Personal mobile devices such as smartphones and tablet computers are becoming more popular among clinicians as they look for ways to improve their daily delivery of healthcare. These devices have increasingly powerful processors and larger storage capacities, which can be an asset when interacting with large image data sets. However, there are risks for organizations and individuals who use these devices if a device is lost or stolen while protected health information (PHI) is stored on it. A little preparation by an organization before a loss occurs can limit the scope of the damage, or at least provide a starting place for recovering from the initial shock of the event.
The Centers for Medicare and Medicaid Services offers extensive information about how to handle the various types of data losses that are considered reportable. Its incident handling procedure document provides definitions and descriptions of each type of data breach. Once the possible situations are understood, organizations can begin preparing accordingly.
Depending on your organization’s IT infrastructure and policies, handling the loss or breach of these devices may already be a part of your emergency plan of action. However, if you are a smaller facility, for example a critical access hospital or an outpatient imaging center, there might not be as much technical support for employees who use these types of devices. There are some very good resources freely available from the Center for Internet Security, which offers step-by-step guidance for configuring the security settings of a wide variety of devices, including those that run the iOS or Android operating systems. These security benchmarks are updated regularly as newer versions of the software are released.
Another suggestion to make a data breach more manageable is to create an inventory of the personal devices that interact with your clinical networks and/or PHI. This should include each device's serial number, operating system version, and what type of PHI, if any, permanently resides on the device. Optimally, no patient data should be stored on a device; rather, the device should be used only to access information held on secure, encrypted servers. Be sure to keep this list in a safe location that can be accessed by the staff responsible for the organized response.
There are many steps an organization must take to ensure that the devices that interact with PHI are secure. Any preparation completed before a data breach occurs will take some of the chaos out of the response. Collecting basic data about the devices used at your facility is an early, relatively painless step that can contribute to a successful resolution of the event.