In Data Breaches in Healthcare: The New Plague, Part 2, we took a look at the value of the Electronic Health Record (EHR) and how one record goes for about $100 on the black market; way more than a stolen social security number or credit card number, which only earn $1 each. We also talked about some of the more progressive healthcare operations when it comes to security and privacy of patient records.
Now that we’re finally getting knowledgeable about securing patient records electronically, next comes the mobile movement. It is estimated that by 2020, 70% of the world’s population will own a smartphone and more than 1.2 billion tablets will be in use. The world is becoming increasingly connected and a growing number of high-value transactions and exchanges of information are moving from traditional paper environments to electronic transactions. This will be no different for the healthcare industry. Patient records will be maintained electronically, medical staff will use tablets to more easily move between patient rooms and when on remote calls.
The identification badge, with certificate-based PKI authentication is still one of the most reliable methods to secure healthcare workers, providing logical, physical and visual identification, it ensures protection of private records and unauthorized access. In addition a physical badge can be implemented in such a way to provide a ”follow me desktop” solution. Sunrise Health Region in Saskatchewan, Canada, implemented such a solution with great success. The healthcare worker inserts the badge into the card reader to start a session on the terminal and to view patient records. As soon as the credential is removed from the reader, the session is closed and the patient information is no longer visible, helping with HIPAA (Health Insurance Portability and Accountability Act of 1996) compliance. According to international HIPAA standards, leaving an unattended open workstation is a violation. Read more about physical and logical access control.
But what happens when considering mobile devices. It can be difficult to extend the same security solution to tablets and smartphones that don’t have USB or smart card slots. Many times security standards are relaxed or ignored for mobile users because solutions are limited for many devices, which is exactly what can’t happen when considering the confidential nature of healthcare records and patient privacy.
For healthcare organizations that already use a smart card badge or smart token, implementing a wireless solution would allow healthcare workers to use their existing smart cards with any mobile device. Bluetooth is the only connectivity channel implemented across different endpoints, so it would be able to authenticate on any device. For example, the healthcare worker would simply pair the badge holder with their mobile device, much like the process to pair a mobile phone in a Bluetooth-enabled vehicle. Once the devices are paired, the smart card will be recognized and processed, just as when the smart card is inserted into an internal reader on a laptop. Read more about MobilePKI.
By providing a Bluetooth solution, healthcare organizations can expand the protection of PKI, while allowing doctors and nurses the freedom of anywhere, anytime convenience of mobile. In addition to providing a second factor of authentication, PKI using Bluetooth enables employees to digitally sign sensitive documents, such as ePrescriptions.
Bluetooth Low Energy badge holders and tokens are a viable solution that healthcare organizations can easily implement into a current badge ecosystem and address the need for balance between security and mobility.
Hopefully you have enjoyed this blog series. To learn more about data breaches in healthcare, please download Top 10 Things You Should Know About Healthcare IT Security to use for a quick review.