Part 1 of a cybersecurity series on iMedicalApps
While it is tempting for a busy physician who takes a short lunch break at a local coffee shop that has free Wi-Fi Internet service to send an unsecured email to his staff to adjust a patient’s medication, that would probably violate the HIPAA Privacy and Security Rules. That in turn would open him, and his employer, up to a large fine and the risk of having the practice’s computer network compromised by hackers.
Using an unsecured wireless network is a hard temptation to resist for physicians and business executives who spend a lot of time in airports, hotel rooms, or at Wi-Fi-equipped cafés; but the risk of malware infection or interception of a message that contains protected health information (PHI) by an unauthorized third party is very real. PHI is specifically regulated by HIPAA rules and those rules mandate that clinicians make a reasonable effort to keep it safe and secure.
If a physician can get onto a Wi-Fi network in a public place, so can anyone. Without certain precautions, other users of that public Wi-Fi network can often reach your mobile device and open, view, and download the information on it.
There are several ways to avoid the pitfalls of sending PHI over a public Wi-Fi system. Frankly, the best way is never to use public Wi-Fi at all. Alternatively, if your healthcare organization has an EMR system that’s accessed through a Citrix app, use that to establish a secure tunnel. By way of example, the Department of Pediatrics at the University of Texas Medical Branch outlines its procedure for accessing its Epic electronic health records system through a Citrix Receiver app.
In a small medical practice with a limited IT budget, that may not be an option, in which case using a virtual private network (VPN) should be considered. The Department of Health and Human Services recommends using a VPN because it encrypts sensitive information that is sent or received. Several vendors offer VPN services, so there is no need to set up the network from the ground up, which is complicated. The next installment in this series will discuss VPNs and other options for small practices.
As I explain in Protecting Patient Information, VPNs are only part of the solution. Clinicians should have the data on mobile devices themselves encrypted. Installment 3 in this series will go into more detail on encrypting laptops and other mobile devices. There are numerous examples of unencrypted laptops being stolen, resulting in very large fines for the hospital or practice responsible for the PHI. In fact, so many healthcare organizations have been cited for exposing PHI that there is an official web page, called the “Breach Portal: Notice to the Secretary of HHS Breach of Unsecured Protected Health Information” that lists over 1,000 HIPAA violations. This so-called “Wall of Shame” is not a place you want to see your organization’s name.