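    013 Are There Serious Consequences to Using Your Own Laptop or Phone at Work?
    Date: 2015-09-20 23:11:05    Source: 奥医教育
    Although physicians need smartphones or tablets to work efficiently, most hospitals and large institutions do not provide them with company tablets or phones. If you have your own habits, you may prefer to use one device for two purposes, both work and personal life. But some of the software, apps, or hyperlinks you access on your device may contain malicious elements, putting patient data at risk of being stolen or corrupted.
    Clearly, the "bring your own device" movement is a double-edged sword for the medical profession. It is hard to imagine: what happens when you access patient records on the same computer you use to play games?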


     
    How Your Own Laptop or Smartphone Can Wreak Havoc at Work
    Paul Cerrato, MA
     
    Introduction
    What happens when the computer tablet you use to access patients' records is also the same one you use to play games? It's clear that there's a potential for disaster.

    In 2012, Google had to remove 10 Angry Birds-related apps from its Android Market because they contained spyware.[1] More recently, Sophos, a mobile security firm, discovered that a mobile version of Angry Birds contained a Trojan virus -- a form of malware that can turn your smartphone into a "botnet," a slave for hackers looking to infect other machines.[2]

    Although doctors need to use smartphones or tablets in order to be efficient, most hospitals or large practices don't provide company tablets or phones to their associated physicians. And if you have your own practice, you're likely to have only one device that does double-duty for both work and personal life. But some of the software, apps, or hyperlinks you access on your device could contain malicious elements that put patient data at risk for being stolen or corrupted.

    Clearly, the "bring your own device" (BYOD) movement within the medical profession is a double-edged sword. Physicians love their iPads® and smartphones because they provide remote access to electronic health records (EHRs) and a wide variety of reference tools to monitor drug therapy, keep track of billings, and much more. But the downside is that these devices can create havoc for medical practices, hospital data security, and individual clinicians, if not properly managed. The number of data breaches that have resulted in million-dollar fines for Health Insurance Portability and Accountability Act (HIPAA) violations is proof.

    What should you do to reduce the likelihood of a breach, or to avoid having your data stolen or corrupted, and avoid problems with your practice technology or office systems?

    Why Doctors Bring Their Own Devices

    The benefits of mobile devices are no exaggeration. When used properly, smartphones and tablets can transform a practice and significantly improve patient care, giving physicians remote access to patient data that in the past required tedious phone calls, insecure faxes, or a trip into the office.

    Joseph C. Kvedar, MD, Director of the Center for Connected Health and a dermatologist at Partners Healthcare in Boston, Massachusetts, says: "The idea of mobility extending to clinical decision-making is quite powerful. And isn't it great that I bought my own tablet or smartphone, and I can use it for work, and you don't have to buy me one."

    The Security Risks Are Real

    Although such innovative apps offer convenience and mobility, Kvedar emphasizes the need for security as well. To keep employees from having their identities stolen or from being snared by corrupted Angry Birds apps, infected e-mails, and phishing scams, medical practices need to think proactively.

    At Partners Healthcare, for instance, employees routinely get a message on their mobile device to change their password at regular intervals. If Kvedar wants access to email on the Partners network, he has no choice but to comply. And if by chance he were to lose his smartphone or tablet in the mall, he's covered. "If someone tries to log on and fails 10 times, it will automatically wipe itself clean," eliminating any sensitive patient data -- and the risk for steep HIPAA-related fines.

    Like many other experts in healthcare IT, Kvedar drove home the need for encryption on every device that touches a practice's records, a fact that too many practices continue to ignore. Encryption converts the information entered into a device into a string of characters, called ciphertext, that cannot be easily deciphered by anyone who doesn't have the key to break the code. Anyone authorized to read the protected text uses a decryption key or algorithm to unlock the original message. The more complex the encryption system is, the harder it is for hackers to break in, but as you might expect, the more expensive the protection becomes.

    In 2012, Massachusetts Eye and Ear Infirmary (MEEI) and Massachusetts Eye and Ear Associates had to pay $1.5 million to the US Department of Health and Human Services (HHS) because a doctor's unencrypted laptop was stolen and patient data were breached. And in the case of MEEI, the problem went deeper than just a lack of encryption. The HHS incident report pointed out that the organization had not done an ongoing risk analysis to determine where their data network might require shoring up.[3]

    This lack of preparedness is a recurring theme among many small to medium-sized practices. Steve Collignon, Chief Information Security Officer at Cardinal Health, a healthcare services company specializing in distribution of pharmaceuticals and medical products, says, "Doctors tend not to care too much about security... Their number 1 goal is treating the patient, not securing the device."

    Tools That Will Help Boost Your Security

    Although that priority should never change, physicians need to place security higher up on the to-do list if their practice hopes to avoid costly fines. Collignon mentions several technological tools that can address these issues. Among your options is mobile device management (MDM) software, including systems made by Good Technology and Symantec.

    Before considering such solutions, however, hospital administrators or physicians have to decide whether they want the practice to own all the mobile devices that their providers use to access patient data, or whether they will allow doctors to connect with their own devices. In general, practice-owned devices can be made much more secure than personal devices. With that in mind, some practices will opt for the safest approach and simply insist on no BYOD.

    The decision to forbid or allow personal devices into a medical practice depends on its financial resources and technological capabilities. Adequate security can get expensive, and a practice with limited resources has to weigh those costs against the pushback from staff physicians who want to use their own devices. On the other hand, if you already have a contract with a computer services company, it may be able to provide the security services you need. If the practice has 1 or more tech-savvy clinicians on staff, you may even be able to secure BYOD devices without bringing in outside vendors.

    Ways to Reduce the Risk

    If you do allow clinicians to use their own devices, there are a couple of options for boosting security. The devices can be used as "thin clients": Essentially, this means the user can view -- but not download -- patient information on the practice's in-house servers, and no patient data reside on the device.

    Another option is to allow patient data to reside on the physicians' personal device but have a set of security controls in place that can remotely remove all that information from the device if it's lost or stolen -- the "remote wipe" mentioned earlier.

    Bob Dupuis, director of technical and managed services at Arcadia Solutions, a healthcare consulting firm, described yet another solution: Implement a cloud-based EHR system that's enhanced from day 1 with the encryption and related IT tools needed to allow physicians to securely access the practice's patient records from mobile devices owned by a group practice. In the process of helping one of its clients put this system in place, Arcadia "applied a standard set of hardware and software that includes security controls, centrally monitored antivirus software, and centrally monitored encryption of mobile devices," explained Dupuis. For employees who wish to gain secure access at home through their personal device, the team set up a VPN (virtual private network).
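
    The controls named in this article (device encryption, regular password changes, automatic wipe after 10 failed logins, remote wipe, centrally monitored antivirus, and the thin-client option) can be checked automatically against a device inventory. The following is an added example, not part of the original article or any vendor's MDM product; the field names, the sample inventory, and the 90-day password interval are assumptions.

```python
from datetime import date

# The 10-attempt wipe threshold is the article's figure; the 90-day password
# interval is an assumption (the article says only "regular intervals").
MAX_FAILED_LOGINS_BEFORE_WIPE = 10
MAX_PASSWORD_AGE_DAYS = 90

def evaluate_device(dev, today):
    """Return policy findings for one device record; empty list = compliant.
    Missing fields fail closed (treated as the unsafe value)."""
    findings = []
    if not dev.get("encrypted", False):
        findings.append("storage not encrypted")
    if not dev.get("av_monitored", False):
        findings.append("antivirus not centrally monitored")
    changed = dev.get("password_changed")
    if changed is None or (today - changed).days > MAX_PASSWORD_AGE_DAYS:
        findings.append("password rotation overdue")
    # Wipe controls apply when patient data resides on the device; a thin
    # client only views records held on the practice's servers.
    if dev.get("stores_patient_data", True):
        limit = dev.get("wipe_after_failed_logins")
        if limit is None or limit > MAX_FAILED_LOGINS_BEFORE_WIPE:
            findings.append("no auto-wipe within 10 failed logins")
        if not dev.get("remote_wipe", False):
            findings.append("remote wipe not enrolled")
    return findings

def audit(inventory, today):
    """Map device id -> findings for every non-compliant device."""
    results = {d["id"]: evaluate_device(d, today) for d in inventory}
    return {dev_id: f for dev_id, f in results.items() if f}

# Constructed sample inventory (hypothetical field names and devices).
TODAY = date(2024, 6, 1)
INVENTORY = [
    {"id": "tablet-01", "encrypted": True, "av_monitored": True,
     "password_changed": date(2024, 5, 1), "stores_patient_data": True,
     "wipe_after_failed_logins": 10, "remote_wipe": True},
    {"id": "laptop-02", "encrypted": False, "av_monitored": True,
     "password_changed": date(2023, 11, 1), "stores_patient_data": True},
    {"id": "phone-03", "encrypted": True, "av_monitored": True,
     "password_changed": date(2024, 4, 15), "stores_patient_data": False},
]

if __name__ == "__main__":
    for dev_id, findings in audit(INVENTORY, TODAY).items():
        print(dev_id, "->", "; ".join(findings))
```

    In the sample, only laptop-02 is flagged: it is unencrypted, its password is overdue, and it holds patient data without either wipe control, while phone-03 passes as a thin client that stores no records.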

    Gone are the days when physicians could concentrate all of their efforts on caring for patients and leave any support services to their support staff. To remain actively engaged in patient care, one now has to remain up to date on the perils and promise of healthcare technology. Any other approach is just too risky.
     
     
    Original article: http://www.medscape.com/viewarticle/779829_3
     



