IT professionals must take the need for precaution seriously when it comes to protecting an organization from the loss or theft of employee smartphones and tablets.
What would you do if an employee at your hospital or health organization had their iPad containing patient information stolen? This was an unfortunate reality for one Dallas hospital. When an employee’s iPad was stolen from their car, private patient information was no longer private. The hospital had to alert patients of the incident and scramble to secure the missing device.
If you are an IT or telecom professional in healthcare, chances are the thought of mobile device security has kept you up a night or two. You understand how useful mobile devices can be in the healthcare industry, but you also know how these devices can expose your health organization to risk. As the proliferation of mobile devices such as smartphones and tablets has increased, so too has the potential for inadvertent security breaches.
HIPAA has established penalties for organizations and individuals that break its rules, ranging from fines to criminal charges. IT and telecom professionals must take the need for precaution seriously when it comes to protecting an organization from the loss or theft of employee smartphones and tablets. One missing device can cost more than just a tremendous amount of money; it can tarnish an institution’s reputation, a far more devastating result.
IT professionals in healthcare are facing the same challenges as their non-healthcare brethren, dealing with individuals who want to use their personal devices to access networked information. In the case of physicians and other clinical personnel, however, the information in question often includes private patient records. This makes it difficult for healthcare IT administrators to reconcile convenience and an improved patient care environment with potential security threats.
In a report by the Ponemon Institute in November 2010, it was estimated that data breaches of patient information cost healthcare organizations nearly $6 billion annually, and that many breaches go undetected. The research further indicated that:
- Fifty-eight percent of organizations have little or no confidence in their ability to appropriately secure patient records;
- Seventy-one percent of healthcare organizations have inadequate resources; and
- Sixty-nine percent of healthcare organizations have insufficient policies and procedures in place to prevent and quickly detect patient data loss.
The result is an average of 2.4 data breaches per institution over a two-year period, the majority of them through unintentional employee action, lost or stolen devices, and third-party error.
Clearly, healthcare IT administrators are in need of solutions that protect private information while providing convenient application access for mobile device users.
One of the best ways to prevent these mishaps is to establish mobile device-management policies for both employee-owned devices and devices provided to employees. Policy management is the critical path to scaling enterprise devices (allowing the latest technology to grow with the organization) and controlling expectations across hundreds or thousands of users. The lack of a robust mobile policy can mean trouble, from financial cost creep due to limited control of device types, rate plans and ownership, to risks involving usage, governance and confidentiality provisions. Aside from the standard benefits of mobile policy management (including greater control of spend, visibility into inventory and usage control), organizations with strong policy management gain greater data protection and security.
Any solution employed to improve the security of mobile devices should also be required to provide certain capabilities and features. These include:
- Remote lock. Enforces an immediate device password lock on misplaced devices, rendering unauthorized access virtually impossible.
- Locate. The ability to see exactly where a device is located on a map even if a malicious user swaps SIM cards or goes on Wi-Fi. This function can lead to the recovery of a missing device.
- Remote wipe/erase. If a device is unrecoverable (meaning it hasn’t been left in a place where it can be retrieved), all sensitive data on the device can be wiped or erased instantly. This capability eliminates the risk of sensitive information being exposed.
- GeoFencing. Proactively prevents devices from posing a security threat by establishing preconfigured boundaries and alerts that signal any time a device goes outside the “fence.”
As healthcare organizations continue to become more mobile, they must begin instituting better protections for both their mobile devices and the private patient information that is accessed through the technology. The alternatives (fines, criminal charges and damage to the corporation’s public image) could be your worst nightmare.
About the author
Custie Crampton is vice president, product management, Tangoe Inc. For more on Tangoe, go to www.tangoe.com.