<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>HIPAA Text</title>
	<atom:link href="http://www.hipaatext.com/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.hipaatext.com</link>
	<description>Secure Texting for Hospitals</description>
	<lastBuildDate>Thu, 16 May 2013 21:54:19 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=</generator>
		<item>
		<title>Hospitals lose $8.3 billion using old technology</title>
		<link>http://www.hipaatext.com/hospitals-lose-8-3-billion-using-old-technology/</link>
		<comments>http://www.hipaatext.com/hospitals-lose-8-3-billion-using-old-technology/#comments</comments>
		<pubDate>Wed, 08 May 2013 23:02:00 +0000</pubDate>
		<dc:creator>gina</dc:creator>
				<category><![CDATA[HIPAA News]]></category>

		<guid isPermaLink="false">http://www.hipaatext.com/?p=3949</guid>
		<description><![CDATA[(Featured on US Today) By: Byron Acohido SEATTLE — U.S. physicians and hospitals are in the digital dark ages when it comes to using the latest mobile devices and Internet services to deliver patient care. As a result, U.S. hospitals are absorbing an estimated $8.3 billion annual hit in lost productivity and increased patient discharge [...]]]></description>
				<content:encoded><![CDATA[<p>(Featured on US Today)</p>
<p>By: Byron Acohido</p>
<p>SEATTLE — U.S. physicians and hospitals are in the digital dark ages when it comes to using the latest mobile devices and Internet services to deliver patient care.</p>
<p>As a result, U.S. hospitals are absorbing an estimated $8.3 billion annual hit in lost productivity and increased patient discharge times, according to a Ponemon Institute survey of 577 health care professionals, released Tuesday to CyberTruth.</p>
<p>Hospitals continue to struggle with security and privacy concerns arising from the mainstreaming of social media at a time when federal rules carry the threat of steep fines for violating patient privacy.</p>
<p>The study, sponsored by tech security firm Imprivata, shows that clinicians waste an average of 46 minutes per day waiting for patient information. The main reasons: reliance on inefficient pagers, no Wi-Fi access, deficient e-mail and bans on use of personally owned devices.</p>
<p>That adds up to a productivity loss of $900,000 per year for the typical hospital — or more than $5.1 billion annually across the health care industry.</p>
<p>&#8220;The only industry that uses pagers pervasively is health care,&#8221; Imprivata CEO Omar Hussain says. &#8220;Everyone else has moved to forms of communications that are faster and quicker.&#8221;</p>
<p>Hospitals fritter away an additional $3.2 billion by continuing to rely on clunky communications systems as part of the patient discharge process. An estimated 37 minutes of the average discharge time of 102 minutes is due to waiting for hospital staff to respond with information necessary for the patient&#8217;s release.</p>
<p>This lengthy discharge process costs the U.S. hospital industry $3.2 billion annually in lost revenue, the study found.</p>
<p>&#8220;If the technology was a little better and less restrictive, that&#8217;s where the value add would occur,&#8221; says Larry Ponemon, of the Ponemon Institute. &#8220;The goal is to maximize face time with patients. I think that could be achieved by having better technology.&#8221;</p>
<p>Beaufort Memorial Hospital, a 197-bed facility in Beaufort, S.C., with a staff of 1,300, including 150 physicians, is a case in point.</p>
<p>The hospital recently implemented a secure-texting system that enables doctors and nurses to use text messaging on personally owned iPhones for business communications. The fix was simple: a Web application, downloaded from the Apple Store, that encrypts all messages and stores them in an archive that can be audited.</p>
<p>&#8220;The manufacturing and banking industries have been doing these things for a long time,&#8221; says Edward Ricks, Beaufort&#8217;s chief information officer. &#8220;These technologies aren&#8217;t new. It&#8217;s just that the culture for using them to improve workflows hasn&#8217;t happened in hospital culture.&#8221;</p>
<p>Beaufort also replaced its aging in-house network, in which doctors had to memorize multiple logons to access records in different departments. Today, the hospital uses a new &#8220;virtualized desktop&#8221; and &#8220;single sign-on&#8221; system. Simple computing devices are located in all rooms and at all nurses stations. Each staffer has a single logon to access records in different departments, and can do so from any device.</p>
<p>&#8220;We&#8217;ve seen a great improvement in workflows for physicians and nurses,&#8221; Ricks says. &#8220;Folks will do the right thing if you give them the right tools.&#8221;</p>
<p>The Obama administration has supplied a juicy carrot for others to follow suit. In 2009, President Obama signed into law the Health Information Technology for Economic and Clinical Health (HITECH) Act, allocating $19 billion to promote the wider use of electronic medical records.</p>
<p>Under a federal program referred to as &#8220;Meaningful Use,&#8221; doctors can get reimbursed for demonstrating increased adoption and use of electronic medical records.</p>
<p>&#8220;Meaningful use is forcing the health industry to adopt new technologies to make more patient information available in real time and improve communications,&#8221; says Hussain.</p>
<p>Sweeping change is not likely to happen overnight. Jeremy Delinsky, chief technology officer at Athenahealth, which supplies electronic medical record systems, notes that there is no infrastructure for physicians to easily share patient information.</p>
<p>Someone from, say, Boston, who falls ill while on vacation in Phoenix, would have a difficult time getting the family physician to send health records to the attending physician in Arizona. This could present enormous problems for patients with chronic conditions or complicated medical histories, he says.</p>
<p>&#8220;Health care is incredibly complex,&#8221; Delinsky observes. &#8220;Technology innovators must contend with regulatory restrictions and run interference with insurance companies. These compounding factors make it very difficult to digitally advance the way patients receive care.&#8221;</p>
]]></content:encoded>
			<wfw:commentRss>http://www.hipaatext.com/hospitals-lose-8-3-billion-using-old-technology/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Health BYOD Security: Don&#8217;t Block It, Control It</title>
		<link>http://www.hipaatext.com/health-byod-security-dont-block-it-control-it/</link>
		<comments>http://www.hipaatext.com/health-byod-security-dont-block-it-control-it/#comments</comments>
		<pubDate>Tue, 07 May 2013 23:54:37 +0000</pubDate>
		<dc:creator>Tabitha</dc:creator>
				<category><![CDATA[HIPAA News]]></category>

		<guid isPermaLink="false">http://www.hipaatext.com/?p=3945</guid>
		<description><![CDATA[May 6 2013, Bill Kleyman (featured on HealthITSecurity) Companies across all industries are creating logical controllers and utilizing intelligent network segmentation to create robust BYOD platforms. Why is this happening? The goal is to create a happier and more efficient user. According to a recent Cisco Partner Network study (titled BYOD Insights 2013), a [...]]]></description>
				<content:encoded><![CDATA[<p>May 6 2013, Bill Kleyman (featured on HealthITSecurity)</p>
<p>Companies across all industries are creating logical controllers and utilizing intelligent network segmentation to create robust BYOD platforms. Why is this happening? The goal is to create a happier and more efficient user.</p>
<p>According to a recent Cisco Partner Network study (titled BYOD Insights 2013), a mere 36 percent of healthcare respondents say their employer would be prepared for BYOD issues. The facts are clear – healthcare is a whole different sort of infrastructure. Within the healthcare world, there are thousands of associates and numerous different connection points. All of these have to be controlled and a BYOD policy on top of an existing infrastructure seems too challenging to undertake and manage, let alone secure. However, with modern IT consumerization and BYOD control technologies, deploying a robust BYOD environment doesn’t need to be challenging. With that in mind, don’t block BYOD; learn to secure it and control the environment.</p>
<p><strong>Create security</strong> – BYOD and security policies can now be applied at numerous levels. Organizations now have the option to control more than just the device. Modern IT consumerization control technologies can help healthcare organizations secure physical devices as well as the data and workloads they access. Next-generation security platforms are much more than just a buzz term. These are virtual appliances and servers which are deployed within a healthcare organization. They serve specific functions to secure and help deliver data to the end-user. The key point to understand is that these appliances and services are highly agile. For example, in deploying a XenMobile solution, not a single physical server is required. Every key component can be deployed as a virtual machine or a virtual server appliance.</p>
<p><strong>Simplify management</strong> – The original challenge in moving towards a BYOD control platform was the additional management it created. Now administrators are able to control everything from email flow to file sharing access from one console. Furthermore, these management platforms can be integrated with other network security components. For example, application and network delivery controllers such as Application Delivery Controllers (ADC) or Network Delivery Controllers (NDC) can be the direct front-end to a BYOD control policy.</p>
<p>These appliances are able to do device interrogation to ensure that specific security policies are applied. Is the user coming in from a rooted device? Does the device have AV? Is the user coming in from a secure connection? What is the geo-location of the device? All of these can be set as rules to either allow or prevent a device from accessing the network. Once it is connected, however, administrators are able to control what applications and what data are actually delivered to the end-point. Should that device be lost or stolen – security and BYOD administrators are able to locate the device and wipe it. Here’s the great part: BYOD controls allow you to segment personal and corporate data. This means that a lost device can either be wiped in full, or just have the corporate data removed.</p>
<p><strong>Empower the user</strong> – This is, without a doubt, one of the best benefits of moving towards a secure and controlled BYOD platform. The idea isn’t just to control the application and workloads being delivered to devices. In reality, the overall goal isn’t really even to control devices. It’s to create a more efficient environment that empowers the users. Whether it’s a nurse, a doctor or an associate – their ability to quickly access information from a personal device may help them with their roles within the organization. More and more healthcare organizations are deploying device-controlled iPads to help with diagnostics and fast medical record access. By allowing users to access information that they deem vital from a personal device, administrators are creating a workforce which revolves around the concept of “work better, live better.”</p>
<p>Overly-structured IT environments are now seen as dated. Advanced data loss prevention (DLP) and intrusion prevention system (IPS) engines further help lock down an environment and help prevent data loss. Modern BYOD control technologies allow administrators to retain granular control over devices, applications and data while still delivering a powerful platform to the end-user. There can still be a lot of control as well as user transparency.<br />
More and more users are going to request the ability to use their own devices to access healthcare workloads. This could be a file or an entire application. New BYOD technologies are truly creating a more secure and robust deployment strategy. These technologies are leading the way in IT consumerization, application, and workload delivery controls. If there is still a nervous feeling around deploying a full BYOD solution, there are other options as well. With virtualization and the ability to create a sandbox environment, administrators can spend just a bit of time setting up a proof of concept (POC) to learn about BYOD control policies. From there, this environment can be integrated into production once all testing is complete.</p>
<p>Falling behind on user trends and BYOD can, in the longer term, actually begin to reduce productivity within a healthcare organization. With new abilities to secure a BYOD environment and simplified administrative tasks, more healthcare environments should look into deploying an intelligent end-user device management platform; one that’s not blocked – but secured and controlled.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.hipaatext.com/health-byod-security-dont-block-it-control-it/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Texting Patients Securely at Your Medical Practice</title>
		<link>http://www.hipaatext.com/texting-patients-securely-at-your-medical-practice/</link>
		<comments>http://www.hipaatext.com/texting-patients-securely-at-your-medical-practice/#comments</comments>
		<pubDate>Tue, 07 May 2013 16:43:05 +0000</pubDate>
		<dc:creator>gina</dc:creator>
				<category><![CDATA[HIPAA News]]></category>

		<guid isPermaLink="false">http://www.hipaatext.com/?p=3943</guid>
		<description><![CDATA[April 30, 2013, By Marisa Torrieri (Featured on Physicians Practice) Everyone uses text messaging outside of the office. Whether to text a spouse, “could you pick up the bacon?” or text a colleague, “I’ll be 10 minutes late,” texting is super convenient and often times easier than making a phone call. But using text [...]]]></description>
				<content:encoded><![CDATA[<p>April 30, 2013, By Marisa Torrieri (Featured on Physicians Practice)</p>
<p>Everyone uses text messaging outside of the office. Whether to text a spouse, “could you pick up the bacon?” or text a colleague, “I’ll be 10 minutes late,” texting is super convenient and often times easier than making a phone call.</p>
<p>But using text messaging in the clinical setting, to communicate with patients or colleagues, requires a greater level of care. Thanks to HIPAA, the act of sending short messages is treated the same as sending an e-mail. Security measures such as encryption must be put into place to shield protected health information from being usurped by hackers or other third parties. Also: What might seem innocuous to a physician or practice manager could potentially violate HIPAA rules, depending on the content of the message or what information is revealed.</p>
<p>“If a clinician decides to send a text message rather than speaking to the patient directly, doing so could violate HIPAA,” Sharona Hoffman, professor of law and bioethics and co-director of the Law-Medicine Center at Case Western Reserve University School of Law in Cleveland, told Physicians Practice. “A violation would occur if the patient didn&#8217;t agree to this mode of communication and someone other than the patient saw the message, such as a child, friend, or spouse. Such a disclosure could have serious consequences for a patient if the third party learns private and sensitive medical information about the person.”</p>
<p>All of these concerns have fueled the market for secure messaging applications that allow doctors and other healthcare workers, as well as administrative staff, to text each other and patients without worrying about violating privacy laws.</p>
<p>One of the vendors in this emerging space is TigerText, which offers a secure mobile messaging platform that helps healthcare organizations and other businesses improve work flow and reduce risk. At HIMSS13, TigerText unveiled a new service called TigerConnect, which lets any organization use the power of secure messaging to reach any colleague, customer, or partner in real time.</p>
<p>By using the platform, which “feels like BlackBerry Messaging for the enterprise,” physicians can coordinate care with each other through messages that are encrypted in transit and at rest, CEO Brad Brooks told Physicians Practice. The platform also allows clinicians to send messages based on their respective corporate e-mail addresses in lieu of personal phone numbers.</p>
<p>“A lot of physicians don’t want to give out their phone number,” said Brooks. “This is the way for them to participate in a [text conversation] without having to do so.”</p>
<p>While using an intra-office messaging app might appeal to some practices, others want to be able to leverage the convenience of text messaging for their patients. Two potential examples: practice staff sending appointment reminders to patients, or physicians using text messages to answer basic patient questions.</p>
<p>In addition to using a secure messaging app, practices might want to consider other measures.</p>
<p>“Even an appointment reminder could violate HIPAA because it would reveal that a patient is seeing a particular doctor [such as] a psychiatrist [or] fertility expert,” said Hoffman.  “If healthcare providers want to text patients, they should get patients to sign an agreement that this is an appropriate method of communication.”</p>
]]></content:encoded>
			<wfw:commentRss>http://www.hipaatext.com/texting-patients-securely-at-your-medical-practice/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Study Indicates Healthcare Data Breach Preparedness Issues</title>
		<link>http://www.hipaatext.com/study-indicates-healthcare-data-breach-preparedness-issues/</link>
		<comments>http://www.hipaatext.com/study-indicates-healthcare-data-breach-preparedness-issues/#comments</comments>
		<pubDate>Thu, 25 Apr 2013 00:48:43 +0000</pubDate>
		<dc:creator>Tabitha</dc:creator>
				<category><![CDATA[HIPAA News]]></category>

		<guid isPermaLink="false">http://www.hipaatext.com/?p=3906</guid>
		<description><![CDATA[April 23 2013, Patrick Ouellette (featured on HealthITSecurity) Handling healthcare security goes beyond just the technical side, as privacy and security compliance is critical to both data breach prevention and response plans. Experian Data Breach Resolution and the Ponemon Institute released a report today, titled Is Your Company Ready for a Big Data Breach?, that is composed of responses [...]]]></description>
				<content:encoded><![CDATA[<p>April 23 2013, Patrick Ouellette (featured on HealthITSecurity)</p>
<p>Handling healthcare security goes beyond just the technical side, as privacy and security compliance is critical to both <a title="Glossary: Data Breach" href="http://healthitsecurity.com/glossary/data-breach/">data breach</a> prevention and response plans. Experian Data Breach Resolution and the Ponemon Institute released a report today, titled <em><a href="http://www.experian.com/data-breach/readiness-survey.html">Is Your Company Ready for a Big Data Breach?</a>, </em>that is composed of responses from mainly health and pharmaceutical privacy and compliance professionals as well as those from retail and financial services.</p>
<p>All 571 respondents have experienced at least one data breach, 52 percent have dealt with multiple breaches, and most have 1,000+ employees in their organizations. They explained, among other items, their understanding of what happens as a result of a data breach, avoiding a material data breach and data breach preparedness plan. Here are some of the key findings:</p>
<p>- 76 percent of respondents expect to have a data breach that results in the loss of customers and/or business partners and 75 percent say it will result in negative public opinion</p>
<p>- Communications issues: Organizations can prevent negative opinion and customer trust losses by communicating properly with those patients who have been affected by a breach. However, a mere 21 percent of respondents have an internal communications team trained to assist in these matters. And 30 percent of respondents reported that their organizations train employees on how to respond to breach questions.</p>
<p>- Scope: 23 percent of respondents reported they can feel confident in determining the potential or actual harms to data breach victims and only 26 percent said they believe they can accurately decide which data breach victims were truly affected or harmed.</p>
<p>- Mobile: 78 percent allow <a title="Glossary: BYOD" href="http://healthitsecurity.com/glossary/byod/">BYOD</a>, but only 61 percent test the devices before connecting to networks or enterprise systems.</p>
<p><a href="http://healthitsecurity.com/2013/04/23/survey-indicates-healthcare-data-breach-preparedness-issues/byod1-2/" rel="attachment wp-att-7885"><img title="BYOD1" alt="" src="http://healthitsecurity.com/wp-content/uploads/BYOD11.jpg" width="500" height="250" /></a></p>
<p>- Lack of <a title="Glossary: Encryption" href="http://healthitsecurity.com/glossary/encryption/">encryption</a> and <a title="Glossary: Authentication" href="http://healthitsecurity.com/glossary/authentication/">authentication</a>: 44 percent see their organization as effective in user authentication and even fewer (43 percent) change access rights soon after an employee leaves or is terminated. And 46 percent do not encrypt their data.</p>
<p><strong>Missing links to data breach preparedness</strong></p>
<p>Only 61 percent of respondents have a data breach plan at the ready and 67 percent have a dedicated breach response team in place. Experian and Ponemon found that organizations are missing these items as part of forming these breach plans:</p>
<p>* Require mobile devices to be tested for security prior to connecting to networks or enterprise systems.</p>
<p>* Improve access and authentication practices to make sure that only the appropriate employees and contractors have access to its <a title="Glossary: Information System" href="http://healthitsecurity.com/glossary/information-system/">information systems</a> and promptly change access rights of employees and contractors when they change jobs or are terminated.</p>
<p>* Encrypt sensitive or confidential personal and business information stored on computers, <a title="Glossary: Server" href="http://healthitsecurity.com/glossary/server/">servers</a> and other <a title="Glossary: Storage" href="http://healthitsecurity.com/glossary/storage/">storage</a> devices.</p>
<p>* Routinely test and inspect the security of applications and operating systems.</p>
<p>* Monitor information systems for unusual or anomalous traffic that poses risks to the network and enterprise system.</p>
<p>* Establish a privacy and/or data protection awareness program for employees and other stakeholders who have access to sensitive or confidential personal information.</p>
<p>* Establish processes that will make it possible to determine who was affected by the breach so that there is no over-reporting or under-reporting the incident. Also, create processes that will restrict or limit <a title="Glossary: Disclosure" href="http://healthitsecurity.com/glossary/disclosure/">disclosure</a> of the incident prior to completing all required analyses and investigative steps.</p>
<p>* Improve the quality of communication with victims. This should include having an internal communications team trained to assist in responding to victims.</p>
<p>* Train customer service personnel on how to respond to questions about the data breach incident, verify that contact with each victim has been completed and have a process for receiving feedback from victims about the quality and responsiveness of the notification.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.hipaatext.com/study-indicates-healthcare-data-breach-preparedness-issues/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>How Physicians Can Prepare for Cybersecurity Attacks and Meet HIPAA Requirements</title>
		<link>http://www.hipaatext.com/how-physicians-can-prepare-for-cybersecurity-attacks-and-meet-hipaa-requirements/</link>
		<comments>http://www.hipaatext.com/how-physicians-can-prepare-for-cybersecurity-attacks-and-meet-hipaa-requirements/#comments</comments>
		<pubDate>Tue, 23 Apr 2013 16:04:42 +0000</pubDate>
		<dc:creator>Tabitha</dc:creator>
				<category><![CDATA[HIPAA News]]></category>

		<guid isPermaLink="false">http://www.hipaatext.com/?p=3901</guid>
		<description><![CDATA[April 22 2013, Featured on Physician News According to a recent study performed by the Ponemon Institute, nine out of 10 hospitals in the United States have suffered from an intrusion or data breach at some point in the last two years. As a result of dramatic changes in patient information management and security risks, today’s [...]]]></description>
				<content:encoded><![CDATA[<p>April 22 2013, Featured on Physician News</p>
<p>According to a recent study performed by the Ponemon Institute, nine out of 10 hospitals in the United States have suffered from an intrusion or data breach at some point in the last two years. As a result of dramatic changes in patient information management and security risks, <a href="http://www.nytimes.com/2013/03/21/business/kaiser-permanente-is-seen-as-face-of-future-health-care.html?pagewanted=all&amp;_r=1&amp;">today’s healthcare IT industry</a> has drastically transformed. Government regulation and technology advances have fueled explosive growth in creating and storing protected healthcare information (PHI). To prepare for the new threat landscape that is targeting patient data, healthcare organizations must understand the risks of noncompliance and how verified, secure, and cost-effective technologies will help meet Health Insurance Portability and Accountability Act (HIPAA) requirements.</p>
<p><strong>The Risks of Noncompliance</strong></p>
<p>The healthcare industry is well prepared for many types of emergencies and problems, according to the 2012 National Preparedness Report conducted by the Federal Emergency Management Agency. However, the same study found that by and large, healthcare providers are not ready to face a cybersecurity attack.</p>
<p>According to the report, cybersecurity “was the single core capability where states had made the least amount of overall progress.” Only 42 percent of state officials believed that they were adequately prepared. According to the same report, just under two-thirds of all U.S. companies have sustained cyberattacks over the past six years and, between 2006 and 2010, the number of reported attacks in the U.S. increased by 650 percent. At the Aspen Security Forum in May 2012, Keith B. Alexander, head of the <a href="http://www.nsa.gov/">National Security Agency</a> and the new United States Cyber Command, stated that the U.S. has seen a 17-fold increase in attacks against its infrastructure between 2009 and 2011.</p>
<p>In this tumultuous environment, compliance with HIPAA requirements is a top priority. Prior to 2009 and the signing of the Health Information Technology for Economic and Clinical Health (<a href="http://www.healthit.gov/policy-researchers-implementers/hitech-programs-advisory-committees">HITECH</a>) Act, there was a general consensus in the healthcare industry that HIPAA had not been rigorously enforced. Under HITECH, healthcare providers may now be penalized for “willful neglect” if they cannot demonstrate reasonable compliance with the Act. These penalties can extend up to $250,000, with fines for uncorrected violations of up to $1.5 million.</p>
<p>Under some circumstances, HIPAA’s civil and criminal penalties may also now include business associates. While an individual cannot sue a provider, the state attorney general may bring an action on behalf of state residents. Additionally, the U.S. Department of Health and Human Services (HHS) is now required to conduct periodic audits of covered entities and business associates. This means that healthcare providers must have systems in place to monitor business practices and relationships to assure consistent security for all medical information.</p>
<p>In addition to these penalties, providers face significant risks to their business if information systems are accessible to attack. In the healthcare industry, such threats may take a variety of forms. The Kern Medical Center in Bakersfield, CA, was attacked by a virus that crippled its computer systems. The hospital took about 10 days to get doctors and nurses back online. During an attack on a Chicago hospital, a piece of malware forced the hospital’s computers into a botnet controlled by the hacker—and the hospital was still dealing with the consequences of the attack a year later. In addition, the DoD is facing a multi-billion-dollar lawsuit based on the theft of a computer tape containing unencrypted personal health information from an employee’s car. The Veterans Administration (VA) waged a two-year war against intrusions into medical device and wireless networks, including picture archiving and communication systems (PACS), glucometers and pharmacy dispensing cabinets.</p>
<p>By having secured management of medical information, patients will be protected against identity theft. At the same time, information needs to be made available quickly when needed, such as to emergency personnel. The resulting benefits are critical for keeping the business competitive:</p>
<ul>
<li>Better quality of care for the patient</li>
<li>Improved patient outcomes</li>
<li>Increased productivity and workflow efficiency</li>
<li>Better information at the point of care</li>
<li>Improved and integrated communications between doctors and patients</li>
</ul>
<p><strong>Encryption as the Key to Compliance</strong></p>
<p>Encryption tools convert the information in a file or document into an unreadable format before being sent, and then decrypt the content at the other end so authorized personnel can use it. To meet the HITECH Act requirements, encryption must be implemented within both the main service provider network and its associated partner networks. Successful use depends upon the strength of the encryption algorithm and the security of the decryption “key,” or process, when data is in motion (moving through a network, including wireless transmission) or at rest (in databases, file systems, or other structured storage methods).</p>
<p>To achieve compliance with the HIPAA standard, healthcare providers are increasingly turning to verified, certified network security products and architectures. The HHS recommends products certified by the Federal Information Processing Standard (FIPS) 140-2 encryption standard to protect healthcare data. Already mandated by the U.S. Department of Defense (DoD) for encryption, FIPS 140-2 is a powerful security solution that reduces risk without increasing costs.</p>
<p>According to the Federal Information Processing Standards Publication, FIPS-140 is “applicable to all agencies that use cryptographic-based security systems to protect sensitive information in computer and telecommunication systems (including voice systems) as defined in Section 5131 of the Information Technology Management Reform Act of 1996, Public Law 104-106.”</p>
<p>Fully FIPS-140 compliant technologies provide organizations with a security level that will remain compliant even after 2030, unlike older cryptographic systems.</p>
<p><strong>Instilling a New Level of Confidence</strong></p>
<p>Organizations with completely closed networks that have no outside access may not be required to implement encryption, but they will need to thoroughly document their justification for not doing so. However, closed networks these days are almost nonexistent—any office at least has Internet access. With increased use of electronic transactions in healthcare, including e-prescribing and electronic communication, most medical organizations are using open systems and need to implement encryption tools.</p>
<p>Technology vendors can easily assert that a system is secure by claiming that it uses the highest encryption technologies available.  However, given the public visibility of breaches of trust, there is no reason for organizations to risk the exposure with technology systems that do not meet the FIPS 140-2 standard for information encryption. Without this validation, the network’s cryptography function has demonstrated a less than 50 percent chance of being implemented correctly.  This means there is a 50 percent chance that cryptography can be subverted. The FIPS validation process gives healthcare providers a new level of confidence in the security of their critical data, allowing them to reduce risk without increasing costs.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.hipaatext.com/how-physicians-can-prepare-for-cybersecurity-attacks-and-meet-hipaa-requirements/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>10 Security Tips for Adapting to Healthcare BYOD</title>
		<link>http://www.hipaatext.com/10-security-tips-for-adapting-to-healthcare-byod/</link>
		<comments>http://www.hipaatext.com/10-security-tips-for-adapting-to-healthcare-byod/#comments</comments>
		<pubDate>Tue, 23 Apr 2013 15:57:31 +0000</pubDate>
		<dc:creator>Tabitha</dc:creator>
				<category><![CDATA[HIPAA News]]></category>

		<guid isPermaLink="false">http://www.hipaatext.com/?p=3896</guid>
		<description><![CDATA[April 19 2013, Bill Ho (Featured on HealthITSecurity) One of the main challenges of healthcare BYOD security lies in the dual-use nature of mobile devices. A stolen or lost physician’s laptop will probably already have security measures built in, such as whole disk encryption and authentication requirements, but smartphones and tablets, especially personal devices, often eschew these added layers of protection in favor [...]]]></description>
				<content:encoded><![CDATA[<p>April 19 2013, Bill Ho (Featured on HealthITSecurity)</p>
<p>One of the main challenges of healthcare <a title="Glossary: BYOD" href="http://healthitsecurity.com/glossary/byod/">BYOD</a> security lies in the dual-use nature of mobile devices. A stolen or lost physician’s laptop will probably already have <a title="Glossary: Security Measures" href="http://healthitsecurity.com/glossary/security-measures/">security measures</a> built in, such as whole disk <a title="Glossary: Encryption" href="http://healthitsecurity.com/glossary/encryption/">encryption</a> and <a title="Glossary: Authentication" href="http://healthitsecurity.com/glossary/authentication/">authentication</a> requirements, but smartphones and tablets, especially personal devices, often eschew these added layers of protection in favor of ease of use, simplicity and quick access.</p>
<p>One of the biggest dangers of BYOD is the latest crop of Dropbox-style synchronization applications. By poking a hole in an institution’s security fabric to synchronize files to mobile devices, the physician is potentially creating a new channel through which confidential patient information could leak. Many healthcare institutions have decided to shut off access to these synchronization tools until there’s a way to manage them as hospital applications with centralized control, granular permission and integration with established authentication services.</p>
<p>How can you prepare your healthcare organization to handle these additional security risks? What steps should you take to extend your current network security to cover these mHealth security holes? Mobile devices are simply the latest vector to threaten hospital security, but there are remedies to these threats that will satisfy both IT groups and healthcare practitioners. The following 10-point list will help you think about the framework for a BYOD policy that can help you meet your HIPAA and <a title="Glossary: Protected Health Information" href="http://healthitsecurity.com/glossary/protected-health-information/">protected health information</a> (PHI) security requirements.</p>
<p><strong>1. Examine and update security policies.</strong> Review your current security policies for web applications (customer relationship management (CRM), email, <a title="Glossary: Portal" href="http://healthitsecurity.com/glossary/portal/">portals</a>), virtual private network (VPN) and remote access. Most will apply to mobile devices as well.</p>
<p><strong>2. Determine devices you want to support.</strong> Not every device will meet the security requirements of your organization and you don’t want to have to test all possible platforms. Also, physically inspect devices to make sure they haven’t been jail-broken or rooted.</p>
<p><strong>3. Set expectations clearly.</strong> Instituting proper security protocols may mean IT has to change physician mindsets. Security adds additional layers for an organization to work with, but this is a small inconvenience when compared to the potential harm caused by a security breach.</p>
<p><strong>4. Write clear and concise policies.</strong> This should happen for all employees who want to use their personal devices. Everyone participating in BYOD should sign a terms of use agreement. Those who choose not to follow policy should not expect to use their device.</p>
<p><strong>5. Create a Personal Identification Number (PIN).</strong> Make a PIN (or other client authentication) mandatory. This is the first line of defense against a lost device.</p>
<p><strong>6. Enforce data encryption at rest. </strong>Any applications downloading and storing data on a BYOD device should protect that data. If a PIN or passcode is cracked, you want to make sure that data is still protected.</p>
<p><strong>7. Decide on application availability.</strong> With many applications available, which do you permit? Are there specific applications or a class of applications you want to keep off the device? This can be difficult to achieve, but malware and rogue applications can cause serious damage without users realizing it.</p>
<p><strong>8. Provide training to physicians and hospital staff. </strong>Make sure they understand how to use their applications, make the most of their mobile capabilities and watch for suspicious activity.</p>
<p><strong>9. Search for applications with audit, reporting and centralized management capabilities.</strong> As mobile devices become information conduits, it’s important to have these. Applications with such features make it easier to trace any potential data breaches.</p>
<p><strong>10. Consider mobile device management software (MDM). </strong>MDM software can provide secure client applications like email and web browsers, over the air device application distribution, configuration, monitoring and remote wipe capability.</p>
<p>No single solution will solve all your BYOD issues, but a combination of policies, education, best practices and third-party solutions can help mitigate security concerns. By defining goals and setting up guidelines and policies, you can lay the foundation and flexibility you need to meet HIPAA and PHI security requirements.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.hipaatext.com/10-security-tips-for-adapting-to-healthcare-byod/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Eagle Hospital Physicians Case Study</title>
		<link>http://www.hipaatext.com/eagle-hospital-physicians-case-study/</link>
		<comments>http://www.hipaatext.com/eagle-hospital-physicians-case-study/#comments</comments>
		<pubDate>Fri, 19 Apr 2013 22:08:42 +0000</pubDate>
		<dc:creator>gina</dc:creator>
				<category><![CDATA[HIPAA News]]></category>

		<guid isPermaLink="false">http://www.hipaatext.com/?p=3885</guid>
		<description><![CDATA[Learn How Eagle Hospital Physicians Communicates with its Doctors]]></description>
				<content:encoded><![CDATA[
<h2><strong>Learn How Eagle Hospital Physicians Communicates with its Doctors</strong></h2>
<p><strong>Learn How Secure Texting Helped Eagle Hospital Physicians:</strong></p>
<ul>
<li>Improve workflow and daily efficiencies</li>
<li>Achieve HIPAA compliance with industry leading encryption</li>
<li>Eliminate call-backs and prioritize communication</li>
</ul>
<h4><strong>DOWNLOAD IT NOW:</strong></h4>
<p>Learn more about how to protect your office with our FREE Case Study.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.hipaatext.com/eagle-hospital-physicians-case-study/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Why Health Care Data is More Secure in the Cloud</title>
		<link>http://www.hipaatext.com/why-health-care-data-is-more-secure-in-the-cloud/</link>
		<comments>http://www.hipaatext.com/why-health-care-data-is-more-secure-in-the-cloud/#comments</comments>
		<pubDate>Mon, 15 Apr 2013 21:03:15 +0000</pubDate>
		<dc:creator>gina</dc:creator>
				<category><![CDATA[HIPAA News]]></category>

		<guid isPermaLink="false">http://www.hipaatext.com/?p=3863</guid>
		<description><![CDATA[(Featured on Information Management) Public cloud-based platforms are not good locations for health care data, correct? While that may sound right, turns out it’s wrong. As we begin to study security issues in general, we’re finding that cloud-based data storage systems are perhaps more secure than traditional on-premise systems. From both my personal experiences, as [...]]]></description>
				<content:encoded><![CDATA[<p>(Featured on Information Management)</p>
<p>Public cloud-based platforms are not good locations for health care data, correct? While that may sound right, turns out it’s wrong. As we begin to study security issues in general, we’re finding that cloud-based data storage systems are perhaps more secure than traditional on-premise systems. </p>
<p>From both my personal experiences, as well as published analyst reports that are beginning to emerge, I believe this to be true. I suspect that many health care CIOs are reconsidering their position on placing data within public clouds, while many others will continue to be respectfully paranoid. </p>
<p>The data is arriving. According to Alert Logic’s Fall 2012 State of the Cloud Security Report, the variations in the threat activity are not as important as where the infrastructure is located. The report finds that anything that can be possibly accessed from outside, whether enterprise or cloud, has equal chances of being attacked because attacks are opportunistic in nature.</p>
<p>The report further finds that Web application-based attacks hit both service provider environments (53 percent of organizations) and on-premise environments (44 percent of organizations). However, on-premise environment users or customers actually suffer more incidents than those of service provider environments. On-premise environment users experienced an average of 61.4 attacks, while service provider environment customers averaged only 27.8. On-premise environment users also suffered significantly more brute force attacks compared to their counterparts.</p>
<p>Clearly, there are myths out there that cloud computing is inherently less secure than traditional approaches. Those myths are prominent in the world of health care IT. Consider the nature of the data, and the laws and regulations that typically surround that data. The paranoia is due largely to the fact that the approach itself feels insecure, with your data stored on servers and systems you don’t own or control.</p>
<p>However, control does not mean security. As we’ve discovered in this report, and in incidents over the last several years, what matters is not where your data resides but how it is accessed. This is the case for both cloud-based systems and traditional enterprise computing.</p>
<p>The path to security in the cloud is not much different than the path to security for internal systems. Why do many cloud-based systems seem to actually do better in these studies? Typically more planning and technology goes into securing public cloud-based systems due to the assumption that security will be an issue. Internal systems may not get the same amount of planning and resources, and thus they can actually be more vulnerable. </p>
<p>All things considered, those running healthcare IT shops, and looking to move to cloud computing, should follow a well-defined path.</p>
<p>First, understand your security and governance requirements for a specific system and/or data store. In the world of health care, this typically means considering auditing, compliance, and other policies to ensure that your security approach lives up to the law, as well as best practices. Look at approaches to placing the data in tiers, from the lowest level of security to the highest level of security.</p>
<p>Second, understand that controlling access is much more important than the location of the data. Look at how the data is accessed, and look specifically at opportunities to breach. Again, most data breaches come from finding a vulnerability, whether the system is cloud-based or on-premise.</p>
<p>Finally, vulnerability testing is an absolute necessity, whether you’re testing the security of cloud-based or traditional systems. This goes well beyond security audits; it’s actual, physical testing, typically from an outside organization.</p>
<p>The use of cloud-based platforms to store health care data is something that seems unnatural for most of those who run IT shops in the health care vertical. However, the emerging data seems to push back on this notion, although most health care organizations should approach cloud computing with a clear security plan. If they do that, all will be well with placing data in the cloud.</p>
<p>This column originally appeared at Health Data Management.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.hipaatext.com/why-health-care-data-is-more-secure-in-the-cloud/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Torrance Memorial Medical Center uses Secure Text Messaging to Optimize Workflow, Coordinate Care</title>
		<link>http://www.hipaatext.com/torrance-memorial-medical-center-uses-secure-text-messaging-to-optimize-workflow-coordinate-care/</link>
		<comments>http://www.hipaatext.com/torrance-memorial-medical-center-uses-secure-text-messaging-to-optimize-workflow-coordinate-care/#comments</comments>
		<pubDate>Thu, 11 Apr 2013 00:23:32 +0000</pubDate>
		<dc:creator>gina</dc:creator>
				<category><![CDATA[HIPAA News]]></category>
		<category><![CDATA[secure text messaging]]></category>

		<guid isPermaLink="false">http://www.hipaatext.com/?p=3860</guid>
		<description><![CDATA[By Nora Haile, Contributing Editor California Healthcare News You’re running late so you text a heads-up to the person you’re meeting. Your project team texts constantly and keeps the instant messaging system chiming with exchanges. It’s only natural that doctors and medical staff want the same convenience and immediacy to coordinate patient care. The issue? [...]]]></description>
				<content:encoded><![CDATA[<p>By Nora Haile, Contributing Editor</p>
<p>California Healthcare News</p>
<p>You’re running late so you text a heads-up to the person you’re meeting.  Your project team texts constantly and keeps the instant messaging system chiming with exchanges. It’s only natural that doctors and medical staff want the same convenience and immediacy to coordinate patient care. The issue? Risk to privacy and security of patient personal health information (PHI).</p>
<p>As covered entities, hospitals are under scrutiny to assure compliance with HIPAA and HITECH Rule requirements. Yet the tried-and-true pager is antiquated and non-conducive to optimal workflow in a busy hospital, and the inevitability of mobile device use is apparent to all. Health and Human Services (HHS) has recently rolled out a mobile education initiative to help physicians and healthcare organizations reduce risk and protect patient PHI when using mobile devices.</p>
<p>The potential for more efficient workflow and the need to reduce the pager response bottleneck are what led Torrance Memorial Medical Center to TigerText, a fully encrypted, SaaS platform for secure text messaging. Torrance Memorial is using the application among physicians and case managers in Torrance Memorial Hospitalist Associates (TMHA), which handles close to 50% of all the patients in the hospital and treats up to 140 patients per day. Dr. Alexander Shen, the TMHA Medical Director, elaborates on a primary reason behind the switch to secure text messaging, “The triage of importance when a physician receives up to six pages at a time becomes not just a day-to-day problem, but also an hour-to-hour one. With a pager system, there’s no way to tell what is a true emergency and what could wait a couple of hours. We’d decided that if TigerText could work for our hospitalist group, it could work house-wide.”</p>
<p>People use mobile devices every day for every facet of their lives. But as Brad Brooks, CEO of TigerText, says, “You have nurses, doctors, caregivers all naturally gravitating towards text messaging via their mobile for daily communication in their workflow. All the content lives on their phones, which creates all types of risks for PHI exposure. So we address HIPAA compliance and recipient authentication, two key concerns for the healthcare industry.”</p>
<p>Communication ease is facilitated through integration of the organization’s active directory into the application, so users don’t have to know the mobile number of the person they’re contacting – it can only go to the intended recipient. Because it’s internal (intranetwork), the exchange happens at a speed similar to instant messaging. Delivery and “read” confirmations let the sender know what happened and when, providing reassurance and reducing disruption. Brooks says, “Our aim is to help create efficiency in their workflow and improve physicians’ ability to respond quickly, with priority channels, while also reducing risk of unintended PHI disclosure. The platform is as simple to use as a regular text message, yet the message stays encrypted during transit and at rest.” An organization can also set a limited lifespan for messages, which means they are wiped from a mobile device after a specific period of time. The message remains within the organization’s server for records and historical purposes.</p>
<p>According to Shen, TigerText came out ahead of other vendors because their interface has proven friendlier, plus, “We talked to larger vendors, but none of them offered a pilot-style program that would let us get proof of concept down before adopting it house-wide. We’ve been able to roll it out within our hospitalist group, then to the nurses and now are going house-wide.”</p>
<p>TMHA has also been able to streamline, and will eventually eliminate the “tether” effect of multiple communication devices (pagers, landlines, answering services) and reduce to one device. TigerText has worked with them toward complete elimination of the pager device by implementing a pager-type application feature that forwards directly to the texting application on the mobile device.</p>
<p>A voicemail transcription feature sends voice messages as a text, with an audio file attachment. There are multiple options and modes for sending a message, whether dialing a number or sending from another secure device.  The non-intrusive nature of the application has proven popular with doctors. As Shen says, “Because we’re not playing phone tag, we are more accessible to the patients who are in front of us, yet can be truly responsive to inquiries from other doctors and medical staff while easily prioritizing care needs.” Traditional modes of contact are all covered with one secure SaaS. “We gain workforce efficiency and secure messaging, all without our doctors, nurses and other medical staff learning a completely new system or communication method.”</p>
]]></content:encoded>
			<wfw:commentRss>http://www.hipaatext.com/torrance-memorial-medical-center-uses-secure-text-messaging-to-optimize-workflow-coordinate-care/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Technology Fosters HIPAA Compliance and Data Breach Prevention</title>
		<link>http://www.hipaatext.com/technology-fosters-hipaa-compliance-and-data-breach-prevention/</link>
		<comments>http://www.hipaatext.com/technology-fosters-hipaa-compliance-and-data-breach-prevention/#comments</comments>
		<pubDate>Mon, 08 Apr 2013 23:50:55 +0000</pubDate>
		<dc:creator>Tabitha</dc:creator>
				<category><![CDATA[HIPAA News]]></category>

		<guid isPermaLink="false">http://www.hipaatext.com/?p=3852</guid>
		<description><![CDATA[April 5 2013, Don Fluckinger (featured on SearchHealthIT) After compiling and publishing data for the Ponemon Institute LLC&#8217;s Third Annual Benchmark Study on Patient Privacy &#38; Data Security, the researchers realized in addition to the growing awareness of data breaches, health care organizations could use help building best practices for preventing breaches and securing information. Toward that [...]]]></description>
				<content:encoded><![CDATA[<p>April 5 2013, Don Fluckinger (featured on SearchHealthIT)</p>
<p>After compiling and publishing data for the Ponemon Institute LLC&#8217;s <i>Third Annual Benchmark Study on Patient Privacy &amp; Data Security,</i> the researchers realized in addition to the growing awareness of data breaches, health care organizations could use help building best practices for preventing breaches and securing information.</p>
<p>Toward that end, based on the responses of the more than 400 respondents spanning 80 different health care organizations detailing how they approach privacy and security in health IT &#8212; or, in some cases, don&#8217;t approach it &#8212; Larry Ponemon, Ponemon Institute founder, and study sponsor Rick Kam, president and cofounder of health IT security consultancy ID Experts, developed advice for building compliance with the Health Information Portability and Accountability Act (HIPAA) in general and addressing patient data breach prevention specifically.</p>
<ol type="">
<li><b>Increase compliance and IT security budgets, and change your organization&#8217;s outlook today. </b>Three out of five health care organizations don&#8217;t have the budget to operationalize data breach prevention. Breaches are perceived as occasional disasters instead of daily incidents that can be stopped through prevention-minded vigilance implemented through policy, training and technology to support them. Increasing the emphasis can effect change from the top leadership levels.</li>
<li><b>Understand and take strides to correct medical identity theft</b>. The study defined it as &#8220;the theft of a patient’s health credential to obtain medical treatment, services and products (devices).&#8221; It happened 1.85 million times in the U.S. in 2012, according to Kam. Unlike financial data theft, medical identity theft can affect a person&#8217;s health and safety when incorrect data is intermingled with actual clinical data &#8212; and by definition, every medical identity theft begins with a data breach. Offer some sort of monitoring and protection for patients who fall victim to it. Of the organizations surveyed, 75% do not offer protection, although most were aware medical identity theft happens.</li>
<li><b>Emphasize pre-breach prevention as well as post-breach response. </b>Such a mindset among employees will be reinforced by developing metrics to measure how well patient information is being protected, and reporting to the board of directors on progress toward improving it, with one board member accountable for privacy and security. Doing so will make privacy and security compliance top-of-mind for employees instead of buried somewhere in a host of other compliance or IT initiatives.</li>
<li><b>Make privacy assessments and data security risk assessments separate annual events. </b>In the HITECH Act era, during which health care organizations are bringing new applications online and using new business associates for IT support (such as cloud vendors), it&#8217;s not only a good idea, it&#8217;s the law.</li>
<li><b>Update policies and procedures </b>to include mobile devices, health information exchange and cloud usage. Ponemon&#8217;s study revealed that in the absence of strong policy, employees will use potentially unsecured, free Web services to share patient data and make it accessible on their mobile devices. They&#8217;re convenient, yes, but unlikely to be HIPAA-compliant.</li>
<li><b>Keep incident response plans up-to-date. </b>That means testing them, too, on a regular basis.</li>
<li><b>Conduct a mock HIPAA compliance audit. </b>That way you&#8217;ll be ready if your organization is audited in the <a href="http://searchhealthit.techtarget.com/tip/Tune-up-privacy-compliance-for-coming-federal-HIPAA-audits">federal program piloted in 2012 and set to go live in 2013.</a> Not only will it serve as a dress rehearsal for when the auditors show up unannounced, Kam said, but &#8220;more importantly, it will force a lot of the right questions to be asked of the management team so they can focus their efforts on where to spend [their energies] on risk mitigation strategies.&#8221; A former auditor himself, Ponemon concurred, adding that audit programs in general force a higher level of accountability that might not already be present in organizations, because they create real consequences for policy noncompliance.</li>
</ol>
]]></content:encoded>
			<wfw:commentRss>http://www.hipaatext.com/technology-fosters-hipaa-compliance-and-data-breach-prevention/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
