Stage 2 meaningful use calls for encryption of electronic health information stored on end-user devices. With many clinicians, especially physicians, increasingly bringing their own BlackBerrys, iPhones, iPads, Android devices, and other handhelds into patient care organizations for clinical use, a trend some term the bring your own device (BYOD) movement, IT leaders could face a challenging situation when it comes to securing these devices.
In a newly released whitepaper, CSC lays out a summary of key provisions in the final rule for Stage 2 meaningful use, including additions to the certification criteria. The paper is authored by Jane Metzger, principal researcher, and Jared Rhoads, senior research specialist, who both work at the Global Institute for Emerging Healthcare Practices, a division of the Falls Church, Va.-based CSC. The report states, “the new certification criterion requires any EHR technology that stores electronic health information on end-user devices to encrypt such information once it is no longer being actively used. So this applies to how the technology creates temp files, manages cookies, caches data.” Device encryption in Stage 2 meaningful use goes one step beyond the security risk analyses that were required for Stage 1.
“Organizations should be encrypting their laptops and tablets they put out there, and even their smartphones that are centrally managed,” says Rhoads.
Rhoads admits there are challenges with encryption for organizations that have a BYOD policy. “It’s not as easy to push out encryption requirements and capabilities to devices when they’re not centrally managed,” he says. “If you’re one of these organizations that has gone down the BYOD route, it could be a little more tricky when you have a Wild West environment. You’re going to have to offer a few different technologies to enable the encryption on the various devices. I don’t know if that is insurmountable, but as an IT department you’ll have to be a little bit more careful on that score.”
Rhoads adds that pushing encryption out to some devices is simply impossible, and that further problems arise when organizations must rely on users to install encryption products correctly on their own devices.
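The certification criterion quoted above puts the obligation on the EHR technology itself: whatever it leaves on the device as a temp file or cache must be encrypted once the data is no longer in active use, regardless of whether the device's own disk encryption is managed. The following is an added illustration, not code from CSC, the whitepaper, or any EHR vendor, of how a client application can satisfy that for its own cache: the record is sealed with AES-256-GCM before it is written, the plaintext never touches the filesystem, and a modified file is rejected on read. The key is assumed to come from the device's keystore (here it is generated at random for the demonstration), the file path and the patient record are constructed sample values, and all function names are hypothetical.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

const keyLen = 32 // AES-256

// NewCacheKey generates a random key. Assumption: a real client would
// fetch this from the OS keystore (unlocked by the user's login) rather
// than generate it per run, and it is never stored beside the cache.
func NewCacheKey() ([]byte, error) {
	key := make([]byte, keyLen)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts one cache record with AES-256-GCM. The random 12-byte
// nonce is prepended to the ciphertext; the GCM tag detects tampering.
func Seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open reverses Seal and fails if the blob was altered or the key is wrong.
func Open(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("cache blob too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// WriteCache seals the record and writes only the ciphertext, mode 0600,
// so the plaintext is never present on disk.
func WriteCache(path string, key, record []byte) error {
	blob, err := Seal(key, record)
	if err != nil {
		return err
	}
	return os.WriteFile(path, blob, 0o600)
}

// ReadCache loads and decrypts the record when the user becomes active again.
func ReadCache(path string, key []byte) ([]byte, error) {
	blob, err := os.ReadFile(path)
	if err != nil {
		return nil, err
	}
	return Open(key, blob)
}

// LeaksPlaintext reports whether the on-disk file contains the record in
// the clear; a correctly sealed cache returns false.
func LeaksPlaintext(path string, record []byte) (bool, error) {
	onDisk, err := os.ReadFile(path)
	if err != nil {
		return false, err
	}
	return bytes.Contains(onDisk, record), nil
}

func main() {
	// Constructed sample record; not real patient data.
	record := []byte(`{"mrn":"000123","name":"Sample Patient","allergies":["penicillin"]}`)
	dir, _ := os.MkdirTemp("", "ehrcache")
	defer os.RemoveAll(dir)
	path := filepath.Join(dir, "patient.cache")

	key, _ := NewCacheKey()
	if err := WriteCache(path, key, record); err != nil {
		panic(err)
	}
	leak, _ := LeaksPlaintext(path, record)
	back, err := ReadCache(path, key)
	fmt.Printf("plaintext on disk: %v, round-trip ok: %v\n", leak, err == nil && bytes.Equal(back, record))

	// Flip one byte of the stored blob: GCM refuses to open it.
	blob, _ := os.ReadFile(path)
	blob[len(blob)-1] ^= 0x01
	_, err = Open(key, blob)
	fmt.Println("tampered blob rejected:", err != nil)
}
```

The design point is that the application, not the user, decides what reaches disk: sealing happens at the moment the record stops being actively used (session end, app backgrounded), and the key lives in the platform keystore rather than next to the cache. This complements, and does not replace, whole-device encryption; it says nothing about copies in memory or swap, which remain the device's concern.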
Device encryption is particularly important in healthcare, an industry that, according to a report from the CPA professional association Kaufman, Rossin & Co., has seen 407 breaches affecting 500 or more people each, with more than 19 million individuals affected in total, in the three years since the HITECH Breach Notification Rule took effect. In 2010 alone, more than 7 million records were compromised through breaches. According to the Ponemon Institute, the No. 1 cause of data breaches in 2011 was lost or stolen devices; Rhoads says the share of breaches attributable to such devices could be as high as 70 percent today.
Stay tuned for a more in-depth report on lessons learned from organizations that have suffered data breaches in the October issue of Healthcare Informatics.