As more healthcare providers modernize their IT with cloud solutions and mobile devices, the opportunity for breaches increases dramatically. Hardly a week goes by without a major hospital or practice announcing a data breach. Breach reporting is costly, time-consuming and harmful to the reputation of otherwise legitimate practices. But is it really unsecured data, hackers or doctors sharing information that is causing breaches?
A quick analysis of the public data released by the Department of Health and Human Resources (HHS) reveals that from the first reported breaches in 2009 through early 2013, there were 572 breaches involving 500 or more patients (the threshold for reporting). Of these breaches, only about 10 percent came from hacking/IT incidents or improper disposal, while over half—51 percent—were a result of theft.
When you combine these details with the location of the breach, the picture becomes even more clear: 44 percent of the breaches are from laptops, 13.5 percent are from a computer, 13.1 percent are from portable devices and 10.5 percent are from network servers. That means a whopping 81 percent of breaches are from computing devices, and 57 percent are from mobile devices alone.
The security priority is apparent. Mobile devices cause the majority of PHI breaches and must be secured. While they aren’t foolproof and breaches can still occur, there are a variety of methods to control access to data on laptops, tablets, and smart phones on today’s market, as well as ways to wipe the device and track it.
Guest post by Garrett Taylor CEO of Uplift Comprehensive Services.
My organization, Uplift Comprehensive Services (residential services) is fully involved in “mhealth.” We use mobile high-definition video conferencing, which allows our doctors and clinicians to care for patients in geographically remote areas of North Carolina, and gives them full access to electronic health records and an easy way to collaborate each other. Along the way, we’ve improved patient service, enhanced productivity, and cut travel and office costs.
By combining video conferencing technology with a bring your own device (BYOD) mobile strategy, Uplift saves at least $500 for each scheduled physician visit. The thousands of dollars we save each year can be used instead to find grant opportunities for better patient care.
It’s not as hard as you might think to use video conferencing in a mhealth strategy. What follows is an explanation of Uplift’s mobile video conferencing approach.
Uplift Comprehensive Services has been in business for 12 years, covering 15 counties across North Carolina. We offer community-based assistance for children, adolescents and adults, with services substance abuse prevention to mental health treatment. Our treatment options include multi-systemic therapy, outpatient therapy, and medication management, among others. Continue Reading
Guest post by John Moynihan, healthcare segment manager, Global Industry Marketing, Siemens Enterprise Communications and Randy Roberts, vice president, mobility portfolio, Siemens Enterprise Communications.
Technology in business today can seem like a zero-sum game. When the employees win, they are able to do whatever it takes to be productive. But doing that tends to tie the hands of IT, keeping them from locking down devices and services well enough to make sure their information is secure. This situation is becoming more common in the medical industry, with clinicians and computing staff often at odds over convenience versus security. Doctors, traditionally reluctant to adopt new technology or take any risks with tried-and-true methods for caring for their patients, have taken to mobility as a duck to water.
Because access to patient information allows them to better do their jobs, doctors in particular are quickly adopting tablets and smartphones. And while they’re not ignorant of the security risks of these devices, particularly the potential for patient information to be lost or stolen, their focus is on caring for their patients. In fact, even if their business doesn’t provide or specifically allow for mobility, they are bringing their own devices into the office.
A recent Ovum study showed that almost 60 percent of employees bring some type of mobile device into the workplace. There are a few names for this, Bring Your Own Device (BYOD), Bring Your Own PC (BYOPC), Bring Your Own Phone (BYOP), User Introduces Unsecure Device onto My Network and Then Loses My Secure Data (UIUDOMNTLMSD).
Alright, so I made that last one up, but that is how most IT managers feel when the discussion is started about BYOD. An end user bringing a device to work is both a gift and a curse for any sized company. We see an increase in productivity but also the increased threat of data being lost or stolen. Having a strong mobile device management (MDM) strategy can help companies reap the benefits of BYOD while limiting the consequences.
Mobile device management is vitally important. Mobile devices are not going away and they continue to affect the professional setting, and managing the safety of mobile devices is important to organizations.
As a business leader with an enterprise to protect, one of the most important, and possibly easiest, steps to take is managing the safety of mobile devices. There is no way to avoid, or ignore, employee’s personal use of mobile devices in your “public” setting.
75 percent of mobile users believe it’s critical to their jobs to use a mobile device. Employees feel that using mobile devices makes their jobs easier, and they feel more productive. Employers also feel that allowing their employees to use the devices means their employees are always connected and always on.
85 percent of IT managers believe that the introduction of a mobile ecosystem has made the companies they manage more productive. With the exception of having to implement policies to monitor, protect and mange employee’s personal devices, mobile devices also help save companies money and create efficiencies.
Smartphones and laptops are the obvious front runner as the device most used in the workplace, but personal tablets are increasingly becoming more common in the professional setting.
According to CDW, 25 percent of mobile device users use tablets at work; 69 percent of tablet users use their own tablet at work.
The trend is expected to rise by 117 percent in the next two years. No surprise here. If you are surprised by this point then you might be wondering why this is so important.
Why? I’ll let Leiva-Gomez sum it up, as it does so aptly: “The CDW report concludes that 67 percent of IT managers aren’t even familiar with the concept of Mobile Device Management. Are you?”
MDM is much too important to ignore. Not taking an active role in its implementation or its management could put you and your practice’s health information in jeopardy. If swiped, stolen or ripped off, there’s also a pretty good chance you’ll face violations and fines for your HIPAA breeches.
If for no other reason, let this be a motivation for you. An ounce of prevention is worth a pound of cure, or so I’m told.
Regular readers of this blog will know that I spend a good deal of time focusing on managing mobile device data security in healthcare information technology, and the impacts of how breaches ultimately affect patients.
As such, I’m developing a strong interest in BYOD and the policies that need to be set in place to protect the information that all of us as consumers, myself included, hope remains safe.
So, I came across a piece recently by SecurEdge Networks that I think resonates, offering some of the best tips for managing mobile device data in the healthcare environment.
Though it’s a top 10 list, I’ll focus on what I think are some of the most important points. Feel free to let me know if you agree, or if you have other tips worthy of the list.
According to SecurEdge Networks, at number one of the list is basic security. It’s a must. Basic security typically comes down to simple use of strong passwords. In addition, staff members must be required to change their password after a certain amount of time, and a system must automatically lock after a certain period of inactivity.
Containerization of data, specifically on mobile devices, allows for the separation of personal and professional data. Setting up containers allows a personal device to be used in the workplace while protecting all of the company’s data in a secure container that can be wiped in the case of a lost or stolen device.
Next, limit which apps can be downloaded to a mobile device used in the workplace. There are tools available that completely block installation of outside apps on corporate and personal mobile devices, helping reduce the exposure to viruses or malware. According to SecurEdge Networks, “Having a corporate app store that has only pre-screened apps for the platform included is an effective tool for securing mobile devices that are used to access confidential information.”
Next up, one of the most basic steps one can take in a BYOD environment is to ensure that basic security software is installed. “Anti-virus and anti-malware programs should be installed and software firewalls should be put in place for each device,” cites SecurEdge Networks.
Finally, in what may be the most important tool available practices and hospitals engaging in a BYOD program is remote wiping. If a device is lost or stolen, having the capability to remotely wipe the device is essential. Some companies even go so far as remotely wiping any data on the corporate side of the device when it leaves a set geographical area. Since the data isn’t stored on the mobile device, this is an easier process. Personal data can also be wiped, which is attractive to employees who may have some initial resistance to having their devices accessed by their employer.
As noted by SecurEdge, employees who are allowed to use their personal devices in the workplace are often happier, more productive and always on. “Allowing employees to bring in their own devices can be an effective policy, boosting productivity and reducing operating costs.”
On this subject, there’s more to come; stay tuned.