Over the Horizon - Through the Looking Glass
Thomas E. Benzoni, DO, FACEP
Alternate Councillor
Background: I'm seeing more facilities using tech solutions, including wireless communication. What could be wrong with that?
Spoiler Alert: Different laws govern wired vs wireless communication for protection of privacy.
- Who is responsible for leaked data (HIPAA) when you use your personal device for your employer's work? (You are!)
- Who "owns" the rights to your phone and ALL its contents when you use it for your employer's benefit? (They do!)
- Are you feeling a bit paranoid? (Only the paranoid survive! If you're paranoid - that's good!)
I've been seeing a gradual crossing of a bright line between personal and work life. This crossing, like a slowly metastasizing cancer, can be difficult to see at first and is related to the now-familiar institutional cause of burnout.
Here's what a sample gradual line-crossing may look like:
First: Wouldn't it be great if you could use your own cell phone to dictate into the patient's personal health record? Seems so...until you think this through. You are broadcasting (Yes, that is the correct verb. You are sending out a radio signal that anyone can listen to without your knowledge. They don't need your permission to do so. You give that permission by using the public airwaves.) a patient's personal, often very private, information for all the world to hear. Do I get a Yuck?
Next: Wouldn't it be great if you paged the consultant yourself, using your own phone? So now your personal number displays on the consultant's phone... And you discuss personal information again. So, we're at Yuck Yuck!
Lately: Wouldn't it be great to put a picture of the patient's wound in their record? There's an app for that!! It will send the patient's picture right into their record...and may compromise your phone. When was the last time you really scrutinized the permissions apps have to access your phone's stored information? And do you check after each update to see what new permissions you've (unknowingly) granted? Check now! And, I'm sure you've followed the news on smart speakers listening in. Did you know your phone's microphone can be turned on without your express ok? Click here to see the ambient comments. So, now we're at Yuck Yuck Yuck!
Next Up: DEA number. The Iowa Board of Pharmacy is requiring all narcs be prescribed electronically by 1/1/2020. (Click here to see the last article.) Some institutions are fining physicians if the physician doesn't install another app on their personal phone to enable this method. This app enables use of your personal property, your DEA number. (Yes, YOU own your DEA number, not some business entity. It is as personal as your car or shoes.) This app supposedly does dual factor authentication, like when you log onto a bank website. (Banks, however, ask to which number you'd like a code sent; you enter that code on the website and off you go...without installing an app.) Goose!
It seems we never learn security lessons.
Concerns I have:
- Using your own phone to dictate into patient’s records is just another example of poorly designed EBRs (Electronic Billing Records. Correct, Billing. These are not approved for medical use; check it out.) Use a wired mic or the one built into your computer.
- Paging a consultant to a personal number while in an institutional environment just seems wrong. The number that displays for the call’s receiver should be the institution you’re representing, not yourself.
- Taking a picture of a patient with your personal cell phone continues to blur the line of propriety, statements to the patient notwithstanding. There is no way they know whether or not you are actually taking a picture for Facebook (another topic). We’ll get to Slippery Slope.
- The DEA number thing seems to be laziness. If my bank can send me a code (mine uses the Adobe service) then surely institutions can do the same. I’m certain Adobe is a willing seller. And if the EBRs don’t support this, maybe it’s time to recall just who is the customer.
Why be concerned?
Humans tend to normalize virtually everything. This is a great adaptive process until we find it off the rails. As institutions encourage us to use our personal devices in the workplace, it is only a matter of time before this behavior crosses a line. And I can only imagine what patients think…
The security/HIPAA implications should be enough to have the IT folks at the barricades. The ability of malware to compromise our digital devices is well known. See recent hacking concerns about IV pumps, pacers, etc.? The fact that you, the physician, are indemnifying your institution (Yes, you are agreeing to pay ALL costs including fines and attorney fees; read the EUA.) makes you a one-person insurance company.
Paranoia works - "they" are listening.
There are other ways:
One local institution checks out cell phones to employees on arrival at work. These are owned, operated and controlled by that entity. The devices work only on a closed network and are as secure as any wireless technology can be. And they don't contain your banking information, contacts, personal records, etc. All use is strictly for business.
As we delve ever deeper into a wireless world, I think it would behoove those of us entrusted with patient care to be very aware and wary of technology solutions that cross into our private lives. We should be doubly concerned when this line is crossed for the benefit of another party. And the final paranoia-nail comes when we realize we are compromising not just our patient's trust but our own data.
That's my opinion. What's yours?
Disclaimer: the above in no way reflects the views of the entire Iowa Chapter Board or its members.