Eight-in-10 Latin American (LATAM) hospital leaders and clinicians who participated in Zebra’s latest Healthcare Vision Study confirmed that the pandemic accelerated their use of technology. And the use of electronic medical records (EMR) has been steadily on the rise here in the region for years, in part due to regulations such as GDPR that dictate how sensitive health data can be captured, shared and used. As of 2020, there was around 80% penetration in Brazil, Chile and Colombia. This is great news, as the EMR – when paired with the right mobility solution – makes it easier to deliver quality patient care. Doctors, nurses and other staff can immediately retrieve and review a patient’s medical history at the bedside so they can make the right decisions when trying to diagnose or treat both acute and non-acute issues. The patient doesn’t have to remember every medication they’ve ever taken or the results of past lab work and imaging. All the data is right there on the screen in front of the care team member currently attending to the patient.
Even radiologists, lab technicians, pharmacists and non-clinical staff will see a huge jump in their efficiency, accuracy, productivity and overall impact on patients. They will be able to positively ID patients at every encounter and know exactly how they need to assist. They can retrieve orders quickly, report diagnostic test results back faster, and be confident they’re administering the right medication at the right dose to the right person at the right time via the right mechanism. Nine-in-10 LATAM hospital leaders strongly agree technology helps prevent and reduce medical errors and that real-time data is essential to optimal patient care. Clinicians especially agree with the latter sentiment.
But these positive changes don’t come without some risks, patient privacy among the most notable.
Did you know that most hospital staff in Latin America still use their personal mobile devices at work? Or at least it sure seems that way. Zebra’s vision study showed nearly half of hospital leaders allow employees to bring and use their smartphones and tablets while at work, and 36% more say they’ll give employees the option in the next year.
That means my health records – and yours – are at risk of being exposed every day because hospitals have no way of fully locking down the millions of personal devices being used by healthcare professionals to capture, share and access the data in those records. Work profiles can offer some level of “containment” when personal devices are used to log in to business systems, such as the EMR. However, IT teams don’t have any control over who accesses those devices. A spouse, child or friend might have the password to the clinician’s phone, technically enabling them to get into healthcare information systems and access our sensitive data. And not all hospital policies require employees to encrypt or lock down their personal devices, even when work profiles are used.
This is concerning for three main reasons:
1. Telehealth is on the rise, which means mobile technologies are being used more than ever for patient care. Devices are also being used in more public places. It’s not like the doctor or nurse is always sitting in a room alone having a private conversation with you. If they’re at home, friends and family may be able to look over their shoulders or see what’s on the screen. Even at clinics and hospitals, they may be sitting in a communal space handling these appointments, so the same access risks apply. Or, if they’re in a private space and have the door closed when they’re in the appointment, what happens when they get up to take a break? Do they always lock their device when it’s not actively used?
2. People’s personal health data is more valuable to others than one might realize. Some people believe that cyber criminals targeting healthcare information systems are trying to take them offline to disrupt service – and they could be. However, we know some cyber criminals are simply trying to steal information that could result in a financial payout via blackmail, ransoms, and more. In fact, most hacking incidents that happen in Latin America are targeted at the healthcare sector, with some claiming smartphone applications and unsecure mobile solutions are contributing to the issue. In addition, Latin American healthcare systems experienced a 112% increase in ransomware attacks in just three months’ time at the end of 2020. We can’t make it easy for these criminals to succeed. But we are doing just that if we continue to let doctors and nurses and other staff access patient records on their personal devices.
3. Many healthcare systems that tell staff, “You can ‘bring your own device’ (BYOD) to work,” don’t have formal BYOD security measures or privacy policies in place. Some may not have the IT resources to develop and enforce the type of BYOD compliance program that could provide some level of confidence in mobile data security and patient privacy. Therefore, they just trust that workers are protecting patient data. But trust is eroding among the public, especially as more data is captured – and hacked.
Healthcare providers must act immediately to ensure they are not inadvertently compromising patient safety or security for the sake of making healthcare more accessible via technology.
Don’t Let “Laws” Be the Decision Driver
Countries such as Chile have constitutional mandates stating that “only those directly involved with the patient's healthcare may have access to their medical record.” And that’s great to hear. But if we wait until every country has a similar law – and the resources to enforce it – then we’ll be waiting for years. We must do something differently now.
For most healthcare systems, that means committing to clinical mobility solutions that give them total control over devices and the data captured, stored, and shared on them. I realize when you have a lean team and even leaner budgets that it may seem impossible to take on such a big initiative. But what’s the alternative? Continue to put your patients and, therefore, your operational health at risk? If a cyber criminal manages to get into patient records through a doctor’s email account that’s accessed on a personal smartphone, the cost to resecure those systems or pay reparations to the people affected will likely exceed the cost of implementing a clinical mobility solution. And that’s just comparing the cost of a single near-term incident against the cost of a long-term preventative solution.
Why Owning Your Own Devices Is a Smarter Data Security and Patient Privacy Strategy
Corporate-owned clinical mobility solutions can give you total control over the “people, policy and technology” factors that affect data security and patient privacy. That’s what sets them apart from personally owned devices that may or may not be corporate managed in some capacity.
Unlike personal devices, you can dictate what both clinical and non-clinical staff do with their corporate-owned mobile computers – even if they are allowed to take them home.
For example, you’ll be able to define access to healthcare systems based on each device user’s role and use a single sign-on (SSO) solution to enforce it. You’ll also be able to limit what they can and can’t do with devices connected to business email or information systems, including the EMR or those used for telehealth, staff communications, and remote patient monitoring. For example, you can restrict social media or personal apps and even install an Enterprise Browser to control the websites they’re allowed to access on the device. You’ll also be able to lock down wireless network access so they don’t accidentally connect to an insecure network that could make them – and patient data – vulnerable.
Another benefit of giving all staff corporate-owned devices is that you don’t have to give all staff their own device. For example, clinicians who travel between facilities or support patients in rural, remote or telehealth care programs may need to always keep a corporate-owned device on them. But nurses don’t need to take a mobile device connected to the EMR or other healthcare systems home every day. Neither do porters, laundry staff, pharmacists, lab technicians, radiologists, or administrative staff. Yes, they need secure mobile devices to do their jobs when they’re on the clock, but they may not need to log in to email or any business systems when they leave to go home.
In other words, just because every member of your staff has around-the-clock access to healthcare information systems or business systems today on their mobile devices doesn’t mean they actually need it.
In fact, if you revoke access on personal devices and require most of your staff to use corporate-owned devices from a shared fleet (only while on the clock), you can reduce…
- your risk of cyberattacks. Limiting how many staff members can access data-rich healthcare systems, and when and where they can access them, means there are fewer opportunities for a bad actor to try to sneak in. Plus, if a device goes missing within the four walls, you may be able to use a Virtual Tether tool or Bluetooth Low Energy technology to locate it before someone finds it and steals it. And if someone tries to walk out of the building with the device, an alarm can sound. So, there are cyber-physical benefits to enterprise-grade clinical mobility solutions that simply aren’t attainable with consumer devices. When the device isn’t in use, it can be locked away in an Intelligent Cabinet.
- patient doubt. They can see that you’re taking measures to protect their sensitive data. When they come into the clinic or hospital and see that staff are using healthcare-grade mobile devices that can only be accessed with a badge swipe, biometrics, or other secure authentication method, that helps build trust.
- your capex and opex obligation. You won’t have to buy, secure or manage as many devices overall to fully equip your workforce with the tools they need to provide quality patient care in a data-driven, digitally enabled healthcare model. That means you and your team can become more technologically dependent without overwhelming IT teams or breaking the bank.
- inefficiencies among front-line workers. Using just enterprise apps, you can reduce distractions and control access to personal apps so clinicians’ attention remains on patients.
Quite honestly, IT teams will likely find it easier to take ownership of a full fleet of clinical mobility devices versus trying to manage a BYOD setup. They can develop software and apps once and then deploy in one fell swoop across the entire fleet. They can also manage device, software, and network security updates consistently. They won’t have to keep up with what’s needed for 10 different types of devices on any given day, many of which may be old and out of security support. Plus, standardizing your entire workforce on a single enterprise-grade operating system (OS) makes it possible to automate solution monitoring and management, to include security monitoring and management. For example, if all your workers are using Android mobile computers or tablets from Zebra, and they’re running at least Android™ 11, automatic security patches can be pushed via LifeGuard for Android, which we like to call “your lifetime security guard.”
Put Yourself in Each Patient’s Position
We know patients want more visibility into their treatment plans and more control over their care because those are things we want personally as patients. And there’s no question that digital technologies like the EMR and mobile devices are key enablers of such personalized healthcare. However, if we’re compromising patient privacy and safety – or staff privacy and safety, for that matter – are we really helping anyone?
Don’t assume that just because it’s faster to digitalize healthcare with a BYOD strategy that it’s better for patients or staff. Doctors and nurses don’t want to be the reason patient information is stolen. Yet, we know it’s a minefield for IT to monitor, manage and secure consumer devices – especially when there are so many different OS platforms and versions to account for. Device or application certifications may expire, and there may not be a good way to track and lock down a staff member’s personal device should it be reported missing or stolen. In fact, that report may be delayed, making it even more difficult to mitigate a cyberattack that could compromise sensitive patient data.
My point is this: if someone is telling you that it’s time to get a true clinical mobility solution online and in the hands of your doctors and nurses, you should listen. Don’t start listing reasons why that’s not feasible or necessary right now. It is both feasible and necessary, if only for the sake of data security. (Though there are many other reasons we could spend all day talking about.) In fact, it’s vital that any staff member who needs to use technology to do their jobs be equipped with a corporate-owned mobile device built for healthcare environments, including administrative and other non-clinical staff.
You have both compliance and patient obligations. If you only transition half of your operation to a corporate-owned mobility solution, you will only reduce the data security risks by 50%. There will be vulnerabilities anytime the other staff members log onto an unsecure consumer device, public network or unauthorized app. You need to be in a position where you can say, “I’ve done everything possible to secure data and protect patient and staff privacy” as technology use becomes more prevalent.
You also need to be in a position where it’s not a heavy lift to lock down any additional technology platforms that you may sync with the clinical mobility solution in the future. If you add a new workflow app, migrate to a new EMR, add a dynamic communication and collaboration tool, integrate with real-time locationing systems, or connect with digital health monitoring equipment, the data accessed or shared via the mobile device should remain secure.
Consider the Risks versus Rewards
I realize that even if you’re trusting what I say to be true, you’ll likely need to verify. So, let me share a third-party study that I think is particularly telling of the risks of BYOD in healthcare environments. This excerpt really drives two of my points home:
‘One of the primary reasons for health care data breaches is BYOD itself. Hospitals may have little or no control over the security of their employees’ personal mobile devices, which may contain sensitive organizational data such as patient information. Hospitals also do not have any control over a user’s nonwork-related activity on their BYOD device, as ownership lies with the employee. In addition, health care IoT devices such as personal wearables are growing at an exponential rate, and with each device added to the hospital network, the chance of breach increases. Furthermore, given the highly regulated nature of the health care industry, which enforces strict measures to protect patient information, health care organizations face a heavy task of compliance with health data protection laws [17-19]. In short, BYOD security is “one of the biggest headaches for healthcare IT management”.’