over its configuration. It must therefore be assumed that the device is inherently insecure. Likewise, because the device is owned by the end user and is designed for mobility, it is unlikely that the organization will be able to continuously track the device's whereabouts as HIPAA expects. HIPAA imposes some strict requirements for workstations, and at first it might seem as though these requirements would rule out mobile devices altogether. With careful planning, however, it is possible to let users reach data from their mobile devices while still maintaining HIPAA compliance.

Read the Fine Print

At first glance, the biggest barrier to mobile device usage appears to be the requirement to track the whereabouts of such devices. However, the requirement applies only to devices that contain electronic protected health information (ePHI). In other words, you can avoid the device tracking requirement by never storing ePHI directly on mobile devices (which you should not be doing anyway). Any computing device that is used to access electronic health records must be configured securely, and if a computing device stores ePHI then its whereabouts must be tracked.

One of the easiest ways to accomplish this is to treat mobile devices as remote desktop clients. Rather than installing software or storing data on the mobile device, the device establishes a Remote Desktop Protocol (RDP) session with a computer on your network. That way, all of the ePHI remains on a system that has been adequately secured and shown to be HIPAA compliant. Note that this only holds if the session itself is configured not to leak data: if clipboard, drive or printer redirection is left enabled, the RDP session becomes a channel for copying ePHI onto the device. This technique works particularly well if your organization uses virtual desktop infrastructure (VDI). In a VDI environment, users can reach their regular desktops directly from their mobile devices.


Image © Boroboro, Kirill_M, Palsur, Štepán Kápl / Fotolia. Connection/Healthcare IT, 2012 Q3, page 19.


Scrutinize Security

The other major requirement that must be addressed is device security. HIPAA requires various safeguards for any device that accesses electronic patient data, including policies for disposal, backup, encryption, and more. Because the mobile devices belong to the end users, you cannot assume anything about a device's overall security.

There are two main things that can be done to address the HIPAA security requirements. First, make sure that users who connect mobile devices to your systems are not relying on single sign-on or on credentials cached on the device. In the interest of security, users should be required to enter their full credential set manually each time they connect to the organization's computers; otherwise a lost or borrowed phone with a saved password grants whoever holds it a ready-made session.

The second is to take measures to encrypt the user's session. There are several ways in which this can be accomplished. The easiest is probably to force mobile device users to attach to your network through a VPN. If your organization has a wireless network, that network should be treated as an insecure medium. This means setting up a virtual private network (VPN) specifically for your wireless network as a way of guaranteeing that all wireless traffic is encrypted (beyond the link-level encryption provided by Wi-Fi) and authenticated.

Allowing users to access healthcare systems through their personal wireless devices, while still maintaining HIPAA compliance, is a tall order. Even so, it is not impossible. Implementing a secure connective infrastructure and avoiding device-level data storage can go a long way toward making mobile device access feasible.
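The remote desktop approach described above and the rule that users re-enter their credentials on every connection both come down to how the session host is configured. The PowerShell script below is an added example, not code from the article or its author: it applies the Remote Desktop Services policy values on a Windows session host that block redirection of data to the client, require TLS and Network Level Authentication, force a password prompt on every connection, and end abandoned sessions. It assumes it is run elevated on the session host and that no domain Group Policy already manages these values (a GPO would overwrite them at the next refresh); the time-out values are illustrative choices.

```powershell
# Added example (not from the article): harden a Windows RDP session host so that
# an ePHI session can be viewed from a personal mobile device without ePHI ever
# landing on that device. The values are the registry equivalents of the
# "Remote Desktop Services" Group Policy settings. Assumptions: run elevated on
# the session host; no domain GPO already manages these values.

$Policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
if (-not (Test-Path $Policy)) { New-Item -Path $Policy -Force | Out-Null }

$Settings = @{
    # --- keep ePHI on the session host: close every channel that can copy data out ---
    fDisableCdm          = 1        # no client drive redirection ("save to my phone")
    fDisableClip         = 1        # no clipboard redirection
    fDisableCpm          = 1        # no client printer redirection
    fDisableLPT          = 1        # no LPT port redirection
    fDisableCcm          = 1        # no COM port redirection
    fDisablePNPRedir     = 1        # no plug-and-play device redirection
    # --- every connection is authenticated and encrypted ---
    UserAuthentication   = 1        # require Network Level Authentication before a session starts
    SecurityLayer        = 2        # TLS for the RDP transport, not the legacy RDP security layer
    MinEncryptionLevel   = 3        # "High": 128-bit encryption in both directions
    # --- no cached single sign-on: the user types the full credential every time ---
    fPromptForPassword   = 1        # always prompt for password on connection
    # --- abandoned phone sessions do not stay open (illustrative values, milliseconds) ---
    MaxIdleTime          = 900000   # 15 minutes idle before the session is disconnected
    MaxDisconnectionTime = 300000   # 5 minutes disconnected before the session is ended
}

foreach ($name in $Settings.Keys) {
    Set-ItemProperty -Path $Policy -Name $name -Value $Settings[$name] -Type DWord
}

# Verify by reading every value back and reporting any that did not take effect.
$bad = foreach ($name in $Settings.Keys) {
    $actual = (Get-ItemProperty -Path $Policy -Name $name -ErrorAction SilentlyContinue).$name
    if ($actual -ne $Settings[$name]) {
        '{0}: expected {1}, found {2}' -f $name, $Settings[$name], $actual
    }
}
if ($bad) { Write-Warning ($bad -join "`n") } else { Write-Host 'RDP session-host policy applied.' }
```

New connections pick up the policy values; restart the Remote Desktop Services service (or reboot) if you want to be certain existing listeners have re-read them. In a VDI deployment the same settings belong in the Group Policy object that targets the desktop pool rather than being applied to each host by hand, and the VPN the article recommends sits in front of this: it decides which devices can reach the RDP listener at all, while these settings decide what a session may do once it is there.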


ABOUT THE AUTHOR

Brien Posey is a technical writer who has authored and contributed to nearly three dozen IT books and thousands of technical articles. Prior to becoming a technical writer, Posey served as a network administrator and as CIO for a national chain of hospitals and healthcare facilities.

