The mobile-medical conundrum: Does convenience trump security?
How IT can protect personal medical data.
By Moti Rafalin, December 2012
Moti Rafalin is CEO of WatchDox.
Anyone who has visited a doctor recently can easily see the value of mobile devices in healthcare. From a tablet, a physician can quickly pull up a patient’s records, view test results, consult medical texts, scan for existing medications, check for allergies and digitally send a prescription to a pharmacy. All of that makes the facility more efficient and improves the patient’s experience. But what does it do to data security?
IT leaders in healthcare facilities are grappling with this issue, which has become one of the industry’s most pressing challenges. There are best practices for managing it without giving up the benefits of mobile computing in medicine.
It makes sense that healthcare workers would embrace the benefits of mobile devices. In a field where up-to-date information can literally make the difference between life and death, having that data in hand helps medical professionals stay efficient and effective. Last year, the Ponemon Institute found that 81 percent of healthcare organizations store sensitive information on mobile devices, some of which belong to employees. A staggering 49 percent of respondents to that survey reported that their organizations don’t secure the data on those devices at all.
That’s striking, especially when one considers what can be lost: credit card information, medical records, Social Security numbers and other sensitive information. Healthcare organizations that fail to protect this data risk not only their reputations and their patients’ trust, but also civil and criminal penalties under the Health Insurance Portability and Accountability Act (HIPAA). And data breaches in healthcare are on the rise. In 2011, the Ponemon Institute noted a 32 percent increase in data breaches in the field and said 96 percent of healthcare organizations indicated they had suffered from data loss in the previous two years. The price tag for such incidents: $6.5 billion annually.
Banning mobile devices is not the solution. Consider that analysts predict a billion tablets will be sold by the end of 2015. Eighty-five percent of hospital IT departments already have bring-your-own-device (BYOD) policies, according to Aruba Networks. The solution has to come in the form of better data protection.
IT professionals working in healthcare need to consider a number of potential data security threats. Mobile devices can be lost. PCs and laptops can be stolen. Employees can accidentally email sensitive documents to the wrong parties. Disgruntled staff can copy documents to USB drives and carry them out of the facility. Each of these is a different path for the same data to leave the organization, so the protection should follow the data rather than be tied to one class of device.
Some organizations look to mobile device management (MDM) as the answer to the data leak problem, at least for their tablet and smartphone users. However, such solutions are mere Band-Aids that fail to cover potential data-loss wounds. Most MDM offerings can remotely wipe an enrolled device, but a full-device wipe is only practical when the device belongs to the employer; on a personal device it also destroys the owner’s own photos, messages and apps, which is exactly the situation the BYOD trend creates. Furthermore, MDM controls the device, not the document: once a file has been emailed, copied to a USB drive or synced off an approved machine, MDM has no hold on it, and it does nothing to encrypt the documents themselves.
Instead, IT leaders should seek out data protection solutions that:
- Allow for access, sharing and control of sensitive documents on any device, even those beyond the reach of IT;
- Put security controls on the documents themselves, so protection travels with data, regardless of where it goes; and
- Provide the ability to wipe selected documents should a company or personally owned device be lost.
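One way to implement the document-level control and selective wipe described in the three points above, as an added example that is not WatchDox’s or the article’s own code: each document is encrypted under its own random AES-256-GCM key, the key is held only by a key service, and “wiping” a document from a device means refusing to issue that key to that device. The KeyService type, its in-memory maps, and the document and device names are assumptions made for the example; a real deployment would put the service behind authenticated HTTPS with a device identity and persistent storage.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// ProtectedDoc is the only thing that ever sits on a device: ciphertext plus
// the metadata needed to ask the key service for a key. It carries no key.
type ProtectedDoc struct {
	ID    string
	Nonce []byte
	Data  []byte // AES-256-GCM ciphertext with the authentication tag appended
}

// KeyService stands in for the server that owns every document key
// (assumed in-memory model for this example, not a real product's API).
type KeyService struct {
	keys    map[string][]byte          // docID -> 32-byte data-encryption key
	revoked map[string]map[string]bool // docID -> deviceID -> wiped
}

func NewKeyService() *KeyService {
	return &KeyService{keys: map[string][]byte{}, revoked: map[string]map[string]bool{}}
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Protect encrypts a document under a fresh random key, keeps the key on the
// service and returns the object that may be copied to any device.
func (ks *KeyService) Protect(docID string, plaintext []byte) (*ProtectedDoc, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// The document ID is bound in as additional authenticated data, so a
	// ciphertext cannot be relabelled to obtain some other document's key.
	ct := gcm.Seal(nil, nonce, plaintext, []byte(docID))
	ks.keys[docID] = key
	return &ProtectedDoc{ID: docID, Nonce: nonce, Data: ct}, nil
}

// Revoke is the selective wipe: the ciphertext may stay on the lost device,
// but the key for this document will never again be issued to it.
func (ks *KeyService) Revoke(docID, deviceID string) {
	if ks.revoked[docID] == nil {
		ks.revoked[docID] = map[string]bool{}
	}
	ks.revoked[docID][deviceID] = true
}

// fetchKey is the policy check every open goes through: the one place the
// service decides whether a given device may read a given document.
func (ks *KeyService) fetchKey(docID, deviceID string) ([]byte, error) {
	if ks.revoked[docID][deviceID] {
		return nil, errors.New("document wiped from this device")
	}
	key, ok := ks.keys[docID]
	if !ok {
		return nil, errors.New("unknown document")
	}
	return key, nil
}

// Open is what the viewer on a device does: ask for the key, then decrypt
// and verify. No key is cached, so every open re-checks policy.
func (ks *KeyService) Open(doc *ProtectedDoc, deviceID string) ([]byte, error) {
	key, err := ks.fetchKey(doc.ID, deviceID)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, doc.Nonce, doc.Data, []byte(doc.ID))
}

func main() {
	ks := NewKeyService()
	// Constructed sample record for the demo; not real patient data.
	doc, _ := ks.Protect("chart-0001", []byte("Patient J. Doe: allergy penicillin"))
	// The same ciphertext is on a hospital tablet and an employee's own phone.
	ks.Revoke("chart-0001", "phone-byod") // phone reported lost: wipe one document
	_, err := ks.Open(doc, "phone-byod")
	fmt.Println("phone after wipe:", err)
	pt, _ := ks.Open(doc, "tablet-7")
	fmt.Println("tablet still reads:", string(pt))
}
```

The point of the design is that the ciphertext is free to travel: it can be emailed, copied to a USB drive or synced to a personal phone, and it stays unreadable unless the key service agrees to hand out the key for that document to that device. Wiping one document from a lost personal device therefore touches nothing else on it. The remaining caveat is the key while a document is open: a real viewer must keep it in memory only, never on disk, and drop it when the document is closed, which is why this example fetches it afresh on every open.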
Additionally, IT should require staff to lock their mobile devices and computers with PIN codes and strong passwords: random combinations of upper- and lowercase letters, numbers and special characters, at least eight characters long. Technology teams can also teach medical professionals how to recognize social engineering and phishing scams, so they don’t hand their passwords to an attacker. Finally, IT should make sure antivirus software is up to date and systems are patched.
In 2011, a stolen computer led to the exposure of 4 million patient records at Sutter Health. That same year, Stanford Hospital learned that a contractor’s error had left the private medical data of nearly 20,000 patients open to the public. These events and far too many others are the stuff of IT leaders’ nightmares. For those working in the healthcare field, where the benefits of technological advances must be balanced against patient rights, comprehensive data control and protection is essential. The rise of mobile devices complicates that pursuit, but by following best practices to protect information, healthcare organizations can ensure their data assets stay healthy and secure.