Between September 9th and October 6th, 2015, the consumer-level computer world was turned completely on its head. In early September, Apple hosted its annual iPhone press release that announced the redesigned iPhone 6s and the iPad Pro. A little over one month later, Microsoft announced a bevy of new devices, including a redesigned Windows Surface Pro (they are now up to the Surface Pro 4) and the unanticipated but incredibly intriguing Surface Book. These two displayed an incredible amount of hardware and software engineering. However, neither Apple nor Microsoft mentioned the acronym HIPAA or the clinical applicability of these devices.
While many of us choose to purchase our own devices and repurpose them for the hospital, it is important to recognize that these consumer devices are not often optimized for professional settings. For example, devices like iPhones, iPads, and Microsoft Surfaces are not meant to be soaked in bleach and disinfected. In fact, using hospital-based standard antimicrobial disinfecting agents would likely nullify any warranties on the devices.
Beyond the threats of tracking germs from patient to patient, or patient to home, these devices are not ready to manage complex, valuable patient data “out of the box.” Many of us have learned about best practices for data breach prevention, such as not texting patient information, not using personal devices to take pictures of patients, and not posting patient information on social media.
However, most of these devices are not set up with the requisite security software to ensure safe patient data management. It is unclear whether a standard mobile browser is acceptable for logging into a confidential hospital website. It has yet to be determined whether a simple seven-digit alphanumeric or geometric password is acceptable for device security. It is unclear whether the cookies generated when looking at a protected website with patient information really are deleted when the device is backed up to the cloud. These topics are rarely discussed, but each one can cost any of us our jobs, a significant federal fine and/or a personal liability lawsuit.
With all of this said, it is completely possible that these newly released devices can and will be used in health care. However, the requisite rigorous testing has not been demonstrated, and viable repurposing has yet to be. The crux of the problem is the urge to be an early adopter in outdated technological systems. The reason that hospitals are slow to adopt new technologies is that it takes significant time to perform product validations and it is incredibly expensive to constantly buy new devices.
Because of the omnipresent undertone of outdated equipment, many hospitals and health systems are offering programs that can be installed on physician-owned and operated devices. At first, it seems that hospitals are embracing the idea of physicians using new technology. However, in actuality, hospitals are simply acknowledging that it is easier to allow physicians to use their own devices to keep them happy with new ones. But as more and more hospitals allow more and more devices, it is important to recognize that the responsibility for maintaining the security of the device lies with the owner. If the doctor owns the device, then the doctor is responsible for the device. So for example, a data breach from said device would be viewed as the doctor’s fault.
So what are we to do? In my opinion, utilize the KISS principle — keep it simply secure — and utilize two devices. Use your hospital-issued device for the hospital and your personal device for personal use. Protect the hospital device, keep it up to date with software updates and frequently bring it to the information technology department to make sure that it is secure. Keep your personal life private and don’t download any software that will give the hospital the ability to access your personal files while “securing” your device. It seems obvious and like a rookie error, but I cannot count the number of times that I catch the smartest physicians mixing work and private life on the same device.
Practicing medicine is hard. Knowing all of the rules and regulations is even harder. By keeping our electronic lives simple and separate, we give ourselves the best chance to limit our security exposure. And in the spirit of the newest consumer-level devices, I love them all, and I can’t wait to play with them — at home, away from work. I will definitely keep them germ-free and away from patients!
Brian Levine is an obstetrician-gynecologist. This article originally appeared in the American Resident Project.