Datcher Group was approached by a mid-sized health system comprising hospitals, behavioral health centers, rehabilitation centers, and more, as it prepared to move to a new EHR system. The organization needed a solution to verify that it could secure sensitive data on mobile devices.
To begin our engagement, Datcher Group conducted an assessment of their current security structure, including their security policies, wireless network, user base, and devices. As with most healthcare organizations, they were not prepared to proactively secure and manage this sensitive data on mobile devices.
As a first step, Datcher Group defined several types of requirements by coordinating with teams across the health system, including legal, HR, the CMIO, nursing, and IT.
At Datcher Group, we believe that cybersecurity is not just an IT problem; it's a business risk. We have an inclusive approach that brings business and technology leaders together to identify key business processes and threats to business operations that impact their ability to deliver patient care.
From a network perspective, we worked to bring their Wi-Fi into HIPAA compliance by adhering to the Code of Federal Regulations Title 45, Part 164, Subpart C (the HIPAA Security Rule). Compliance is required, but cybersecurity threats and attacks evolve, so we also applied industry best practices to further secure sensitive data on mobile devices.
Broadly, this section of the CFR requires that businesses "ensure the confidentiality, integrity, and availability of all electronic protected health information... create[d], receive[d], maintain[ed], or transmit[ted]," both by the business and also by its workforce.
From a hardware perspective, we developed requirements and standards for both company-owned devices and personal "bring your own" devices (BYOD). For company-owned devices, this involved regulating which applications could be installed on the mobile devices and restricting both the ability to take pictures outside of their new Epic EHR app and the ability to send PII by text message. For BYOD, we put systems in place to manage corporate data on personal devices, such as by integrating Data Loss Prevention (DLP) capabilities into the tools.
Once these requirements were put into place, we drafted and developed the required policies. These policies were for all users, including employees, contractors, vendors, etc., and compliance was required in order to use mobile devices for hospital-related work. The policies included acceptable use, mobile use, and bring your own device use.
Most of these bring-your-own-device policies concerned a device's ability to support the compliance standards, as many older devices can no longer support the latest security capabilities. The policy also supported both iOS and Android devices, because even though most health systems require iOS devices, it is more important to focus on identity and data security than on the specific user device.
After the policies were established, our team developed the infrastructure needed to secure this data. We started by leading the selection process for a new enterprise mobility management vendor, and then upgraded the wireless network with the required capabilities.
With our strong knowledge of the healthcare regulatory environment and our experience securing sensitive data, we were able to design a secure enterprise mobility solution that was validated by third-party auditors. Our solution included new security policies approved at the board level, as required for enterprise adoption; new capabilities to secure sensitive data on corporate-owned and BYOD devices; workforce training; and updates to the wireless network.
Interested in seeing how Datcher Group can help your healthcare practice with cybersecurity? Contact our team to schedule a call.