Part 2 of a cybersecurity series
In part one of this series, I discussed the risks involved when a clinician uses a public Wi-Fi connection to send sensitive patient information to others. Many practitioners have a safer option if they work for a healthcare system that uses a mobile app like Citrix Receiver. That provides a secure tunnel that lets clinicians send information from a smartphone, tablet, or laptop to an electronic health record system located elsewhere. But not everyone has access to Citrix applications.
In smaller practices with limited finances, other options to consider are a standalone virtual private network (VPN) [1], an encrypted cellular service, and Google’s BAA-covered Gmail, Drive, and Docs. A VPN will encrypt data as it is sent across a Wi-Fi connection, but setting up one of these networks can be quite complicated for someone without advanced training in information technology. A much less painful option is using a commercially available VPN vendor. PCWorld and Lifehacker both offer recommendations on viable candidates.
Linking one’s smartphone to a laptop is another way to make the transmission of protected health information (PHI) more secure, assuming the smartphone is encrypted. For example, on Apple’s iPhone, it is possible to set up a personal hotspot that tethers a laptop or tablet to the phone’s wireless Internet service. Of course, it is also important to encrypt the phone itself with a passcode and to update its operating system regularly.
Google has also set up several of its apps to make transmitting PHI more secure on the Internet. The company offers a subset of core services that are HIPAA-compliant, including Gmail, Google Drive (including Docs, Sheets, Slides, and Forms), Google Calendar, Google Sites, and Google Apps Vault. Users are required to sign a business associate agreement with Google and follow a set of requirements spelled out by the company on its website [2]. The HIPAA-compliant versions of these apps are only available through Google’s “Apps for Work” subscription service, which involves a nominal fee. In the future we’ll go into the details of Google’s HIPAA offerings for smaller medical practices.