by Jeff Zavaleta, MD, chief medical officer, Graphium Health, and Daniel Dura, chief technology officer, Graphium Health
Discussions around security in the healthcare IT space usually center on external threats to our healthcare IT infrastructure. Sure, this is a big area of concern and one that should not be taken lightly. Software needs to use encryption properly, it needs to protect against and monitor for known threats, and it needs to implement best practices in infrastructure architecture as we design cloud-based systems that are more accessible via the public internet.
But while these are definitely critical items, some of the biggest threats are not technical. Many times we have to deal with threats inside our organizations. This may include ensuring that we are screening and monitoring employees for nefarious behavior, but the more likely situation is that good, law-abiding and well-intentioned employees are putting data at risk. Many times employees have easy access to large swaths of PHI data, which is critical to them performing their jobs appropriately. This access is not inherently bad, but if the software is not designed to take this into account, it can actually encourage a user to do things that will lead to inadvertent data disclosure and put our patient data at risk.
So the question is, is our software designed to promote good security? Here are a few of the most important techniques and guidelines that we use when designing software that help promote good security practices:
Understand your user, and understand their workflow
Good software considers how a user is going to access data and how they are going to move within the system. Provide users with the quickest and most efficient path for them to get to the data they need. Also understand how users use their mobile devices in your environment. Create clear and concise use cases that define how the mobile application will accomplish specific goals. When software is not designed to the specific workflow of a user, that user will usually figure out a workaround which sometimes involves putting patient data at risk. By providing the user a better overall experience you aren’t only protecting the data in the system, but you are likely to increase their satisfaction with it.
Ensure that users only see the data they absolutely need
This will only happen when you understand your user and their processes. Showing information just because you have it is not a good practice, yet it is common in healthcare software. Curate the data and survey users to understand exactly how they use your system. Provide justification for every field, and don’t be afraid to be conservative in what you provide. You can always provide the user a way to customize what they see so that it will help them in their specific job, but err on the side of less. Also, on mobile devices we have limited real estate to display that data, so by removing unneeded data you are ensuring a great user experience targeted to the mobile use case.
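One way to enforce "justification for every field" in code, as an added example that is not Graphium Health's implementation: a default-deny view filter in which a role sees a field only if the policy lists it with a written reason. The role names, field names and sample record are constructed for illustration.

```javascript
// Constructed field policy: each field a role may see carries its justification.
// Anything not listed for the role is withheld (default deny).
const FIELD_POLICY = {
  scheduler: {
    patientName: "needed to confirm the appointment with the patient",
    appointmentTime: "needed to manage the schedule",
  },
  anesthesiologist: {
    patientName: "needed to identify the patient at the bedside",
    allergies: "needed for drug selection",
    weightKg: "needed for dose calculation",
  },
};

const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Return only the fields the role's policy justifies, plus the names of the
// withheld fields so the omissions can be reviewed with users.
function viewFor(role, record) {
  if (!has(FIELD_POLICY, role)) throw new Error(`no field policy for role: ${role}`);
  const allowed = FIELD_POLICY[role];
  const visible = {};
  const withheld = [];
  for (const [field, value] of Object.entries(record)) {
    if (has(allowed, field)) visible[field] = value;
    else withheld.push(field);
  }
  return { visible, withheld };
}

// Policy lint: list every role.field entry that lacks a justification.
function unjustifiedFields(policy) {
  const missing = [];
  for (const [role, fields] of Object.entries(policy)) {
    for (const [field, why] of Object.entries(fields)) {
      if (typeof why !== "string" || why.trim() === "") missing.push(`${role}.${field}`);
    }
  }
  return missing;
}

// Constructed sample record (not real patient data).
const SAMPLE_RECORD = {
  patientName: "Test Patient", ssn: "000-00-0000", allergies: ["latex"],
  weightKg: 70, appointmentTime: "2024-01-01T09:00", insuranceId: "PLACEHOLDER",
};
```

Running the lint in a build step keeps a field from reaching any screen until someone has written down why that role needs it.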
Limit the need to export data
While this may depend on the software system, in many EHRs we find it is too easy to export data. This usually is a release valve of sorts to enable unimplemented functionality. Understand why users are exporting data out of your system and provide that functionality if it is prudent. Anytime a user exports data out of a system, it is more likely to end up in the wrong hands.
Use safe password practices, but explain them to the user
Passwords are hard, but we can make managing passwords easier for the user. Make the path to resetting their password easy and explain to them in clear, concise terms what the password requirements are. If the user has to attempt a password reset multiple times because they don't understand the precise rules you have, they are more likely to use a common password they have used on other systems, or to change their passwords less often. Use real-time updates in the UI to show how they are complying with the rules as they are entering a new password, and provide clear feedback. Also, use 2-factor authentication and PINs appropriately on mobile devices. And if you are on iPhones or iPads, make use of features such as Touch ID for biometric authentication. Not only will it make the software more secure, but your users will appreciate it.
Be careful on alerts and other notifications
Our mobile devices are wonderful at surfacing valuable information to us using system-specific notifications and alerts, but not all of them are necessarily appropriate to use as vehicles for sharing PHI. Avoid using patient data in notifications that can show up on device 'unlock' screens or in other places on the device that can be seen without entering appropriate authentication credentials (for example, prior to entering a PIN, or showing up outside of your software). If you are using notifications, use them to provide calls-to-action that let a user know the software may need their attention, or that give them cues about something they may have already seen in your app.
Some of these guidelines may be obvious, but they have to be constantly evaluated and improved, not only as our technologies evolve but as new devices become available for us to use. When software is designed properly, not only are you making your applications more secure, but you are creating applications that will be a joy to use and may actually save lives.
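The notification guidance above, sketched as an added example that is not code from the authors: the payload carries only a generic call-to-action and an opaque reference, and a guard checks an outgoing payload against the event's PHI values before it is handed to a push service. The event shape, field names and sample values are constructed assumptions.

```javascript
// Generic call-to-action text per event type; none of it is patient-specific.
const TEMPLATES = {
  RESULT_READY: "A new result is ready for review.",
  CASE_UPDATED: "A case on your list was updated.",
};

// Build a payload that is safe to show on a lock screen. Details are loaded by
// the app from `caseRef` only after the user passes PIN or biometric unlock.
function buildNotification(event) {
  const known = Object.prototype.hasOwnProperty.call(TEMPLATES, event.type);
  return {
    title: "Open the app to view",
    body: known ? TEMPLATES[event.type] : "You have an item that needs attention.",
    data: { caseRef: event.caseRef }, // opaque id, meaningless outside the app
  };
}

// Guard: return the names of PHI fields whose values appear anywhere in the
// serialized payload. An empty list means none of the known values leaked.
function phiLeaks(notification, phi) {
  const haystack = JSON.stringify(notification).toLowerCase();
  return Object.entries(phi)
    .filter(([, value]) => {
      const needle = String(value).toLowerCase();
      return needle.length >= 3 && haystack.includes(needle);
    })
    .map(([field]) => field);
}

// Constructed sample event (not real patient data).
const SAMPLE_EVENT = {
  type: "RESULT_READY",
  caseRef: "c_7f3a",
  phi: { patientName: "Test Patient", mrn: "MRN-000123", result: "Potassium 6.1" },
};

// The pattern to avoid, kept here so the guard has something to catch.
const UNSAFE_NOTIFICATION = {
  title: "Test Patient",
  body: "Potassium 6.1 critical",
  data: {},
};
```

The guard only matches values it is given, so it complements the fixed templates rather than replacing them.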
What questions do you have?