
Beware of patient/visitor technology use

HIPAA Training Advisor, July 27, 2006

Parents use laptop computers to look up their child's condition, giving them valuable information that will assist their decisions about treatment. New mothers snap pictures of their babies with a camera phone to send to relatives who aren't able to visit. Visitors use small flash drives to bring in work, allowing them to visit loved ones without falling behind at their jobs.

However, each beneficial patient/visitor use of these technologies has a harmful counterpart. For example, a visitor might use a laptop to break into your clinical wireless network, surreptitiously snap pictures of patients or computer screens with a camera phone, or quickly copy ePHI from an unattended workstation onto a small flash drive.

As the technology that patients and visitors use becomes more sophisticated, it becomes harder to recognize and respond to the risks, especially threats that are not yet on your radar, says Kate Borten, CISSP, CISM, president of The Marblehead Group in Marblehead, MA. "With the growing public use of these types of devices, there's definitely a risk, but it's really hard to figure out how to respond." Inpatient facilities are particularly at risk because visitors come and go with more freedom and patients stay in your facility for lengthy periods, Borten adds.

Respond to three threats
It's probably impossible (and of questionable value) to collect patients' and visitors' devices at the door. Instead, take reasonable measures to mitigate the risks these devices pose. Borten and Bill Miaoulis, principal at Phoenix Health Systems in Montgomery Village, MD, offer advice for dealing with the following technologies:

  1. Camera phones. Cameras are increasingly standard on cell phones, raising the danger that a camera-phone user will snap a picture of someone in your facility or of data on a computer monitor, and you might never know.

    Post signs to remind patients and visitors that unauthorized camera use is not permitted, including taking pictures with a camera phone. Also be on the lookout for privacy breaches. Make sure staff know the appropriate response if a patient says that someone took his or her picture without permission (e.g., alerting a security guard).

  2. Wireless devices. These can include Internet-enabled cell phones and laptops that might allow a user to access your clinical network. Your organization may already regulate wireless devices out of concern that they will interfere with clinical devices; however, this practice is falling out of favor. Borten says that wireless devices and hotspots in your facility can create two types of threats:
    • Users seeking free Internet access through your network
    • Users seeking unauthorized access to your data for malicious reasons

    Both are threats. Users seeking free access may download movies or programs that consume your network capacity and may be harmful, and malicious users are a threat by definition. Guard against both by establishing a secure wireless network. For example, make sure you change the default settings (e.g., the factory-set password, and encryption that is switched off out of the box). Miaoulis also suggests creating a segregated wireless network for visitors and patients to use, separate from the clinical network.

    Also pay attention to other network threats, such as unsecured network jacks in publicly accessible conference rooms, Borten says. A malicious visitor pretending to be part of your workforce could use these ports to his or her advantage. Don't leave network ports open, and question suspicious users.

  3. Flash drives. Small thumb drives, which can attach to key chains and hold large amounts of data, pose a risk because patients and visitors can use them to quickly copy ePHI from unattended and insecure computer stations. "If you have a patient or a visitor who has malicious intent, I think it's pretty easy to walk through a hospital and find a workstation that's logged on, connected to the network, unattended," Borten says.

    Secure your end-user computing environment according to sections 164.310(c) and 164.312(a) of the security rule: make sure staff log off of the network session when leaving a workstation, refrain from posting passwords, and lock up all sensitive papers, materials, and devices.

Editor's note: Adapted from "Beware of patient/visitor technology use," Briefings on HIPAA, August 2006.
