We are Guardians of Patient Privacy

How to (not) use your private mobile phone for work (August 2024)

Ensuring the confidentiality and security of patient information is paramount to our commitment to quality healthcare. As valued members of the Mediclinic family, it is crucial that each employee upholds the highest standards in data privacy.

Risks related to the use of private mobile phones for work

  • Data breach in case of loss or theft: Patient information on your private mobile phone can lead to a data breach if the phone is lost or stolen. A thief or finder will be able to access your phone if it is not protected or has weak safeguards.
  • Data breach due to cloud sync: Patient data on your private mobile phone can also lead to a data breach if data is uploaded to the cloud. Most mobile phone users have sync options activated for backup or archiving purposes. This means that contacts, files, photos, videos and messages are uploaded to Apple, Google or other providers (e.g. app developers), which results in a data breach if patient data is stored on the private mobile phone and subsequently uploaded to such clouds.
  • Incomplete clinical documentation: Patient information stored on your private mobile phone is not part of Mediclinic’s record keeping, which can lead to gaps in the clinical documentation.
  • Unmanaged data: It is a fact that most users do not delete files, photos and videos as long as there is enough storage on the phone or in the cloud. As a result, patient information stored on the private mobile phone remains unmanaged, retention and deletion obligations are not complied with, and the storing of patient data on a private mobile phone is not transparent for patients and Mediclinic.
  • Regulatory violations: When a private mobile phone with patient data is lost or stolen, it can result in regulatory violations if proper safeguards are not in place to protect the data. This can result in heavy fines and serious legal consequences for Mediclinic and for the responsible employee.
  • Financial and reputational impacts: Addressing the fallout from a lost or stolen mobile device can be costly. This includes potential fines and legal expenses. Furthermore, patients trust healthcare organizations to protect their sensitive information. A data breach resulting from a lost or stolen mobile phone can erode this trust, leading to reputational damage and a loss of confidence in the organization’s ability to safeguard patient data.

DOs and DON’Ts

  • NO UPLOADING: Do not upload or store any patient information on your private mobile phone. This includes any health data and also administrative information about patients like name, date of birth, demographics, admission and discharge date etc.
  • NO PICTURES AND VIDEOS: Do not take and store pictures or videos of patients or patient information with your private mobile phone. This includes patients’ faces, body parts (e.g. wounds), patient records, labels/stickers, radiology images, lab results, Emirates IDs, passports etc.
  • USE MICROSOFT TEAMS: Do not send patient data via messaging apps (WhatsApp, Messenger etc.). Install and use the Microsoft Teams app to communicate for work purposes. Log in to Teams with your Mediclinic login details.
  • USE ONLY APPROVED APPS: Do not use any mobile app to capture, store and process patient data unless it is officially approved by Mediclinic, whether it’s a standard app of the device or a downloaded one. Discuss any needs for apps for work with your line manager or the Medical Director of your facility.
  • LIMIT WHATSAPP: Use WhatsApp chat groups in a work context only for organisational matters like shift changes, team-internal announcements etc. but never for a discussion about patients. Don’t chat about patients on WhatsApp and don’t send documents or pictures with patient data.
  • MIND COMPANY CONFIDENTIALITY: Keep in mind that company-related information can also be sensitive and confidential, not only patient information.
  • APPLY SECURITY BEST PRACTICES:
    • Set a password according to Mediclinic’s password policy or activate a biometric function (face ID, touch ID, fingerprint). Avoid using only a four-digit PIN code or a pattern to unlock the screen.
    • Lock your screen if your mobile phone is not in use or unattended (e.g. when charging). Regularly review smart lock settings if activated.
    • Activate the “find my device” function to find or remotely lock the phone and delete apps and data in case of loss or theft.

Reasons behind the DOs and DON’Ts

If you store patient data on your private mobile phone, the data is exposed to the risks mentioned above. Therefore, you should not use the private mobile phone to type, store or upload patient information, to take pictures or videos, to use the dictation app or to message patient information. Be aware that even if you delete the picture after a few minutes, it might already have been synced to the cloud and stored on an external third-party platform under terms and conditions which neither you nor Mediclinic controls.

Microsoft Teams and other approved apps can be used on your private mobile phone. If you do so, it is important that you apply the same safeguards as at your workplace and adhere to information security and ICT usage policies and guidelines. It is also recommended to sign out from such apps after use or after work unless you need to be permanently signed in for work-related reasons. Being permanently logged in to certain apps is another reason why it is of utmost importance to apply a strong login mechanism to open your phone or unlock the screen. Familiarize yourself with the MCME ICT Acceptable Usage Guidelines and Practice (see link below).

Strong security safeguards are also recommended for your own private purposes. If your mobile phone is lost or stolen, your personal apps, data, contacts, photos and videos are accessible. Most users are always logged in to their social media and email accounts or to commercial apps. It will be easy to abuse your identity when someone has access to your apps and personal information due to weak or nonexistent security safeguards.

Remember, our dedication to patient well-being extends beyond medical care; it includes safeguarding their privacy. Let us all contribute to fostering an environment where patients can trust that their information is handled with the utmost care and respect.

Thank you for your commitment to upholding the values that make Mediclinic a trusted healthcare provider.

MCME ICT Acceptable Usage Guidelines and Practice
My device, my responsibility – Mediclinic DATA MATTERS campaign (published January 2021)