Mobile Mentor, a global leader in the endpoint ecosystem, helping clients to navigate the right balance between security and employee experience. More information is available at www.mobile-mentor.com.