I was recently at a dinner party with a physician friend. Partway through the meal, he received a text message regarding a pressing patient situation. He briefly excused himself to address the text. When he returned, I jokingly inquired if he was using a HIPAA compliant secure app to communicate with his team. He laughed and showed me his device screen which had a long text conversation on iMessage.
There are two major issues with how this scenario played out. The first, and foremost, is that the data was relayed through an unsecured app on an unmanaged personal device. Cybercriminals are becoming more sophisticated every day, and data that is supposed to be HIPAA compliant is no exception to what they go after. The second issue is that the physician didn’t seem to think this was a big deal. With physicians so busy all over the country, it makes you wonder how much non-HIPAA-compliant healthcare data is being transmitted every day.
There is often a fundamental break in the communication between IT leaders and physicians. Many hospitals and clinics have done the leg work to put secure clinical communications apps in place, but often the solutions simply aren’t being adopted and iMessage or WhatsApp prevails.
There are two risky scenarios we often see play out with physicians. If IT leaders explained these scenarios clearly and consistently, physicians would likely take note and then take further action to secure patient data.
The Shared Family Device
The first, very common scenario we see is that somebody (in this case a physician) may have the same Apple ID for their personal device and shared family iPad or iMac. Both devices sync to the same iMessage account – which might be used for sending or receiving confidential medical data. Conversations a physician may be having with staff about a patient are appearing not only on the physician’s phone but also on the family iPad.
Corporate Credentials on a Personal Device
Most physicians use a personal device for both professional and personal communication. Who can blame them? No one likes carting around multiple devices. But in many cases, these personal devices are not managed and not secured.
The larger problem arrives when they go to the app store and download a public app like Teams or Outlook using their personal Apple ID. Now they have an unmanaged app on an unmanaged device that may or may not have malware or spyware. Of course, the next thing doctors do is sign in with their sacred work credentials. If that password gets compromised, the healthcare provider is vulnerable to a breach.
Accepting Personal Devices as Work Devices
It’s important that we, as IT professionals, recognize the use of personal devices at work, especially in healthcare. There is no point in denying it, it is what it is. We need to be proactive in communicating the risks but more importantly, we need to put appropriate safeguards in place and then communicate effectively.
I recommend using the App Protection Policies and Mobile Device Management capabilities available in Microsoft Intune. This is the best solution in the industry, hands down.
This solution, paired with effective communication, is key. We need to get really good at explaining the policies that protect patient data whilst respecting the privacy of the device owner. Good communication is a never-ending process, not an event.
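To make the recommendation concrete, here is an added example of what an Intune App Protection Policy for the two scenarios above can look like. This is not code from the original post or from Microsoft; it is an illustrative request body for the Microsoft Graph `iosManagedAppProtection` resource (the `POST /deviceAppManagement/iosManagedAppProtections` endpoint), using property names from that resource. The display name, PIN lengths, time periods and OS version are assumed values chosen for the example, and the policy still has to be targeted at the Outlook and Teams apps and assigned to a user group, which is done separately.

```json
{
  "@odata.type": "#microsoft.graph.iosManagedAppProtection",
  "displayName": "Clinical apps on personal iOS devices (example)",
  "description": "Keeps patient data inside managed apps on unmanaged, personally owned devices",

  "allowedOutboundDataTransferDestinations": "managedApps",
  "allowedInboundDataTransferSources": "managedApps",
  "allowedDataStorageLocations": ["oneDriveForBusiness", "sharePoint"],
  "saveAsBlocked": true,
  "dataBackupBlocked": true,
  "contactSyncBlocked": true,
  "printBlocked": true,
  "managedBrowserToOpenLinksRequired": true,

  "organizationalCredentialsRequired": true,
  "pinRequired": true,
  "minimumPinLength": 6,
  "simplePinBlocked": true,
  "maximumPinRetries": 5,
  "appDataEncryptionType": "whenDeviceLocked",

  "periodOfflineBeforeAccessCheck": "PT12H",
  "periodOfflineBeforeWipeIsEnforced": "P30D",
  "minimumRequiredOsVersion": "16.0",
  "deviceComplianceRequired": true
}
```

The first group of settings addresses the shared family device: with outbound transfer limited to managed apps and backup blocked, a message or attachment opened in Teams or Outlook cannot be copied, shared or saved into iMessage, Photos or an iCloud backup, so it does not follow the physician’s Apple ID onto the family iPad. The second group addresses work credentials on a personal device: access to the app requires the organizational account plus a separate app PIN, and the app’s data is encrypted independently of whatever the rest of the phone does. The last group limits how long a device can stay offline before the policy is re-checked and corporate data is wiped, without touching the owner’s personal apps or photos. None of this stops a physician from typing a patient update into iMessage by hand; getting the conversation into the secure app in the first place is the communication work described above.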
If physicians have secure solutions that are not cumbersome to use and don’t invade their personal privacy, we find that they are very receptive. In the situation with my physician friend at the dinner party, if he had more awareness of the risk, and the option of using a secure app, I’m sure he would have chosen the secure app rather than iMessage.
Patients have entrusted their most personal information to their providers. IT leaders and physicians need to band together to ensure that trust is not broken.
Contact us to learn more!