Bring your own device: Convenience at a cost

Healthcare providers must balance the desire for work flexibility with creating an environment secure enough to protect sensitive patient data, but many hospitals are behind on security; only 46% have a security strategy regulating the use of mobile devices.

With more hospitals permitting clinicians to access electronic health records (EHRs) on their personal devices, privacy and security concerns need to be addressed. The Health Research Institute's report, "Old data learns new tricks: Managing patient security and privacy on a new data-sharing playground," begins to address some of these issues facing healthcare providers.

Patient health privacy concerns

Implications of privacy and security associated with mobile devices

  • Hospitals need an identity management approach that accounts for mobility across the organization. This includes a centralized, integrated, and comprehensive view of people, roles, and privileges for more accurate and efficient auditing and reporting and for continuous improvement of policies and controls.
  • Stage 2 of the government's "meaningful use" program calls for the encryption of data on end-user devices. Failure to comply starting in 2014 will mean the loss of incentive payments and, in 2015, penalties.
  • Hospitals must continue to communicate privacy and security policies and practices to consumers (see figure), especially as the desire to communicate with patients via email and text gains popularity among clinicians.
  • The costs of using personal devices may outweigh what hospitals save in hardware costs. One study found that supporting employee personal devices can cost companies 33% more.


PwC

For many people, mobile devices are an extension of themselves, so it’s not surprising that they have found their way into the workplace—including hospitals. Once there, they easily outshine employer-issued desktop computers or laptops, and soon clinicians have switched to their own devices instead. Recognizing the associated risks and admitting that attempts to stop the trend might be futile, many hospitals now permit employees to “bring your own device” (BYOD) to work.

Currently, 85% of hospitals support clinician use of personal devices at work.1 In 2013, expect a heightened focus on security as more employees “bring their own” and more sensitive data is made available on them.

Of the 502 breaches of protected health information reported to the Department of Health and Human Services Office of Civil Rights since September 2009, 71 involved portable electronic devices.2 Loss and theft are the top threats to the information stored on mobile devices. Viruses and other software attacks targeting smart phones and tablets rose by 273% in the first half of 2011 over the first half of 2010.3 Physicians and contractors who work in multiple hospitals might inadvertently spread viruses via their mobile devices among the hospitals they visit. And patients add another wild card: one study revealed that of the 76% of hospitals allowing visitor access to the Internet on their mobile devices, 58% lack password protection for that access, putting hospitals at risk for viruses.4

Hospitals must balance the desire for work flexibility with creating an environment secure enough to protect sensitive patient data. According to a recent PwC Health Research Institute survey, half of consumers agree that being able to access electronic health records (EHRs) using a mobile device would help their providers work together more effectively to coordinate their care, and one-third believe that doing so would result in a quicker response to their health questions.5 Also, 61% of consumers are willing to communicate with a clinician via email, and 91% who have done that were satisfied with the experience. Even so, consumers are not enthusiastic about physicians accessing their health information on a personal device, with nearly three-quarters saying they would be concerned about privacy.

Indeed, many hospitals are behind on security. Three-quarters of hospitals permit clinicians to access EHRs on their personal devices,6 but PwC’s Global Information Security Survey found that 46% have a security strategy governing the use of mobile devices.7 More than half of IT professionals say they’ve experienced employees circumventing or disengaging security features like passwords and key locks.8 Some hospitals give staff read-only access to sensitive data; others permit interaction with it to enhance work flexibility. The Department of Veterans Affairs’ program to make EHR data user-friendly on portable devices allows providers to access a limited amount of information: demographics, allergies, medications, and lab results. Soon the VA will expand access to more medical applications that require the input of patient data. The VA uses complex pass codes, locks inactive machines, tracks data, has remote wiping, and never stores patient data on the devices.9

Implications

  • Hospitals need an identity management approach that accounts for patient and employee mobility. This includes a centralized, integrated, and comprehensive view of people, roles, and privileges for more accurate and efficient auditing and reporting and for continuous improvement of policies and controls.
  • Stage two of the government’s “meaningful use” program calls for the encryption of data on end-user devices. Starting in 2014, failure to comply will mean the loss of incentive payments and, in 2015, penalties.
  • Hospitals must continue to communicate privacy and security policies and practices to consumers, especially as the desire to communicate with patients via email and text gains popularity among clinicians.
  • The costs of BYOD may outweigh what hospitals save in hardware costs. One study found that supporting employee personal devices can cost companies 33% more.10

Footnotes

1 Brian T. Horowitz, “BYOD Wins Over 85 Percent of Health Care IT Pros: Aruba,” Eweek.com, February 2, 2012; http://www.eweek.com/c/a/Health-Care-IT/BYOD-Wins-Over-85-Percent-of-Health-Care-Aruba-243541/.
2 “Breaches affecting 500 or more individuals,” US Department of Health and Human Services, http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html, accessed October 2012.
3 “Share of mobile malware increases by 273 percent,” G Data, September 13, 2011. http://www.gdatasoftware.com/information/security-labs/news/news-details/article/2342-share-of-mobile-malware-increa.html.
4 Ibid.
5 PwC Health Research Institute Consumer Survey, 2012.
6 David Raths, “The BYOD Revolution,” Healthcare Informatics, February 28, 2012; http://www.healthcare-informatics.com/article/byod-revolution?com_silverpop_iMA_page_visit_%2Farticle%2Fimaging-informatics-and-enterprise=1&com_silverpop_iMA_page_visit_%2Farticle%2Fbyod-revolution=1.
7 PwC Global State of Information Security Survey 2012.
8 Ponemon Institute Research Report: “Global Study on Mobility Risks,” http://www.websense.com/content/ponemon-institute-research-report-2012.aspx.
9 Stephen Spotswood, “Mobile Devices Make EHR Functionality More Portable for VA Clinicians,” U.S. Medicine, July 2012. http://www.usmedicine.com/articles/mobile-devices-make-ehr-functionality-more-portable-for-va-clinicians.html.
10 Rainer Enders, “BYOD Savings May be Lost by Security and Admin Costs,” SC Magazine, May 15, 2012; http://www.scmagazine.com/byod-savings-may-be-lost-by-security-and-admin-costs/article/241477/.

 

© 2012-2013 PricewaterhouseCoopers LLP, a Delaware limited liability partnership. All rights reserved. PwC refers to the United States member firm, and may sometimes refer to the PwC network. Each member firm is a separate legal entity. Please see www.pwc.com/structure for further details.