The feds want to help you use your smartphone or tablet to store, process, and transmit patient information—and keep it safe from breaches that can cost you big. They want to help you make it as easy and cheap as possible, and they suggest ways you can use easily available tools (some of them open source) that are interoperable with software you’ve already invested in. Bonus—they’ve thrown in a checklist to help you grill your HIT vendors like a pro.
The draft guidance doesn’t come from the usual government stooges we’re all used to hearing from in health care. It’s from the National Cybersecurity Center of Excellence, part of NIST, a non-regulatory arm of the Commerce Department.
It’s not beach reading. It’s a hefty resource filled with flow charts, server diagrams, and loads of links to best practices that you can share with your practice manager, IT guy, or HIT vendors. Let the IT folks read it at the beach. They’ll love it.
What kinds of security risks expose patient information to breaches? EHR is much more practical and effective if clinicians can use mobile devices, but with ease of use comes vulnerability. The NCCE created scenarios and tested solutions for three broad risk categories:
- Lost or stolen devices.
- Clinicians who inadvertently download malware or use an unsecured Wi-Fi network, exposing PHI to evildoers.
- IT support teams that don’t have all their ducks in a row. For example, they might have faulty access control or enforcement that lets evildoers in.
Bonus Tool for Eye Care Leaders: Questions to Ask Your EHR Vendors
At the very end of this section, NCCE provides a cool tool to help you plan and shop for HIT solutions that reduce the risk of breaches. Here’s our abridged version, along with links that refresh your memory on the geek speak if you need it.