AST Guideline - Use of Mobile Information Technology in the Operating Room

C. The Healthcare Information and Management Systems Society (HIMSS) Mobile Security Work Group published a report on security threats addressing the possibility of someone eventually developing malware to compromise patient data on mobile devices. 49 The following are recommendations for protecting the security of OR personnel smartphone use. 50

1) OR personnel should ensure that their smartphones include security controls that are routinely updated with the most recent antivirus software and malware protection. 8,16

2) Password protection should be required for an individual to unlock a mobile device, which can possibly prevent a security breach if a device is lost or stolen. The Internet security software business Symantec conducted an experiment in which employees intentionally "lost" 50 phones. The business observed that the majority of individuals who found the phones tried to access the device before returning it. 16,51

3) Auto-location technology, such as GPS functionality, should be loaded onto mobile devices to assist the user and/or HDO in locating a lost or stolen device. 16,35

4) PHI files and other sensitive HDO information stored on mobile devices should also be password protected to prevent access.

5) The device should be programmed to lock up after a specific number of attempts by a user to log on, e.g., with an incorrect password.

6) Automatic log-off should be loaded onto mobile devices and activated by the device after a specific period of time of being idle. 8

7) The HDO sets up a system in which a security alert/warning message is sent to all healthcare personnel within the facility stating that a compromised or unauthorized device is being or has been used on the network. 16 This allows personnel to stop using their mobile devices until the situation has been resolved.

8) The HDO sets up a system in which a user who accesses an unauthorized website receives a security alert/warning message. 16

2. HDOs should establish policies that reinforce the protection of patient privacy as well as strengthen patient care by prohibiting the inappropriate use of MIT and OR computers during perioperative care of the surgical patient. The policies need to ensure that any kind of personal interruption by mobile devices is avoided when patient care is being provided. 16,50

A. The policies should address appropriate and inappropriate use of mobile devices when providing patient care, areas or zones within the HDO where non-clinical use of mobile devices is allowed, use of social media, and use of encrypted devices to securely access patient information and data. 15 The policy should also address in detail the consequences for violations, including violation of patient confidentiality and privacy.
