The Risks of Dictating from a Personal Cell Phone

It is no surprise that physicians have increased their reliance on technology to manage patient health information. The most significant concern of this increased digital activity is ensuring the protection of patients’ medical information. At 2ascribe, we are always on the lookout for any news regarding developments in digital security and transcription. This article focuses on digital security concerns that attorneys face, but provides important lessons for medical practitioners regarding dictation, security and confidentiality.

The first question is simple: how many doctors are using their personal cell phones when dictating sensitive medical information? The American Bar Association found that more than 73.6 percent of lawyers who use a smartphone for work purposes were using a personally owned smartphone, not firm-owned phones. If this number is similar in the medical industry, there are severe risks to data security. In the United States, the Health Insurance Portability and Accountability Act (HIPAA) makes it clear that the act applies to any mobile device that receives, transmits, or stores protected health information (PHI). In Canada, while federal and provincial privacy legislation may not be as specific as HIPAA, the issue remains the same. The use of mobile devices, especially personal devices for dictation, raises concerns about their loss or theft and unauthorized access to personal health information.

Organizations can control and monitor security on work-issued phones, but they do not have the same control over personal devices. Organizations therefore need to take risk management steps to maintain the privacy of patient information that is transmitted using mobile devices. The first policy should address whether or not personal mobile device usage is even allowed. If the use of personal phones is permitted, usage parameters should be defined, stating which party is responsible for security and what encryption process is required. At 2ascribe, we provide the option of securely dictating via smartphones (Android and iPhones). This is a popular dictation option because it allows physicians to work and dictate from any location.

The data security article recommends an organizational policy of migrating data to cloud-based storage to protect the security of your dictations. Cloud-stored data is safer than locally stored data on your devices. Cloud services utilize more complex security methods, giving your cloud-stored data an added level of protection. The Canadian Medical Protective Agency (CMPA) has addressed the use of cloud-based storage for medical practitioners. They posit that cloud computing “may be especially attractive to physicians in private practice who want to reduce their overhead expenses, lack technical expertise, and would benefit from the mobility offered by the cloud services.”  However, storage of data on a cloud-based system requires due diligence. Data sent to the cloud is outsourced to a cloud service provider, yet doctors remain accountable for the information they transfer to that cloud service provider.

The article provides specific areas to target that will vastly improve data security and confidentiality. First, end-to-end encryption is essential. The process protects the file from its creation through saving and uploading. The dictation recorder app should encrypt dictations in real time. The files are encrypted again when they are sent to the cloud, and again when stored.

At 2ascribe we follow this flow of end-to-end encryption. The VoiceWare Web Server is our primary dictation server responsible for the entire dictation-transcription workflow and uses the secure HTTPS protocol behind an Extended Validation security certificate from a reputable authority. The web server applications run on Microsoft-supported operating systems with all of the latest security patches applied as they are released. We use only parameterized SQL database queries to prevent SQL injection attacks. We check for and disallow any scripting code returned in a form. We require strong passwords of all users and store them with one-way hashing. Our physical and network operating environment and standard operating procedures meet or exceed minimum requirements for several information security standards including HIPAA, HITECH, USDoD, FBI and DEA in the U.S. and PIPEDA and RCMP in Canada.
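The two server-side controls named above, parameterized queries and one-way password hashing, are shown here as an added example; it is not 2Ascribe's code. The `users` table, the function names, the PBKDF2 work factor and the sample input are all assumptions made for the illustration.

```python
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 200_000  # assumed PBKDF2 work factor for this sketch

def hash_password(password, salt):
    # One-way: the stored value cannot be turned back into the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def open_db():
    db = sqlite3.connect(":memory:")  # hypothetical schema, in memory only
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    return db

def add_user(db, name, password):
    salt = os.urandom(16)  # per-user salt so equal passwords hash differently
    db.execute("INSERT INTO users VALUES (?, ?, ?)",
               (name, salt, hash_password(password, salt)))

def lookup_unsafe(db, name):
    # "Before" form: user input is pasted into the SQL text and parsed as SQL.
    return db.execute("SELECT name FROM users WHERE name = '" + name + "'").fetchall()

def lookup_safe(db, name):
    # Parameterized form: the driver binds the input strictly as a value.
    return db.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()

def verify(db, name, password):
    row = db.execute("SELECT salt, pw_hash FROM users WHERE name = ?",
                     (name,)).fetchone()
    if row is None:
        return False
    # Constant-time comparison of the stored hash and the recomputed hash.
    return hmac.compare_digest(row[1], hash_password(password, row[0]))

if __name__ == "__main__":
    db = open_db()
    add_user(db, "dr_a", "Constructed-Pass1!")   # constructed sample accounts
    add_user(db, "dr_b", "Another-Sample2?")
    crafted = "x' OR '1'='1"                      # constructed form input
    print(len(lookup_unsafe(db, crafted)), len(lookup_safe(db, crafted)))
    print(verify(db, "dr_a", "Constructed-Pass1!"), verify(db, "dr_a", "wrong"))
```

With the concatenated query the crafted input matches every row, while the bound parameter is compared as a literal name and matches none.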

When dictating from an iOS or Android mobile device, we use an app called Dictate + Connect. This app removes the need for a dictaphone and allows the user to record in an easier and more intuitive way. No tapes, computers or cables. Just record and send your transcriptions to 2Ascribe. Dictate + Connect encrypts the files with AES (Advanced Encryption Standard, 128 bit key length) before sharing them and can package them in Zip format, GPG format or Dictate + Connect GPG format. Just be sure that the “enforce secure connections” setting is active. 2Ascribe can then only decrypt the files if we know the passphrase. That way, Dictate + Connect offers the highest confidentiality when sending dictations with sensitive content over the Internet. We do strongly recommend that you use passphrases that are not easy to guess, at least 8 characters long and contain uppercase and lowercase characters as well as special characters. Passphrases that are too short or too simple are susceptible to “brute force” attacks that simply try a large number of simple passwords. Remember that encryption is only ever as secure as the passphrase that protects it.
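The passphrase rule above can be checked mechanically, and the same check can show how far a passphrase falls short of the 128-bit AES key it protects. The following is an added example, not part of Dictate + Connect or 2Ascribe's tooling; the 95-symbol alphabet and the guess rate are assumptions, since the page does not say how the app derives its key from the passphrase.

```python
import math

MIN_LENGTH = 8       # minimum length recommended in the article
AES_KEY_BITS = 128   # key length the article states for Dictate + Connect

def policy_failures(passphrase):
    """Return the article's rules that the passphrase does not meet."""
    checks = {
        "at least 8 characters": len(passphrase) >= MIN_LENGTH,
        "an uppercase letter": any(c.isupper() for c in passphrase),
        "a lowercase letter": any(c.islower() for c in passphrase),
        "a special character": any(not c.isalnum() for c in passphrase),
    }
    return [rule for rule, ok in checks.items() if not ok]

def search_space_bits(passphrase):
    """Upper bound on brute-force work, assuming every character was chosen
    at random. Dictionary words and patterns fall far sooner than this."""
    alphabet = 0
    if any(c.islower() for c in passphrase):
        alphabet += 26
    if any(c.isupper() for c in passphrase):
        alphabet += 26
    if any(c.isdigit() for c in passphrase):
        alphabet += 10
    if any(not c.isalnum() for c in passphrase):
        alphabet += 33  # assumed: ASCII punctuation plus space
    return len(passphrase) * math.log2(alphabet) if alphabet else 0.0

def effective_bits(passphrase):
    # The file is only as strong as the weaker of the key and the passphrase.
    return min(AES_KEY_BITS, search_space_bits(passphrase))

def years_to_exhaust(bits, guesses_per_second):
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)

if __name__ == "__main__":
    ASSUMED_RATE = 1e10  # assumed offline guesses per second, not measured
    for sample in ("Dictate1", "Aa1!aaaa", "Aa1!" * 5):  # constructed samples
        bits = effective_bits(sample)
        print(sample, policy_failures(sample), round(bits, 1),
              f"{years_to_exhaust(bits, ASSUMED_RATE):.3g} years")
```

Under the assumed rate, a passphrase that only just meets the 8-character minimum is exhausted in days, so the minimum is a floor and longer passphrases are the practical control.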

Another feature that can increase the security of your mobile device, coupled with password protection and encryption, is the ability to remotely lock or wipe the device if it is stolen or lost. This feature allows users to quickly clear and disable a lost or stolen mobile device, which can prevent or reduce the magnitude of breaches. If you haven’t already done so, make sure this feature is enabled on your mobile device(s). And when you buy or upgrade to a new phone, you should ask the sales or technical person to make sure this feature is turned on before leaving the store.

By implementing these security features, you can experience the efficiency of working with your mobile device, while feeling confident that your safeguards will protect client information and the reputation of your practice.

 

2Ascribe Inc. is a medical transcription services agency located in Toronto, Ontario Canada, providing medical transcription services to physicians, clinics and other healthcare providers across Canada and the US.  Having recently introduced WEBscribe, a client interface portal for document management, 2Ascribe continues to implement and develop technology to assist and improve the transcription process for physicians and other healthcare providers.  As a service to our clients and the healthcare industry, 2Ascribe offers articles of interest to physicians and other healthcare professionals, medical transcriptionists and office staff, as well as of general interest. Additional articles may be found at https://www.2ascribe.com.
