[BreachExchange] Should Staff Ever Use Personal Devices to Access Patient Data?

Destry Winant destry at riskbasedsecurity.com
Wed Aug 15 00:21:08 EDT 2018


https://www.databreachtoday.com/should-staff-ever-use-personal-devices-to-access-patient-data-a-11346

Is it ever acceptable to allow healthcare workers to use their
personal smartphones to access patient information? How about for
delivering patient care during a network outage?

These are some of the key questions emerging from a recent controversy
involving leaders at the Oklahoma Department of Veterans Affairs who
reportedly made the decision to temporarily allow employees at two VA
healthcare facilities in the state to use their personal smartphones
to access patient records for several hours during a network outage
in July.

Three Oklahoma state representatives have demanded in a recent letter
to Oklahoma Gov. Mary Fallin that she fire two state VA officials -
executive director Doug Elliott and clinical compliance director Tina
Williams - alleging that their decision to allow the VA employees
access to patient records using personal devices violates HIPAA and
other privacy regulations.

A spokesman for Fallin's office tells Information Security Media Group
that the state's CISO, Mark Gower, looked into the matter, and in a
resulting report determined the actions by the VA did not result in
any violations of state or federal privacy regulations.

Plus, as governor, Fallin has no authority to fire the VA leaders -
those matters fall under the authority of the state's VA commission,
the governor's spokesman adds.

No Records Access, No Meds

The state's VA commission has no plans to fire the VA leaders and has
no immediate plans to set up a special meeting to even discuss the
matter, an Oklahoma VA department spokesman tells ISMG.

Approximately 50 VA clinicians were granted temporary access via their
personal mobile devices to the records of patients in two Oklahoma VA
facilities during the six-hour outage, he says.

"Access was given only so those patients could get their medications.
Otherwise, these patients wouldn't have been able to get their
medications," he says. There are a total of about 500 patients at the
two VA facilities that were impacted by the situation, and only some
of those patients needed their medications during the outage, he says.

Good or Bad Idea?

HIPAA violation or not, is it ever a good idea to allow healthcare
employees to use their personal smartphones to access patient records?
What about during a crisis situation?

"These are really tricky issues," says privacy attorney Kirk Nahra of
the law firm Wiley Rein. "You have to think about two paths on these
questions - how is this situation [involving employee smartphone
access to patient records] handled normally, and what - if anything -
can be done differently in an emergency situation? Both questions
essentially involve thorough thinking as part of an overall risk
assessment process."

Companies of all kinds - in healthcare and otherwise - have to figure
out how to manage the fact that data can be transmitted to mobile
devices, whether personal or employer based, Nahra says. "What a
company allows and what it does not allow - and how it 'prevents' what
it doesn't allow - is a critical component of any risk assessment
today."

Companies have to develop a strategy that balances appropriate risks
as well as business needs, the attorney adds.

Special Circumstances

Providing healthcare workers with access to patient records via a
personally owned device is acceptable "under the right conditions,"
says Keith Fricke, principal consultant at tw-Security.

"Specifically, the device must be properly secured with mobile device
management software. This becomes a case of balancing security and
privacy with the needs of delivering patient care," he says. "Risk
exists with permitting any mobile devices access to sensitive
information, regardless of who owns the device, if it is not properly
secured. Some MDM solutions offer a way to compartmentalize access to
company information, separating it from personal data on a personally
owned device."

Mac McMillan, CEO of security consultancy CynergisTek, agrees that the
circumstances around providing employees special access to patient
records are an important consideration.

"If it is the only way to ensure appropriate timely care for patients,
I would hope that administrators and caregivers would always err on
the side of taking care of the patient first and privacy second," he
says. "The real question here is whether this was operationally
necessary or were there other options less risky. Secondly, what level
of disaster planning had they done? Let's face it; it's always easier
to arm chair quarterback after the fact.

"In cybersecurity we manage risk. We don't ever eliminate it entirely;
we manage it. In this case, did the risk to the patient outweigh the
potential risk to the confidentiality of their data? What I haven't
heard in this discussion is any proof that any information was
compromised, but what I think we did hear was our veterans were cared
for."

Report Findings

The Aug. 9 report issued by Oklahoma state CISO Gower's office in
response to the state reps' letter to Fallin demanding the VA firings
says his office's investigation "does not show there to be any
identified issues with violations of the HIPAA privacy or security
Rules, or the State of Oklahoma Breach Notification Act."

That determination was made based on several factors, the report notes.

"Access to the electronic medical records from mobile devices was
authorized on a limited basis to address an emergency need, for the
treatment of patients in care," the report says. "This access was
performed by vetted and authorized [VA] staff who have access to
electronic protected health information and personally identifiable
information in their normal course of duties and are required to
maintain compliance to [VA] HIPAA privacy and security training,
policies and procedures."

Additionally, the EMR was accessed by a limited number of authorized
VA staff "through the use of mobile devices, which still required the
use of mandated security credentials and processes that are prescribed
in the HIPAA Security Rule and supported by the EMR vendor to provide
mobile access securely," the report notes.

Unexpected Problems

The outage occurred on July 25 when the Oklahoma Office of Management
and Enterprise Services was overseeing telecommunications maintenance
"on the state fiber, for a scheduled outage," the report notes. The
outage had an "unintended impact" on two Oklahoma VA sites, it says.

"The ODVA sites contacted the appropriate ODVA informatics team, who
reviewed the outage and the need for care and made the authorization
to enable the ability in the PointClickCare [EMR] system to allow for
mobile access for limited individuals, during the time frame of the
network outage."
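The report's account of the grant (a named informatics team making the decision, an explicit set of clinicians, one access channel opened only for the duration of the outage, staff who already hold EMR access) is the "break-glass" pattern behind the emergency access procedure the HIPAA Security Rule requires covered entities to have. The Python below is an added example, not code from the article, the Oklahoma VA or the PointClickCare system; the user IDs, timestamps and the 12-hour ceiling are constructed assumptions. It shows what makes such a grant defensible after the fact: it expires on its own, can be closed early when the outage ends, covers only the listed users on the listed channel, and every decision, allowed or denied, lands in an append-only audit record that can be reviewed per grant.

```python
"""Time-boxed, scoped emergency ("break-glass") access to an EMR.

Added example, not code from the article, the Oklahoma VA or any EMR
vendor. A named authorizer opens one access channel for an explicit list
of clinicians, for a stated reason, only for the outage window, and every
decision is recorded for later review. Identifiers and times are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, List, Optional, Tuple

NORMAL_CHANNELS = frozenset({"workstation"})  # always allowed by normal policy
MAX_GRANT_HOURS = 12  # assumed ceiling: an emergency grant cannot become permanent
T0 = datetime(2018, 7, 25, 9, 0, tzinfo=timezone.utc)  # constructed outage start


def after(hours: float) -> datetime:
    """Clock helper for the walk-through: T0 plus the given number of hours."""
    return T0 + timedelta(hours=hours)


@dataclass
class BreakGlassGrant:
    grant_id: str
    reason: str
    authorized_by: str
    channel: str                 # the access path being opened, e.g. "mobile"
    clinicians: FrozenSet[str]   # the only users the grant covers
    starts_at: datetime
    expires_at: datetime
    revoked_at: Optional[datetime] = None

    def is_active(self, now: datetime) -> bool:
        if self.revoked_at is not None and now >= self.revoked_at:
            return False
        return self.starts_at <= now < self.expires_at


class EmergencyAccessPolicy:
    def __init__(self) -> None:
        self.grants: Dict[str, BreakGlassGrant] = {}
        self.audit: List[dict] = []  # append-only: grants opened/closed and every decision

    def _log(self, now: datetime, event: str, **fields) -> None:
        self.audit.append({"at": now.isoformat(), "event": event, **fields})

    def open_grant(self, grant_id: str, reason: str, authorized_by: str, channel: str,
                   clinicians, now: datetime, hours: float) -> BreakGlassGrant:
        """Open a grant; refuse unattributed, unscoped or open-ended ones."""
        if not reason.strip() or not authorized_by.strip():
            raise ValueError("break-glass grants need a reason and a named authorizer")
        if not clinicians:
            raise ValueError("grant must name the clinicians it covers")
        if not 0 < hours <= MAX_GRANT_HOURS:
            raise ValueError(f"grant duration must be within (0, {MAX_GRANT_HOURS}] hours")
        grant = BreakGlassGrant(grant_id, reason, authorized_by, channel,
                                frozenset(clinicians), now, now + timedelta(hours=hours))
        self.grants[grant_id] = grant
        self._log(now, "grant_opened", grant_id=grant_id, by=authorized_by, reason=reason,
                  channel=channel, users=sorted(grant.clinicians),
                  expires_at=grant.expires_at.isoformat())
        return grant

    def close_grant(self, grant_id: str, closed_by: str, now: datetime) -> None:
        """Revoke early, e.g. when the outage ends before the window does."""
        self.grants[grant_id].revoked_at = now
        self._log(now, "grant_closed", grant_id=grant_id, by=closed_by)

    def check_access(self, user: str, channel: str, now: datetime) -> Tuple[bool, str]:
        """Decide one access request and record the decision either way."""
        if channel in NORMAL_CHANNELS:
            allowed, basis = True, "normal policy"
        else:
            covering = [g.grant_id for g in self.grants.values()
                        if g.is_active(now) and g.channel == channel and user in g.clinicians]
            if covering:
                allowed, basis = True, f"break-glass grant {covering[0]}"
            else:
                allowed, basis = False, f"no active grant covers {user} on {channel}"
        self._log(now, "access_decision", user=user, channel=channel, allowed=allowed, basis=basis)
        return allowed, basis

    def decisions_for(self, grant_id: str) -> List[dict]:
        """Every access decision taken under one grant, for after-the-fact review."""
        basis = f"break-glass grant {grant_id}"
        return [e for e in self.audit if e["event"] == "access_decision" and e["basis"] == basis]


def outage_scenario() -> EmergencyAccessPolicy:
    """Constructed walk-through: six-hour grant for two clinicians, closed early."""
    policy = EmergencyAccessPolicy()
    policy.open_grant("outage-0725", "state fiber outage; patients need medications",
                      authorized_by="informatics-oncall", channel="mobile",
                      clinicians={"rn-101", "md-202"}, now=after(0), hours=6)
    policy.check_access("rn-101", "mobile", after(1))       # allowed: listed user, active grant
    policy.check_access("admin-9", "mobile", after(1))      # denied: not on the grant
    policy.check_access("md-202", "workstation", after(1))  # allowed: normal path, grant irrelevant
    policy.close_grant("outage-0725", closed_by="informatics-oncall", now=after(5))
    policy.check_access("rn-101", "mobile", after(5.5))     # denied: grant closed when outage ended
    return policy
```

The audit list is what turns "we let 50 clinicians in for six hours" into something a reviewer like the state CISO can actually verify: which grant, opened by whom and why, which users, and each allowed and denied request under it. The hard ceiling on duration is deliberate; without it an emergency grant quietly becomes standing mobile access.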

Planning Ahead

Some security experts note that with proper continuity planning,
access to patient records might have been enabled without the use of
employees' personal devices.

"Replicating systems to another data center can provide access via
workstation or laptop instead of from a smartphone," Fricke notes.

McMillan adds: "Many organizations have a second tier of systems that
are not connected to the internet, or even the network full time, that
are capable of printing out the patient's record or information in
emergency circumstances. What should be looked at [in the Oklahoma VA
incident] is whether the administrators' decisions were necessary as a
result of poor prior disaster recovery/business continuity planning.
While the decision to take the risk may have made sense presented with
the circumstances, those circumstances may have been different had
more thorough planning been accomplished."
