Truth be told most of us love our nifty little gadgets and we feel like we just can’t live without them. And now more than ever Centricity mobile access is being requested. That’s where BYOD (Bring Your Own Device) comes in…
When staff is able to access company or Centricity Hosting using their own mobile devices, over your wireless network, it can be a win-win scenario… Centricity mobile. The practice saves money by not purchasing additional smartphones, iPads, laptops etc., and the staffers can actually be made more productive with easier access to workplace resources via Allscripts or Centricity Hosting. Organizations facing increasing pressure from staff and management to both allow BYOD to enable Centricity mobile access need to make sure it comes up with good practices to govern its BYOD policies.
Check out these eye-opening and somewhat scary statistics.
- 78% of companies say there are more than twice as many personal devices connecting to corporate networks now than compared to two years ago
- More than 10 billion personal mobile devices expected to be in use by 2020
- 81% of Americans use their personal mobile devices for work
- 66% of workers say their organization has not yet implemented a BYOD policy
- 35% of employees store work email passwords on their phones
- 37% of employees haven’t activated their auto-lock feature
- Less than 10% of organizations are “fully aware” of all the devices accessing their network
Stat Sources: Gartner, Checkpoint, Ovum, IBM, Entersays, Vertic, Motorola, Harris Poll, Magic Software.
Let’s look at some of the Centricity mobile device basics that you will need to understand and address in your practice, in order to remain compliant with the latest HIPAA, MU2 and other governmental regulations regarding ePHI and sensitive information.
Centricity Mobile Access
First up, does all staff need to have the privilege of a company email, application, and wireless setups on their devices? There should be a clear business or clinical reason for access e.g. providers who need 24/7 access to Centricity or Allscripts EMR charts in as many ways they can, managers who need 24/7 access to company email, etc. Those staffers who generally complete their work within the workday, onsite, will have less need for Centricity mobile access and will likely just cause increased load on your wireless network and internet bandwidth. And let’s not even go down the path of streaming music and videos, distractions that can be allowed to staff that would then decrease productivity…
The first line of security and HIPAA compliance is that every phone, tablet, notebook, and desktop computer must have a good password or finger-swipe lock or login configured, no exceptions. This will keep out finders of the lost mobile device, plus keep out family members who might wander in and quickly find themselves viewing sensitive patient info they should not have access to. I’m reminded of the doctor who one evening had his kids ask him what was wrong with a famous patient whose name they recognized – the kids had been allowed to play on the iPhone and bumped into sensitive emails! Not good. If a device is going to touch ePHI, it must be secured to only those authorized to access the ePHI.
In addition to password protection, many regulations are now calling for encryption of devices that can be most easily lost or stolen, so that the drives and chips that store the sensitive data cannot be pulled out and accessed from other computers. Good news is that current smartphones including Androids and iPhones 3GS or newer have encryption capabilities right out of the box, by configuring that passcode and then sometimes enabling within settings. You would have to investigate what is required for your particular phone/staffer phones and require settings accordingly. More recent Apple and Windows notebooks come with encryption options as well onboard, while older notebooks can be retrofitted with third-party disk encryption software – more on this in another blog shortly.
iPhones, iPads, Androids and other devices with GPS have applications that can easily be downloaded and installed that track and hopefully recover a lost device, and these can be a required policy for BYOD staffers. With the “Find iPhone” app, for example, you connect a device to iCloud and then login to the iCloud website from any other computer and locate the device on a map with surprising detail and have it make an alert sound (great for finding your phone in your home!), display a message you type, lock the device, or in worst case remote wipe all your info and apps from the device to keep from prying eyes.
If you determine that a device is lost for good, remote wipe capability becomes critical so that your personal or practice information doesn’t get compromised. A carrier can initiate this from a store, the owner of the device can initiate from a preinstalled app (discussed above), an email administrator can initiate from Microsoft Exchange or Blackberry servers, there are several options to wipe an entire device of all personal info and return it to stock. But what if you wish to have the ability to wipe only company information from a staff device, say on termination of association with that employee, but leave all their personal applications and data intact? Then these methods won’t do, you will need to turn to third-party applications and systems such as Airwatch to manage the whole access/wipe process for your devices.
Clearly, BYOD is going to become a vital component of your any overall security policy if it isn’t already because Centricity mobile access is becoming more and more neccesary. The need to ensure that this policy is up to date and meets some of the Meaningful Use requirements can be a daunting task. At Health 1 we help clients every day become fully compliant with these HIPPA security requirements in addition to developing written audit defensible policies on IT security.