Not if certain measures are taken. Let’s talk about what those are.
With a growing number of cyberattacks leaving healthcare systems around the world in “critical condition” and struggling to recover, some people have asked whether clinicians’ increased reliance on mobile devices poses additional risks.
To that I say, “It depends.”
Are you doing everything you can to lock down your devices, secure the apps running on those devices, secure the network they’re connected to, and secure the business and information systems those mobile devices and apps are interacting with as clinicians transmit and retrieve data?
If you are, then you have significantly reduced the risk of those devices being a point of vulnerability.
However, if you aren’t proactively managing every device, every piece of software running on that device, every network and system they’re connecting to, then you could absolutely make the argument that more technology introduces more risk.
That said, if your clinicians are using clinical devices loaded with enterprise-grade software, and they’re only connecting to enterprise-grade business systems that were built with the data sensitivities and security needs of healthcare systems in mind, you’re going to have the tools you need to mitigate the risks of becoming a victim.
In other words, data security concerns shouldn’t be a deterrent from using any specific type of technology. You just need to consider two things:
If you are being meticulous in that mobile technology evaluation, then the reward of letting clinicians (and even non-clinical staff) use workforce collaboration apps in healthcare settings far outweighs the risk, which has been minimized.
Care team members must be able to consult with one another from a distance and coordinate patient movements, equipment use, and room turnover with other departments. They must also be able to share and access information without having to put forth much effort, as the focus must remain on patients. So, just commit to choosing a mobile collaboration app that enables those communications in the most secure way possible.
I want you to feel completely comfortable when committing to this type of investment and when making your specific technology selections. That’s why I spoke with some security experts who understand the sensitivities of data and communications in healthcare to get some advice I could pass along to you. Here’s what they collectively shared with me:
Q: In a recent Zebra Healthcare Vision Study, the majority of hospital executives said they plan to give mobile devices to all staff types in the next few years, as there’s consensus that the quality of patient care would improve if nurses, clinicians and non-clinical healthcare workers had collaboration tools and healthcare applications.
However, we know mobile devices are viewed as easy targets by cybercriminals, making it that much more important for hospitals to think about how they will manage security. Are there some high-level best practices they should consider?
A: Any device or network used to capture, store, transmit or access sensitive personal information must be kept secure and comply with local data privacy regulations to protect patient records. In the U.S., this would be the Health Insurance Portability and Accountability Act of 1996, or HIPAA.
Therefore, all technology deployments in hospitals require the implementation and enforcement of strict security policies. Healthcare providers should be creating various layers of defense mechanisms to protect themselves from vulnerabilities and cyberattacks.
Q: What should they do to create those defense layers, even at a high level?
A: First, you must ensure both wired and wireless networks are appropriately secured and actively updating to the latest technologies. This means security patches and software updates must be pushed regularly. As a best practice, hospitals and other healthcare service providers should institute proactive monitoring and intrusion detection systems and perform regular assessments. Vulnerabilities should be corrected as soon as they’re identified.
It’s important to then ensure endpoints such as fixed and mobile devices are receiving the latest security updates provided by firmware and operating system (OS) vendors.
Mobile operating systems such as Android and iOS do not support enterprise multiusers like desktop operating systems such as Windows and Linux do. Yet, most of the healthcare providers using Zebra Android devices as shared devices are allowing staff to log in with the same passcode on all devices to make it easy to hand off from one person to the next during shifts. Instead, healthcare organizations should adopt single sign-on (SSO) solutions like the one from Imprivata to support multiple users, profiles, and roles.
Remember, securing devices and making the user experience frictionless is as important to employee productivity as it is key to keeping information secure and protected. SSO tools help ensure all software solutions and mobile applications are integrated with identity providers such as Ping or Okta and leverage two-factor authentication and directory services for proper access control and authorization. From there, organizations can then use Near Field Communication (NFC)-powered ID cards to provide frictionless access to those devices with biometrics.
Q: What can be done to protect more casual conversations between healthcare providers? With push-to-talk communication solutions replacing old-school paging systems and instant messaging on the rise among care team members, how can staff ensure patient information isn’t accidentally overheard or seen by others in the vicinity?
A: Due to the social revolution and various free collaboration tools available in the marketplace, healthcare organizations are seeing the need to equip mobile devices used for patient care with enterprise-grade collaboration tools that can address – and reduce – many of these risks.
As you noted, there is a lot of employee collaboration occurring within the hospital network among both clinical and non-clinical staff. They’re sharing medical records and discharge papers, collecting patient data, coordinating facility turnover and schedules, and managing staff rosters and schedules – all of which contain sensitive information.
Most of the collaboration tools available today offer various communication modalities, including telephony with voice extension, push-to-talk (PTT), secure messaging and locating of people and assets. Most healthcare professionals prefer to use secure messaging for patient data and make voice calls in headset mode to keep the conversations private and prevent physical eavesdropping.
With that in mind, it’s important for decision-makers to choose voice collaboration solutions that can integrate with the local PBX in the hospital network and leverage secure RTP protocols. This will keep voice payload encrypted and further protect from eavesdropping. For example, there are communication tools that offer secure transmission of PTT sessions to prevent eavesdropping between the endpoints.
It’s also critical to look at the security of messaging solutions. Choose one that offers various levels of access controls. This will allow you to limit application logins to authorized parties only. Just confirm the messaging solution also encrypts data during transit and when at rest in servers.
Something else to consider is how you will protect all data elements before, during and after the user’s mobile device session. Of course, assigning permissions for device, data or application access based on role entitlement is necessary. A bedside nurse will probably have access to certain apps that other healthcare professionals may not have access to. But when that charge nurse signs off, how do you ensure the next person who picks up that shared mobile device doesn’t accidentally see those high-permission apps or the previous user’s history? It’s critical you choose communication and collaboration tools that enable you to clear the cache and secure patient data and user credentials after each use.
Q: What else do hospital administrators, IT professionals, and even device users need to think about when introducing collaboration apps into the mix, from a security perspective?
A: They must ensure the network firewalls (IDS) are in place to protect against external threats, and always push the latest security updates to devices to protect from cyberattacks coming from outside those networks. IT teams should also enforce proper access controls based on the roles and profiles of the users and protect identities with SSO or even identity protection systems with two-factor authentication. This will require some validation and careful monitoring over time.
And device users – hospital staff – should think about the information being provided or requested before taking action. Ask yourself, why am I being asked for this data? Is the data relevant to the task at hand? If someone else gets this data, would it be harmful? These questions are intended to raise awareness of one’s environment, especially when the data is being transmitted via electronic devices and applications.
Q: Let’s talk safety of patients and staff. We know communication is key to improving response times when a medical event occurs, whether the patient is at home and EMTs need to respond or they’re in a hospital room and need a nurse or doctor to intervene. What can a collaboration app offer in these situations? How does the experience differ from more traditional dispatch, voice calling or alerting systems?
A: In healthcare, mobile collaboration tools are addressing several different use cases in the context of safety. For example, acute care nurses can have a telephone extension on the mobile device via the app to pick up calls coming into their departments while on the move. Without this, calls about urgent patient needs could be missed, or a nurse who would otherwise be more valuable at the bedside might have to sit by the phone at the nurse’s station in case a call comes in. With enterprise-grade collaboration solutions, specifically, hospitalized patients can push a button on the bed to communicate with nurses for any care-related information. Again, the nurse can interact with that patient while making rounds using the collaboration app.
Healthcare professionals are also using enterprise-level secure messaging, voice communications and user locating features found within these apps to collaborate better across distances, which is key to improving patient care. This is true in hospitals and on the front lines, where EMTs and non-acute care healthcare workers are using two-way radios or PTT solutions to communicate and coordinate care actions.
Mobile devices built for healthcare environments also have duress buttons on the back. When the button is long pressed, then the collaboration app can route voice calls, PTT calls and/or messages to hospital security or emergency services. This is beneficial when a user needs help with aggressively behaved patients. There is also a drop detection feature that could automatically call for help if the app senses a device was dropped and not picked up. It could indicate the user fell and needs assistance.
Healthcare providers are also using telehealth solutions in non-acute care scenarios and offering remote monitoring solutions with software/hardware solutions to track health records like heart rates, blood pressure and blood glucose levels. All of this can be integrated into enterprise collaboration and communication platforms to aid with patient or care team communications and inform decisions.
For more routine, automated workflows, the communications capabilities of workforce collaboration solutions are targeted for the task at hand. For example, users can initiate a PTT session to signal responders for a “code” event, follow up with text, and then escalate if required.
Fundamentally, the integration of various communication mechanisms such as the telephone, PTT, messaging, alerting, and task management with existing and future backend systems allows for efficient, seamless interoperability of the applications, tools and devices necessary for patient care and provider safety. That is, assuming they’re married with a versatile user/role management system protected by secure authentication.
Q: We know workflow automation is a top priority in the next year or two for hospital administrators. So, can you talk about how workforce collaboration tools can support that ambition?
A: Imagine an EMT starting patient admission before arriving at the emergency room. A dynamic group chat could be created with patient details to admit the patient and automatically assign doctors, nurses and other support staff based on who is currently available or has bandwidth to take new patients in the shift. This dynamic group chat/feed will continue to provide updates to everyone in the group until the patient is discharged from the hospital.
Collaboration tools can also be integrated into hospital systems and nurse calling systems to monitor the health of the patients with real-time metrics and automated alerts. They can use what we call IFTTT logic to automatically dial/text everyone who needs to attend to patients in emergency situations.
What many of our customers like is the ability to use collaboration tools to locate assets like IV pumps, ventilators and other medical equipment in facilities. It improves utilization. Even patient locations can be tracked, which is helpful when it comes time to process patient discharge paperwork.
Q: Are there any other capabilities IT teams and tech buyers should consider when selecting workforce collaboration toolsets and deciding which apps to authorize?
A: Compliance is important, of course, as well as integration with existing infrastructure like Wi-Fi and PBXs. Also think about voice quality. Enterprise-grade tools should provide jitter and noise cancellation capabilities, and support voice roaming via multiple Wi-Fi access points.
There is a lot of good guidance in these posts about the right things to think about and the questions to ask when buying mobile technology for enterprise environments (which includes healthcare given our data security needs):
What questions should you be asking mobile device manufacturers about security in your solicitations? And what are Zebra’s responses to these questions? We ask a mobile security expert to weigh in on both.
Ask the Expert: “Which Mobile Devices are More Secure: Android™ or iOS?”
There are rumors swirling that Android mobile devices aren’t as secure as iOS mobile devices. Let’s get the facts from an enterprise mobility expert and engineering fellow whose primary job is to design secure devices.
With Cyberattacks on the Rise, Security Strategies Must Change. Here’s What You Should Be Doing Now.
Zebra’s Chief Security Officer explains how you can “Do Your Part and #BeCyberSmart” in this age of constant threats.
Also, if you want to learn more about how workforce collaboration tools can help your healthcare teams, you may want to start here.