Technology is only as effective as the security measures that support it
What comes to mind when you think about security? Locks, alarms, uniformed guards, or a wireless home monitoring system? When most of us think about security, we tend to consider “physical security” – or the protection of a building and the “stuff” (property and equipment) therein. If you work in health IT, your consideration of security is much broader. IT teams must consider precautions far beyond these countermeasures when trying to secure IT systems and applications.
Have you established policies that define and govern security practices?
IT departments must establish comprehensive security policies to ensure intended outcomes. This is particularly important in healthcare environments, where the effectiveness and efficiency of security practices can be critical to patient care and safety.
For instance, workflows that support the use of secure messaging can substantially increase communication efficiency and security—yet they can do quite the opposite if the security practices in place aren’t carefully developed and governed.
Let’s explore ten key policies and procedures that hospitals should consider when implementing a secure messaging application.
1. User eligibility and devices
Define which users are eligible to access the secure messaging solution, and on what devices. From patient floors to the lab to transport, who uses secure pagers, Wi-Fi phones, smartphones, or other devices?
2. Expense allocation
Who pays for what? Do you allow only hospital-issued devices? Are you a BYOD facility? Are both methods used for different departments or positions? Answers to these questions will help determine who will pay for the hardware, cellular plans, and data, whether that means individuals, departments, or other groups.
3. User roles and responsibilities
Define what users are responsible for regarding usage and maintenance of the technology. Establish your policy for lost devices. Consider details such as what someone should do if a device is lost or forgotten at home. Does your facility provide spares? Can you forward messages to a pager or another device to ensure shift coverage? Is the employee financially responsible for anything if the device is owned by the hospital?
In addition, you will need to decide if there will be penalties for failing to install and use the new secure messaging app. If so, plan in detail what these penalties will be, who is tasked with enforcing them, and how penalties will be applied.
4. Security and feature management
Define how data shared within secure messages will be secured in transit and at rest. This will likely include using mobile device management (MDM) for enforcing passcodes, device encryption, and restrictions.
Also, which systems and applications will end users need to access? Examples may include drug references, directory lookup, on-call information, the EHR, and alerts from clinical systems.
5. IT support
Define what devices, networks, services, and features IT will support and what is out of scope.
6. Consumer application usage
Define whether users are permitted to use consumer messaging apps (iMessage®, WhatsApp®) in any workflow, or whether such apps are prohibited outright.
7. Texting orders
Define whether staff can use secure messaging to text orders.
8. Screenshots
Create a procedure to prohibit screenshots of secure messages. (Note: Most secure solutions natively prevent copy/paste, but they cannot prevent screenshots without an MDM solution.)
9. Keyboard dictation
Create a procedure to prohibit the use of keyboard dictation for any message containing protected health information (PHI). (Note: If your secure solution uses the native keyboard, this is not a HIPAA-compliant workflow.)
10. Image and video attachments
Create a procedure that prevents users from attaching images or videos containing PHI from the device’s camera roll. Instead, require that any attachment containing PHI be captured with the camera inside the app. Pictures in the camera roll can be unencrypted and unprotected if they aren’t managed by an MDM solution.