The number of organizations providing tablet or laptop PCs to nurses and other health care professionals who provide at-home care is growing. And so are the risks to patient privacy. How much flexibility can you safely give mobile health care workers?
Traditionally, the day of a home health care worker looks something like this:
- Travel to a main office and pick up additional patient care information and scheduling changes, if there were changes from the previous day's visit
- Visit the home of each patient scheduled for the day, documenting care provided and supplies dispensed on paper forms
- Drive back to the main office to drop off care-tracking documents and time sheets for payroll, and pick up additional patient care information and scheduling changes
The information in the care documents and payroll sheets is entered into a central billing and care system by office staff. This can sometimes take several days.
Health care doesn't seem to suffer because of this process. However, there are financial reasons a home-care provider would want to automate the administrative components.
- Home care personnel are typically paid mileage. Trips to the office cost the company money, which can be reduced if all interaction with the billing and care system is automated. As administrative travel time diminishes, there is more time to provide billable care.
- Billing costs are reduced. Use of point-of-care laptops or tablet PCs enables caregivers to directly enter care information, payroll, and supply use into a local application of the billing and care system. Locally stored data is synchronized at least once per day with the central system. This eliminates the multi-day data entry timeline and the cost of manual entry. Office administrators can refocus staff who were dedicated to entering information on activities to improve patient care.
The most effective way to provide the business benefits listed is implementation of a system which supports the use of mobile devices at point-of-care. This changes how a caregiver works.
- Each evening, the caregiver connects his or her laptop to the central system. Patient care, payroll information, and supply use are transmitted and posted that night.
- Each morning, the caregiver connects his or her laptop to the central system. New patient information, changes to care plans, and other updates are downloaded. When the download is complete, the caregiver goes directly to the first patient visit.
This is all good. The company reduces cost, caregivers have more time to spend with patients, and office staff is focused on patient care activities. So what's the problem?
Patient information is on the move whether using paper forms or a laptop. In fact, using a properly secured laptop, including drive encryption, provides much better protection. So providing caregivers with a single-purpose device, a device which can only run point-of-care software and connect to the central system to synchronize information, is not a big security issue. Or is it? It depends on the other "stuff" the business users want to include.
The minute you provide a laptop to an employee, a sense of entitlement seems to ensue. Entitled to what? Let's see…
- Anywhere, anytime access to the Internet, including Wi-Fi access while on the road (coffee shops, restaurants, etc.).
- Installation of a full Microsoft Office package for email, document creation, etc.
Let's take the Office issue first. I have no problem with this other than the expansion of the laptop's attack surface. Keeping a system as lean as possible minimizes opportunities for data loss. The real risk, the one that should keep security managers up at night, is Wi-Fi access to the Internet. Remember, there is patient information (ePHI) stored on these laptops.
Wi-Fi access alone doesn't scare me. Properly configured, it can provide a safe channel to synchronize information. If limited to central server access, that is. If Wi-Fi is allowed for general home or retail hotspot access, the opportunities for system compromise and resultant data leakage grow exponentially.
Yes, the standard layers of laptop protection SHOULD be present. However, relying on users to keep their devices connected long enough to obtain security patches and updates may be a problem. Further, managing laptops for users on the move is always challenging. It's better to keep the number of applications small, including security-related software. Locking the system into a single-use role is more effective than trying to chase down an errant laptop.
Just because an employee is provided a laptop doesn't mean he or she is entitled to use it for anything other than its intended purpose. Many health care providers create single purpose systems for in-facility use. Why would mobile care devices be different? And this isn't just a health care issue.
As the use of mobile devices, including handhelds, for business use increases, business managers must make it clear there should be no expectation of using them for anything other than the business processes intended. If Bill or Sally wants to surf the Web or check personal email while at Starbucks with systems containing sensitive information, consider asking them to buy their own devices, devices which do not contain patient, employee, or customer data.
The final word
No, I don't believe all laptops should be single-purpose. I wrote this post to give you something to think about. You can probably think of several ways to make caregiver systems secure, but remember there is usually a cost associated with these as well.
Too often we allow business users to dictate mobile device use, even when we know it will put the company at risk. We need to enter discussions about new mobile technology with an attitude of negotiated engagement. In other words, just because a user asks for something doesn't mean he or she should have it. The bottom line? It's about risk, not perceived entitlement.
Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be published in Q1/2013). Before joining the private sector, he served 10 years in the United States Army Military Police with four years as a military police investigator. He has an MBA and CISSP certification. He is also an online instructor for the University of Phoenix.