Guest post by Chris Strammiello, vice president global alliances and strategic marketing, Nuance Communications.
Every healthcare IT professional is already thinking about mobility and security in general, but not all consider their relation to document management. A single piece of paper could contain immeasurable amounts of sensitive data and even protected health information (PHI) that, if somehow found in the wrong hands, could present major HIPAA violations. So, how will document imaging impact healthcare technology?
The Mobile Game-Changer
As healthcare organizations transition their processes from paper to electronic workflows, mobile device use will increase. From patient registration to discharge and beyond, mobile technology simplifies patient communication via e-prescriptions, online scheduling and automated appointment reminders.
Productivity-enhancing capabilities like barcode scanners, e-forms and e-signatures also benefit practitioners by improving on-the-ground access to clinical documents and reducing manual document handling. Plus, mobile devices can curb printing costs through the implementation of pull printing, which holds a print job on a server until the user authenticates its release at the output. Ultimately, for the patient, all of these advantages translate into more time for quality interactions with their doctor; for the hospital, significantly streamlined processes and lower costs.
We also expect to see an increased use for mobile devices in medical instrumentation. Take, for example, the advancements brought to speech therapy with the utilization of a tablet’s microphone during a session. Previously, patient testing would have been done with a much larger and more complex device that would produce less data about the quality, pitch and frequency of the voice. Not only are mobile devices simplifying day-to-day workflow within the healthcare industry, but they will also revolutionize the actual healthcare practice.
Smarter, Simpler and Even Spoken Security
Alas, as with all technological advancements, security remains an essential question mark. Unfortunately, the smartphones, tablets, laptops and even multifunction printers (MFPs) that increase access to patient information are also some of the biggest security vulnerabilities in EHR implementations. In fact, theft or loss of portable and unencrypted devices is the leading source of reported HIPAA data breaches and fines. Even further, as the U.S. Department of Health and Human Services now defines office copiers and printers to be actual workstations, IT professionals must secure them in the same way they do computers.
With all this in mind, both physical and technical safeguards must and will be improved in the near future, starting with the embrace of solutions that provide two-factor authentication. Commonly used in financial services, two-factor authentication combines a password with something you know, like the answer to “What is your mother’s maiden name?”, or something you have, like a fingerprint. We can expect such biometrics, including voice commands, to be more commonly used as a second authentication factor in the near future. Long gone are the days of scanning your ID card to credential a print release – users will simply speak to the printer to verify who they are.
Guest post by Chris Strammiello, Vice President of Global Alliances & Strategic Marketing, Nuance.
The growing use of smart devices at the point of care exacerbates the dual, yet contradictory, challenges confronting hospital IT directors and compliance officers: Making patients’ health information easier to access and share, while at the same time keeping it more secure.
A major problem is that there are just too many touch points that can create risk when sharing protected health information (PHI) inside and outside of the hospital. In addition to securing communications on cell phones, tablets and laptops, these tools can send output to smart multi-function printers (MFPs) that not only print, but allow walk-up users to copy, scan, fax and email documents. This functionality is why the Office of the National Coordinator for Health Information Technology now defines MFPs as workstations where PHI must be protected. These protections need to include administrative, physical and technical safeguards that authenticate users, control access to workflows, encrypt data handled on the device and maintain an audit trail of all activity.
Accurate, Effective and Secure Use of Patient Information at Point of Care
Hospitals need to adopt an approach that automatically provides security and control at the smart MFP from which patient information is shared and distributed. This approach must also support the use of mobile computing technologies, which are helping to bring access to patient information and electronic health records (EHR) to the point of care. Advanced secure information technology and output management solutions can help hospitals protect patient health information, as part of achieving HIPAA-compliant use of PHI, with software that adds a layer of automated security and control to both electronic and paper-based processes. These solutions can minimize the manual work and decisions that invite human error, mitigate the risk of non-compliance and help hospitals avoid the fines, reputation damage and other costs of HIPAA violations and privacy breaches.
With this approach, vulnerabilities with capturing and sharing PHI are reduced with a process that ensures:
Authorization — only authorized staff can access specific devices, network applications and resources, with password- or smartcard-based authentication. Network authentication is seamlessly integrated with the document workflow and, to ensure optimal auditing and security, documents containing PHI are captured and routed to various destinations such as email, folders, fax and EHR systems.
Authentication — user credentials must be verified at the device, by PIN/PIC code, proximity (ID) card, or by swiping a smart card, to access documents containing PHI. Once authenticated, the solution controls what users can and cannot do. It enables or restricts email or faxing and prohibits documents with PHI from being printed, faxed or emailed.
Encryption — communications between smart MFPs and mobile terminals, the server and destinations, such as the EHR, are encrypted to ensure documents are only visible to those with proper authorization.
File destination control — simultaneously monitors and audits the patient information in documents, ensuring PHI is controlled before it ever gets to its intended destination.
Content filtering — automatically enforces security policies to proactively prevent PHI from leaving the hospital by filtering outbound communications and intercepting documents – rendering misdirected or intercepted information unreadable to unauthorized users.
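As an added illustration, not part of the original post and not code from any Nuance product, the Python sketch below shows how the authentication, authorization, destination control, content filtering and audit steps listed above can be chained into one release decision at the device. The role names, the hospital.example domain and the two PHI patterns are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass, field

# All policy values below are constructed for this example.
ROLE_ACTIONS = {"nurse": {"print", "scan_to_ehr"},
                "registrar": {"print", "scan_to_ehr", "email", "fax"}}
INTERNAL_DOMAINS = {"hospital.example"}
# Illustrative PHI indicators only; a real filter needs far broader coverage.
PHI_PATTERNS = {"ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
                "mrn": re.compile(r"\bMRN[:#]?\s*\d{6,10}\b", re.I)}

@dataclass
class Job:
    user: str
    role: str
    authenticated: bool  # outcome of the PIN, proximity-card or smart-card check
    action: str          # print, scan_to_ehr, email or fax
    destination: str     # e-mail address, fax number, "ehr" or device name
    text: str            # text extracted from the document

def is_internal(job):
    if job.action in ("print", "scan_to_ehr"):
        return True
    if job.action == "email":
        return job.destination.rsplit("@", 1)[-1].lower() in INTERNAL_DOMAINS
    return False  # fax and anything unknown is treated as leaving the hospital

@dataclass
class Gate:
    audit: list = field(default_factory=list)

    def decide(self, job):
        hits = sorted(n for n, rx in PHI_PATTERNS.items() if rx.search(job.text))
        if not job.authenticated:
            result = ("deny", "not authenticated")
        elif job.action not in ROLE_ACTIONS.get(job.role, set()):
            result = ("deny", "role not authorized for action")
        elif hits and not is_internal(job):
            result = ("deny", "PHI to external destination")
        else:
            result = ("allow", "ok")
        # Every decision is logged; the log holds pattern names, never the text.
        self.audit.append({"user": job.user, "action": job.action,
                           "destination": job.destination, "phi": hits,
                           "decision": result[0], "reason": result[1]})
        return result
```

Denied jobs are audited as well as allowed ones, and the audit record stores only which patterns matched, so the trail does not become a second copy of the PHI.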
Chris Strammiello, vice president of marketing and product strategy, Nuance.
Patient admissions and discharge processes implemented at many hospitals today are rife with vulnerabilities and potential HIPAA violations. One of the greatest challenges hospitals face is how they can successfully deliver on dual requirements to make the information in a patient’s electronic health record (EHR) more accessible while at the same time making it more secure, especially because of their reliance on paper, analog fax machines and unmonitored multi-function devices (MFDs).
Every time a document or form is copied, scanned, printed, faxed or emailed — on either an analog fax machine, digital MFD or mobile phone or tablet — a patient’s protected health information (PHI) can be accidentally exposed or intentionally compromised. In light of this, federal standards have now defined digital MFDs as workstations, where PHI must be protected with administrative, physical and technical safeguards that authenticate users, control access to workflows, maintain an audit trail of all activity and encrypt data at rest and in motion.
Healthcare organizations need to add a layer of security and control to electronic and paper-based patient admissions and discharge processes to help minimize the manual work and decisions that invite human error, automatically mitigate the risk of non-compliance and avoid the fines, reputation damage and other costs of HIPAA violations and privacy breaches.
As hospitals are rapidly approaching an FY 2015 deadline for meaningful use, they must demonstrate their “meaningful use” of certified EHR technology, including the ability to protect patients’ health information, or face reduced Medicare payments. The recent HIMSS Analytics survey found that despite the vast majority of hospitals reporting progress toward Stage 2 EHR, barely half of them — just 54 percent — were yet capable of protecting electronic health information, a required Core Objective in Stage 1.
Acting under provisions of HITECH, the Department of Health and Human Services Office for Civil Rights issued new rules in 2013 that enhance patients’ privacy protections, expand individuals’ rights to their health information and strengthen the government’s ability to enforce the law. One new development from these rules is that a security risk assessment tool prepared by the Office of the National Coordinator for Health Information Technology (ONC) mentions copiers 15 times as being workstations where PHI must be protected with administrative, physical and technical safeguards that authenticate users, control access to workflows, encrypt data handled on the device and maintain an audit trail of all activity.
Hospitals also need to conduct a risk assessment to identify threats and vulnerabilities (including copiers), implement and train workers in data loss protection (DLP) technology and procedures, and establish security incident reporting.