Guest post by Darren Leroux, senior director of product marketing, WinMagic.
Gone are the days when all personal health information lived solely in giant filing cabinets behind a receptionist's desk or in a hospital's administrative office. Today, patient data resides everywhere: desktops, laptops, smartphones, tablets and USB drives. Understandably so; given the rise of mobile computing and bring-your-own-device (BYOD) policies in healthcare, the once straightforward process of protecting patients' personal health information has become a complex and overwhelming undertaking.
Just the Facts
According to a recent study, 81 percent of healthcare organizations now allow employees and medical staff to use their personal laptops and mobile devices to connect to provider networks or access company email. Interestingly, the same study found that of those organizations enabling BYOD, 54 percent did not believe the devices were secure enough for the workplace. That lack of confidence is well founded: over the last five years, 65 percent of the data breaches reported to the Ponemon Institute occurred on laptops and mobile devices.
When we refer to personal health information at risk, we are not talking only about historical health records; a data breach casts a much wider net, exposing patient billing information, clinical trial data and even employee information such as payroll numbers. With so much sensitive, unprotected data up for grabs, we are inclined to ask: how? How is this significant rise in healthcare data breaches possible, and how do we stop it from continuing?
Below are the three most serious security holes in remote healthcare data practices, each of which helps answer that question:
Inadequate Resources & Budgeting Allocations
According to a recent study from Cisco, 63 percent of healthcare institutions do not feel they have sufficient resources to defend against a security breach. The same study found that 66 percent of healthcare institutions also felt their security budgets were not sufficient for the capabilities they need.
CIOs and CSOs do not have the luxury of waiting until the time is just right to invest in data security technology. Given the sensitive nature of the data at hand and the regulatory and compliance requirements of their industry, health leaders must adopt better practices for protecting personal health information.
Internal Employee Negligence
Basic human error continues to top the list of causes of data breaches. Employee negligence ranges from misplacing a USB drive holding private patient health information to leaving a laptop in a public place. Encryption is the only fail-safe way to ensure that private health information is not compromised when a device is lost or stolen. One caveat applies: encryption protects data only while the device is locked or powered off. A laptop left in a public place with its session unlocked hands the finder the data in the clear, and a disk key that sits unprotected on the same device protects nothing. Device encryption therefore has to be paired with authentication before the data is unlocked and with keys that a thief cannot recover from the hardware without a credential.
Violations of Government Regulations
According to a recent report, HIPAA data breaches have increased by 138 percent since 2009. It is easy to get caught up in the hype around compliance and regulation and miss the bigger picture of what the rules are trying to accomplish. Meeting the regulations should not be the goal in itself; healthcare CIOs and CSOs still need to perform a comprehensive, thorough analysis of their security infrastructure and of where the holes in their organization's security plan remain. Furthermore, compliance is a one-time snapshot of where things stand, or should stand, at the moment of assessment. Given the fluidity of IT and continually emerging threats and vulnerabilities, focusing on compliance alone is short-sighted and creates a false sense that mobile systems and information are truly secure.
As mentioned earlier, patient data is everywhere: mobile devices, laptops, desktops and even medical devices such as wireless heart pumps and mammogram imaging tools. Health data has evolved into a matrix of interrelated data flowing from patients to physicians, diagnostic clinicians, pharmacists and medical insurance billing specialists, among others. The industry as a whole must look beyond compliance-driven data security toward a holistic program that supports a long-term data security strategy. The most effective strategies are centered on protecting the data itself and not just the device; it is equally important, however, to preserve ease of use and accessibility.
As we look ahead, managing information risk is more than addressing check-box items. Healthcare CIOs and CSOs need first to understand what kinds of mobile and remote solutions they have in hand, how those devices put private health information at risk, and what can be done to remain secure.
We recommend that data be encrypted at rest on every device that holds it, mobile devices included. Encryption needs to be transparent enough that IT administrators working behind the scenes can integrate it across platforms seamlessly and without disrupting the end-user experience. Transparency must not come at the cost of protection, though: an encrypted device is only as safe as its key, so the key should be released only after the user or device authenticates, and recovery should be possible for IT through managed key escrow rather than for anyone who happens to hold the hardware. It is important to remember that, as important as data security is in healthcare, accessibility and providing the best patient care are top of mind for providers.