According to recent data from the CDW Data Loss Straw Poll, survey respondents estimate that the number of people accessing healthcare networks jumped by more than 50 percent during the last two years. Additionally, CDW’s poll found that the biggest drivers for this increase are the number of office locations (61 percent), mobile device deployment (59 percent) and EHR implementation (47 percent).
The sheer number of people accessing the network isn’t a direct cause for concern. More troubling are the report’s findings that 68 percent of organizations apply less-robust security standards to employee-owned devices, but still allow them network access. In a world where more and more people are bringing their own devices to work, consider the risk to the healthcare enterprise.
According to a March Ponemon Institute study, organizations that suffered a data loss in 2011 paid an average of $5.5 million per breach, or an average cost of $194 per lost record – a scary statistic for healthcare organizations with access to thousands, or even tens of thousands of patient health records. In fact, almost two-thirds of healthcare IT professionals (63 percent) in the CDW poll consider personally identifiable information, such as PHI, the most-likely target of a cyber attack on their organizations.
The news isn’t all bad, however. Seventy-one percent of healthcare respondents say that, overall, their organizations’ data security policy is effective. Yet they still have reasons to worry, as the CDW poll found that 36 percent of healthcare respondents say data loss is the number one cyber-security threat their organizations face over the next year.
It is nothing new that increasing mobility by adding devices to the network increases IT security risks. Yet, IT managers still have the responsibility of helping their healthcare organizations minimize the risk of costly data breaches while simultaneously reaping the cost and process efficiencies associated with mobile technologies.
But how do they do this? Internal IT managers are faced with internal pressures when, despite policies, they cannot enforce banning mobile devices without upsetting important stakeholders – thereby risking costly data breaches by allowing them on the network. Additionally, because many organizations resist enabling mobility options for employees because of security, they miss out on the cost and process efficiencies associated with mobile computing.
Through CDW Healthcare’s involvement with many network implementations at various healthcare settings, it offers simple recommendations to ease the transition to mobile devices, as well as how to manage the applications after implementation. Employing even the most basic of mobile device management (MDM) tools can help keep patient data away from those who should not be privy to the information.
CDW recommends that an organization should always start with a basic evaluation of its current security protections to determine how to best manage mobile devices. From there, develop a plan for how IT managers can communicate with physicians at their organizations. After that, healthcare organizations should:
- Protect mobile devices. Implement a layered security strategy that combines password protection, firewalls, partial- or whole-disc encryption and anti-virus/anti-spam software.
- Enforce a remote device security policy. Hold training sessions for all users with remote access to an organization’s network or mobile devices. Frequently remind them of security policies and practices to ensure awareness and enforcement.
- Protect sensitive data. Sensitive data has no place on a mobile device without multi-layered encryption. Ensure that data is protected on mobile devices, or is only stored on secure servers.
Introducing mobile devices and notebooks to a network can be challenging due to their complexity and perceived risks, but it shouldn’t be daunting. And until there is a complete security solution that can keep pace with the onslaught of mobile devices, the goal is to implement just enough security measures to minimize the most significant risks. As the CDW poll found that data loss (among cyber-security threats) presents the greatest business risk to organizations this year, you will not want to wait. Loss of patient data, email breaches and unauthorized access to protected health information (PHI) can be costly.
About the author
Jonathan Karl is a director with CDW Healthcare. For more on CDW Healthcare, click here.