Worth the Risk? Bringing Disease into Hospitals via Mobile Devices
Mobile devices have the potential to optimize healthcare delivery by bringing the patient record to the point of service. Unfortunately, most consumer mobile devices do not inherently have the level of security needed to comply with HIPAA standards. Additionally, mobile devices are breeding grounds for different diseases. While data security is an important issue for all environments, biosecurity is unique to the healthcare environment and carries severe consequences for hospitals. This research note will:
- Define the biosecurity issue and why IT should care.
- Explain how other sectors have dealt with the IT security issues.
- Determine a strategy that IT can use as part of mobile device management policy.
Mobile device use in hospitals needs a strong set of controls that can be linked to hospital infectious disease. IT can use this as a basis for the adoption of underlying data security protocols.
Data security has shared principles between industries.
Smartphones and tablet computers represent the next wave of technological innovation in healthcare. They have the potential to bring healthcare data to healthcare professionals wherever they’re in need of information. The potential for increased efficiency is exemplified by visualization of past patient images (e.g. x-ray, MRI, CT-scans) and test results while in consultation with patients and colleagues. This anywhere, anytime access comes with a risk: in order to have constant access, security protocols must be relaxed, or the device must be uniquely identified on the network. This is not unlike the challenge that many industries face (see Manage the Invasion of Consumer Technology for more information). The key is to remember the needs of end users:
- Doctors need access to all data, so restricting parts of the records is not an option.
- Nurses need to update records on-the-fly.
Mobile Devices Are Here to Stay
The risk from mobile devices is the storage of highly confidential data on an easy-to-lose medium. The excitement for these devices comes from their ability to view data and modify the central record on the go. The management of these issues is very similar to the strategy behind many enterprises’ bring-your-own-computer scenarios, and is already part of the unique end-user IDs required to access patient records.
Consumer mobile devices can be locked out of the internal network as a whole, but many portions of the hospital records can be accessed through Web portals. This negates using network or data access as a possible control point for keeping mobile devices out of the hospital. Since most doctors have secondary practices they need to connect with while out of the office, they will bring their mobile devices into the hospital. Pragmatically, these devices will be physically within the facility, and attempting to ban their use will antagonize the end user, but won’t stop their use.
Other Considerations for Mobile Device Policy
The hospital has other reasons to retain some control over mobile devices. One of the most serious from a liability standpoint is health & safety. The rate of hospital-based bacterial infections in Canada has increased ten times in the last ten years (see “Surveillance for Methicillin-Resistant Staphylococcus aureus in Canadian Hospitals”) with similar rates reported in the US and Europe. This trend is disturbing since healthcare providers appear to be a major source of infection in the hospital due in part to limited hand-washing between patient interactions.
While hand washing is the single best way to reduce these infections, there is another source of possible infections that is emerging: the cellphone. In studies performed in the United States, Scotland, France, and the Netherlands, approximately 80% of cellphones tested (iPhone, BlackBerry, etc.) contained bacteria capable of causing human infections. Of these infectious bacteria, 20% were from deadly sub-families (MRSA, VRE, etc.). Infection can also be extended to tablet computers (iPad, Samsung Galaxy, etc.). This means that even if doctors wash their hands before seeing each patient, and then use their phone or tablet to view the next patient’s records, they are potentially re-infecting themselves and the patient. The problem of infection control is complicated by hospital visitors and patients who bring their mobile devices from outside hospital facilities, adding to the potential sources of contamination.
While this issue is purely in health & safety’s domain, there is the possibility of designing a solution that is pragmatic and addresses the liability of the entire hospital.
Use health & safety issues to define acceptable mobile use policies.
It is not possible to ban mobile devices from hospital facilities. The key is to select areas of the hospital in which it would be unwise to have mobile devices. This can be from the biosafety standpoint or a data security standpoint, e.g. areas with a large number of visitors or highly compromised patients. These areas should have resident devices, such as tablets that either are hardened with antibacterial coatings or can be sanitized according to hospital regulations. These areas should also be off-limits to non-resident devices from a network access standpoint. This will drive end users to the resident devices, thereby limiting the number of devices accessing patient data, and the points of contamination.
- IT and health & safety should jointly design policy to minimize resistance to the extra cost and end-user protests.
- The board should be made aware of the liability issues surrounding information security and biosafety concerns, so compliance comes from the top.
- Healthcare workers should be made aware of their liability and how the use of resident devices in high-risk areas reduces this liability.
- Place signs, hand sanitizer, and antibacterial wipes at all network access points to remind all end users of the need to wash hands and regularly wipe down mobile devices.
- Wherever possible, limit the access to hospital resources from outside of the hospital firewall.
Mobile devices can compromise biosecurity and information security; however, they are here to stay in healthcare. Management of biosecurity risks can be used as a carrot and stick for hospital IT security compliance. Design hospital policies that define high-risk areas and then use technical and biosafety barriers to protect them.