Consider these five steps to prepare for bring-your-own-device security in the years ahead.
Over the past few years, there’s been a lot of talk about the explosive growth in the mobile and personal device industry. Global mobile phone revenues are predicted to reach $1.6 trillion, yet even that sum pales next to the size of the U.S. healthcare industry, estimated at about $3 trillion. The two are growing together, and that is what has popularized the bring-your-own-device (BYOD) movement throughout hospital and healthcare organizations.
Against that backdrop, the Meaningful Use Stage 2 rules that the Centers for Medicare and Medicaid Services (CMS) issued last year tightened the requirements on the electronic communications healthcare organizations use. BYOD has been a growing concern among IT professionals in the industry, and the standards were updated in order to better protect patient privacy. Meanwhile, the HHS Office for Civil Rights (OCR), which enforces the HIPAA privacy and security rules, is conducting more audits than ever, which has left patients and institutions asking, “What are healthcare organizations doing about employees who bring their own devices to work?”
Stage 2 guidelines come at a time when about 85 percent of hospitals are allowing employees to bring and use personal devices in facilities. This haphazard approach is causing a headache for IT teams, because they can no longer be certain that every piece of sensitive patient data is secure. Emails are getting sent from smartphones, and records are being stored on iPads – and this can have serious consequences without the right procedures and technologies in place.
Take, for example, the case of Massachusetts Eye and Ear, which in September 2012 agreed to pay OCR $1.5 million after a laptop containing patient data was stolen. That’s a sizeable sum for a single device, and a useful benchmark, considering how many healthcare employees rely on smartphones and laptops to store and access that kind of information. Laptops are a little more expected in a hospital environment, but throw tablets and smartphones into the mix and you’ve suddenly multiplied the potential points for a breach.
So, how can hospitals make sure that this influx of devices doesn’t mean a big decrease in security?
Acknowledging and adjusting to a BYOD reality
Even if hospitals were bold enough to do it, banning devices outright isn’t an option at this point. About 70 percent of IT specialists and physicians already use mobile devices to access electronic health records, and, as more healthcare solutions go wireless and mobile, we can expect BYOD to become integral to health services. Gartner predicts that the annual market for wireless solutions in healthcare will reach $1.7 billion by 2014 and, by 2015, there will be about 500 million people using wireless health and wellness applications.
In light of this, it looks like healthcare will practically be running on personal devices instead of proprietary infrastructure in just a few short years. To prepare, the industry first has to acknowledge that this is a major change when it comes to HIPAA compliance. Meaningful Use Stage 2 guidelines were a step in that direction, but it doesn’t look like most organizations have followed suit. One survey conducted by the nonprofit (ISC)² showed that many healthcare IT professionals feel they’re too understaffed to adequately face IT threats, with 59 percent saying that privacy violations are their biggest worry.
Their concern makes sense, since all it takes is a misplaced iPad to set alarm bells ringing. But that’s all the more reason for IT teams to put a process in place that deals with these issues. Can sensitive data on mobile devices be wiped remotely? Is it automatically synced to another platform, so critical information doesn’t get lost? Consumers are asking these questions too. A recent study by the PricewaterhouseCoopers Health Research Institute showed that 39 percent of consumers are concerned that caregivers can bring their own devices to work and store sensitive data on them. This shows that BYOD security isn’t just a matter of avoiding fines from the OCR and keeping patient data safe; it’s a matter of personal privacy too.
What healthcare needs to do
At first glance, it seems like the healthcare industry is stuck between rigid regulations and the unavoidable BYOD phenomenon, which enhances collaboration, connectivity and results. The changes may be happening fast, but that doesn’t mean that IT departments are powerless, especially if they consider these five steps to prepare for BYOD security in the years ahead:
- Implement mobile device management (MDM). The first step is to get healthcare employees to enroll their devices in the organization’s MDM platform, which reduces regulatory risk by centralizing device management. This way, all stakeholders can confirm that devices comply with policy by checking even the most granular details of access and use. Only enrolled devices can be checked, so enrollment should be paired with controls that keep unenrolled devices away from systems holding patient data.
- Secure data with mobile file management (MFM). Once the management of an organization’s devices has been centralized, there needs to be a careful evaluation of how data is accessed, stored and used. Any data traveling to and from devices needs to be encrypted in transit, and data kept on the device needs to be encrypted at rest, since a stolen laptop or tablet exposes exactly that data. IT also needs to be able to control whether files can be deleted, restored, modified or shared, no matter where the information is or how it’s being used.
- Check for security issues. OCR audits won’t be a surprise if IT departments regularly audit their own devices and network, so they can close any gaps they find and update security infrastructure before an outside auditor finds them.
- Make the solution user friendly. When you overhaul network security, there’s bound to be some confusion among employees when it comes to accessing the data they need. By holding training sessions and using a tool that’s intuitive and user friendly, healthcare organizations can prepare everyone for the changes and make sure the transition goes smoothly.
- Have a strategy for the worst-case scenario. When training employees in the proper and secure use of their devices on the network, IT should also create a step-by-step process for reporting a lost device or any other potential breach. That way, teams can respond as quickly as possible to the threat of personal data being exposed.
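As an added illustration of what steps one, three and five look like in practice (this is not code from the article or from Acronis), the following script evaluates an MDM device inventory against a written policy and decides what to do with each device. The inventory, the field names, the OS thresholds and the seven-day check-in window are all assumptions for the example; a real deployment would pull these records from its MDM platform's reporting API.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta

# Policy thresholds are assumptions for this example, not figures from the article.
MIN_OS = {"ios": (7, 0), "android": (4, 4)}   # oldest OS allowed to hold patient data
MAX_CHECKIN_AGE = timedelta(days=7)            # MDM agent must report in at least weekly
TODAY = date(2013, 11, 1)                      # fixed clock so the example is deterministic


@dataclass
class Device:
    device_id: str
    owner: str
    platform: str                # "ios" or "android"
    os_version: tuple            # e.g. (7, 0, 3); tuples compare element-wise
    enrolled: bool               # enrolled in the MDM (step 1)
    encrypted: bool              # storage encryption as reported by the MDM agent
    passcode: bool               # device passcode enforced
    jailbroken: bool             # jailbreak / root detected by the MDM agent
    last_checkin: date           # last time the agent reported to the MDM
    has_phi: bool = False        # managed container holds patient data
    reported_lost: bool = False  # owner has reported the device lost or stolen


def findings(dev: Device) -> list[str]:
    """Return the policy rules this device violates; an empty list means compliant."""
    issues = []
    if not dev.enrolled:
        issues.append("not enrolled in MDM")
    if not dev.encrypted:
        issues.append("storage not encrypted")
    if not dev.passcode:
        issues.append("no passcode")
    if dev.jailbroken:
        issues.append("jailbroken or rooted")
    if dev.os_version < MIN_OS.get(dev.platform, (0,)):
        issues.append("OS below minimum version")
    if TODAY - dev.last_checkin > MAX_CHECKIN_AGE:
        issues.append("stale check-in")
    return issues


def action_for(dev: Device) -> str:
    """Map a device's posture to the response the policy prescribes.

    allow       compliant, may access patient data
    quarantine  block access to patient data until the findings are fixed
    wipe        lost device the MDM still controls: issue a remote wipe
    escalate    lost device the MDM cannot reach: hand to the breach process (step 5)
    """
    if dev.reported_lost:
        return "wipe" if dev.enrolled else "escalate"
    return "allow" if not findings(dev) else "quarantine"


def audit(devices: list[Device]) -> dict[str, tuple[str, list[str]]]:
    """Run the posture check over the whole fleet (step 3: audit yourself before OCR does)."""
    return {d.device_id: (action_for(d), findings(d)) for d in devices}


def breach_candidates(devices: list[Device]) -> list[str]:
    """Lost devices holding patient data whose contents cannot be assumed safe:
    either the MDM cannot wipe them (not enrolled) or the storage was never encrypted."""
    return [d.device_id for d in devices
            if d.reported_lost and d.has_phi and not (d.enrolled and d.encrypted)]


# Constructed sample inventory for the example; these are not real devices or people.
FLEET = [
    Device("ipad-01", "dr.alvarez", "ios", (7, 0, 3), True, True, True, False,
           date(2013, 10, 31), has_phi=True),
    Device("phone-02", "nurse.chen", "android", (4, 1, 2), True, False, True, False,
           date(2013, 10, 30), has_phi=True),
    Device("ipad-03", "dr.okafor", "ios", (6, 1, 3), True, True, True, True,
           date(2013, 10, 1)),
    Device("tablet-04", "resident.ng", "android", (4, 0, 4), False, False, False, False,
           date(2013, 9, 15), has_phi=True, reported_lost=True),
    Device("phone-05", "dr.alvarez", "ios", (7, 0, 3), True, True, True, False,
           date(2013, 10, 31), has_phi=True, reported_lost=True),
]

if __name__ == "__main__":
    for dev_id, (action, issues) in audit(FLEET).items():
        print(f"{dev_id:10} {action:10} {', '.join(issues) or 'compliant'}")
    print("breach process needed for:", breach_candidates(FLEET))
```

The distinction between "wipe" and "escalate" is the point of the example: a lost device that was never enrolled cannot be wiped, and one that was never encrypted cannot be assumed clean even after a wipe is sent, so both go straight into the breach-reporting process of step five rather than waiting on a wipe confirmation that may never arrive.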
With devices and Web applications quickly becoming a reality across all aspects of healthcare, it’s crucial for organizations to get a plan in place that keeps data secure, wherever it resides. Otherwise, they risk falling behind and losing patients’ good faith – and potentially incurring some big fines in the process.
About the author
Anders Lofgren is director, mobility solutions, Acronis. For more about Acronis and the company’s data management, data protection and disaster recovery solutions, visit www.acronis.com.