Pharmaceutical Market Europe • November 2022 • 36-37

DATA SECURITY

Concerns about data security are building a strong case for clinical mobility in EMEA

By Thomas Duparque

Electronic medical records have transformed the storage of sensitive information but how can the healthcare sector continue to protect patient and staff data?

Patients expect privacy, but that’s difficult to guarantee when doctors and nurses are sharing and reviewing patients’ sensitive data on their personal smartphones.

Eight in ten hospital leaders and clinicians who participated in Zebra’s latest Healthcare Vision Study confirmed that the pandemic accelerated their use of technology. And the use of electronic medical records (EMR) has steadily grown across Europe, in part due to regulations such as the General Data Protection Regulation (GDPR) that dictate how sensitive health data can be captured, shared and used. More recently, the European Union (EU) announced plans for the European Health Data Space, which will allow people easy access to their health data in electronic form, free of charge. They can easily share the data with other health professionals in and across member states to improve healthcare delivery.

EMR – when paired with the right mobility solution – makes it easier to deliver quality patient care. Doctors, nurses and other staff can immediately retrieve and review a patient’s medical history, diagnostic test results and medication plans at the bedside so they can make the right decisions when trying to diagnose or treat both acute and non-acute issues.

In fact, 88% of hospital leaders strongly agree technology helps prevent and reduce medical errors and that real-time data is essential to optimal patient care.

Andres Avila, engineer and healthcare specialist with Zebra Technologies, points out with technology, even radiologists, lab technicians, pharmacists and non-clinical staff will see a huge jump in their efficiency, accuracy, productivity and overall impact on patients. They will be able to positively ID patients at every encounter and know exactly how they need to assist.

Zebra’s vision study showed nearly half of hospital leaders allow employees to bring and use their smartphones and tablets while at work, and 36% more say they’ll give employees the option in the next year, with examples of Bring Your Own Device (BYOD) found all across Europe. For example, the UK’s NHS and the EU’s European Medicines Agency both have updated guidance on BYOD for healthcare staff and for clinical trials.

But hospitals have no way of fully locking down the millions of personal devices being used by healthcare professionals. Work profiles can offer some level of ‘containment’ when personal devices are used to log in to business systems, such as the EMR.

IT teams don’t have any control over who accesses those devices. A spouse, child or friend might have the password to the clinician’s phone, technically enabling them to get into healthcare information systems and access our sensitive data. And not all hospital policies require employees to encrypt or lockdown their personal devices, even when work profiles are used.

This is concerning for three main reasons:

  1. Telehealth is on the rise, which means mobile technologies are being used more than ever for patient care. Devices are also being used in more public places. It’s not like the doctor or nurse is always sitting in a room alone having a private conversation with you. If they’re at home, friends and family may be able to look over their shoulders or see what’s on the screen. Even at clinics and hospitals, they may be sitting in a communal space handling these appointments, so the same access risks apply.
  2. Personal health data is highly valued by cyber criminals. We know some cyber criminals are trying to steal information that could result in a financial payout via blackmail, ransoms and more. There are numerous recent examples of cyber-attacks against healthcare institutions across Europe, South Africa and the UAE.
  3. Many healthcare systems allow BYOD but don’t have sufficient security measures or privacy policies in place. Some may not have the IT resources to develop and enforce the type of BYOD compliance programme that could provide some level of confidence in mobile data security and patient privacy. Therefore, they rely more on trust – trust that workers will do what’s necessary to protect patient data.

Image

Don’t wait for legislation to catch up with today’s reality

We can’t wait for governments and legal institutions to mandate better security via legislation, or for healthcare providers to ensure the resources are in place to implement and comply with it. We must do something differently now.

For most healthcare systems, that means committing to clinical mobility solutions that give them total control over devices and the data captured, stored and shared on them. I realise when you have a lean team and even leaner budgets that it may seem impossible to take on such a big initiative. But what’s the alternative? Continue to put your patients and, therefore, your operational health at risk?

Why healthcare-owned enterprise devices are a smarter data security and patient privacy strategy

Corporate-owned clinical mobility solutions can give you total control over the ‘people, policy and technology’ factors that affect data security and patient privacy. That’s what sets them apart from personally owned devices that may or may not be corporate managed in some capacity.

Unlike personal devices, you can dictate what both clinical and non-clinical staff do with their corporate-owned mobile computers – even if they are allowed to take them home.
For example, you’ll be able to define access to healthcare systems based on each device user’s role and use a single sign-on (SSO) solution to enforce it. You’ll also be able to limit what they can and can’t do with devices connected to business email or information systems, including the EMR or those used for telehealth, staff communications and remote patient monitoring. For example, you can restrict social media or personal apps and even install an Enterprise Browser to control the websites they’re allowed to access on the device. You’ll also be able to lockdown wireless network access so they don’t accidentally connect to an insecure network that could make them – and patient data – vulnerable.

Another benefit of giving all staff corporate-owned devices is that you don’t have to give all staff their own device. For example, clinicians who travel between facilities or support patients in rural, remote or telehealth care programmes may need to always keep a corporate-owned device on them. But nurses don’t need to take a mobile device connected to the EMR or other healthcare systems home every day. Neither do porters, laundry staff, pharmacists, lab technicians, radiologists, or administrative staff.

From the patient perspective, we know patients want more visibility into their treatment plans and more control over their care because those are things we want personally as patients. However, if we’re compromising patient privacy and safety – or staff privacy and safety, for that matter – are we really helping anyone?

Don’t assume that just because it’s faster to digitalise healthcare with a BYOD strategy that it’s better for patients or staff. Doctors and nurses don’t want to be the reason patient information is stolen.

In fact, if you revoke access on personal devices and require most of your staff to use corporate-owned devices from a shared fleet (only while on the clock), you can reduce:

‘More recently, the European Union (EU) announced plans for the European Health Data Space, which will allow people easy access to their health data in electronic form, free of charge’

Patient doubt

They can see that you’re taking measures to protect their sensitive data. When they come into the clinic or hospital and see that staff are using healthcare-grade mobile devices that can only be accessed with a badge swipe, biometrics, or other secure authentication method, that helps build trust.

Your risk of cyberattacks

Limiting how many staff members can access data-rich healthcare systems, and when and where they can access them, means there are fewer opportunities for a bad actor to try to sneak in. Plus, if a device goes missing within the four walls, you may be able to use a Virtual Tether tool or Bluetooth Low Energy technology to locate it before someone finds it and steals it. And if someone tries to walk out of the building with the device, an alarm can sound. So, there are cyber-physical benefits to enterprise-grade clinical mobility solutions that simply aren’t attainable with consumer devices. When the device isn’t in use, it can be locked away in an Intelligent Cabinet.

Using just enterprise apps, you can reduce distractions and control access to personal apps so the clinician’s attention remains on patients. Plus, IT teams will likely find it easier to take ownership of a full fleet of clinical mobility devices versus trying to manage a BYOD set-up. They can develop software and apps once and then deploy in one fell swoop across the entire fleet. They can also manage device, software and network security updates consistently.

They won’t have to keep up with what’s needed for ten different types of devices on any given day, many of which may be old and out of security support. On top of that, standardising your entire workforce on a single enterprise-grade operating system (OS) makes it possible to automate solution monitoring and management, to include security monitoring and management.

The key takeaway

If someone is telling you that it’s time to get a true clinical mobility solution online and in the hands of your doctors and nurses, you should listen. Don’t start listing reasons why that’s not feasible or necessary right now. It is both feasible and necessary, if only for the sake of data security.

You have both compliance and patient obligations. If you only transition half of your operations to a corporate-owned mobility solution, you will only reduce the data security risks by 50%. There will be vulnerabilities any time the other staff members log onto an insecure consumer device, public network or unauthorised app. You need to be in a position where you can say, ‘I’ve done everything possible to secure data and protect patient and staff privacy’ as technology use becomes more prevalent.

You also need to be in a position where it’s not a heavy lift to lock down any additional technology platforms that you may sync with the clinical mobility solution in the future. If you add a new workflow app, migrate to a new EMR, add a dynamic communication and collaboration tool, integrate with real-time location systems, or connect with digital health monitoring equipment, the data accessed or shared via the mobile device should remain secure.

Thomas Duparque is Healthcare Business Development Manager, EMEA, Zebra Technologies