Author: Matt Ferrari
Chief Technology Officer
Use of mobile devices brings benefits, as well as vulnerability to PHI breaches
The use of mobile technology in healthcare organizations has provided a significant boost for clinician acceptance of information technology. More facilities see the trend toward “bring your own device,” or BYOD, as a force for improving care delivery. BYOD programs enable clinicians to use their own personal devices, such as smartphones, notebooks or tablets, to access a hospital’s clinical information systems, either within a hospital’s walls or offsite.
However, a BYOD approach also involves security risks. Patient information can be accessed if a clinician’s mobile device is lost or stolen. Many healthcare organizations have been cited for violating HIPAA security rules when a user’s device containing patient health information has been lost, and fines for these violations can total millions of dollars.
The best way for a healthcare provider to mitigate BYOD-related security risks is to use virtual desktop infrastructure (VDI). This approach enables clinicians to use mobile devices or other types of thin clients to access files, data and applications that are hosted on remote servers. VDI is a proven way to quickly and securely deliver applications and provide access to healthcare systems, enhancing a user’s experience and cutting costs. Cloud-based VDI has emerged as an attractive alternative to hosted on-premise VDI implementations.
Advantages of Cloud-based VDI
Until recently, most healthcare organizations hosted their own IT infrastructure, including client/desktops. While giving organizations control over their infrastructure, applications and information, this approach is expensive to install, manage and upgrade.
On-premise VDI eliminates much of the work the need to manage patches, upgrades and security for endpoint devices. In some cases it also extends the life of those assets since users don’t need the latest and greatest computing devices to work in a VDI environment. Yet IT is still responsible for managing the infrastructure itself – including security, which is critical in healthcare.
To save time and cost, many organizations have migrated to a cloud-based VDI – specifically Desktop-as-a-Service (DaaS) – as an attractive alternative to hosted on-premise VDI implementations. By placing VDI in the cloud, a service provider takes on the responsibility for all operational requirements, including management and maintenance of the VDI infrastructure. Thin clients are used to connect end-users to all cloud-based services.
VDI Enhances Security with BYOD
A cloud-based VDI approach typically is sufficient to mitigate security risks inherent in a BYOD approach. Moving the client/desktop infrastructure to the cloud places all patient information behind a password-protected firewall. Healthcare data, however, must have additional security in order to meet the requirements of the Health Insurance Portability and Accountability Act (HIPAA). Healthcare organizations considering a move to a cloud-based VDI should ensure that the security measures provided by the partner meet HIPAA requirements.
Additional security considerations include:
- Encryption – Adding another layer of protection to patient information. Encrypting hospital- managed data while in motion over the network or at rest in the data center protects the information from all unauthorized personnel.
- Multi-factor authentication – Rather than require a simple username and password, multi-factor authentication requires the presentation of two or more of the three authentication factors: a knowledge factor (something the user “knows”), a possession factor (something the user “has”), and an inherence factor (something the user “is”). After presentation, each factor must be validated by the other party for authentication.
- Role-based delivery of information – Depending on a person’s role within the healthcare environment, only certain patient information is accessible.
With such security measures in place, VDI can improve end user security without IT having to secure each individual device. Consider that protected health information (PHI) that is downloaded to a mobile device is at high risk of exposure. For example, if a mobile device containing patient data is lost or stolen, the information is compromised. Breaches of this type must be reported to federal agencies, and are very costly in terms of reputation and money.
With cloud-based VDI, when clinicians use their own devices – thin clients, notebooks, tablets or smartphones – they click on a desktop icon and instantaneously receive a virtual desktop running in the cloud. PHI is kept safe behind the data center firewall, and organizations are able to more easily meet compliance requirements.
The enablement of BYOD in healthcare is a major force in encouraging clinician use of digitized health information. The use of cloud-based VDI can play a key role in increasing provider productivity and helping to rein in IT department expenses, while mitigating growing risks of HIPAA violations and other regulatory compliance concerns.
About the author
Matt Ferrari is Chief Technology Officer, ClearDATA. ClearDATA is the healthcare industry leader in cloud computing, platform and information security services. More than 300,000 healthcare providers rely on ClearDATA’s secure, HIPAA-compliant cloud infrastructure to store, manage and protect their patient health information and critical applications. For more information on ClearDATA’s HIPAA compliant cloud infrastructure, call (888) 899-2066 or visit www.cleardata.com.