Aug 5, 2016
3 Ways to Find the Sweet Spot Between Healthcare Mobility, Security and Compliance
Guest post by Ben Oster, product manager, AvePoint.
Balancing the strategic needs of a business with the user-friendliness of its systems is a daily struggle for IT pros in every industry. But for healthcare organizations, safeguarding the data living in these systems can be especially daunting. According to a study by the Ponemon Institute, healthcare is a minefield for various security hazards. Within the last two years, 89 percent of healthcare organizations experienced at least one data breach that resulted in the loss of patient data. As healthcare businesses and the patients they serve adopt a mobile-first approach, providers must strike a balance between innovation and risk to prevent patient data (and internal information) from falling into the wrong hands.
The use of mobile devices and apps certainly enhances patient-provider relationships, but these complex information systems present new concerns surrounding compliance, security, and privacy. As employees and patients increasingly adopt smartphones, tablets, and cloud-based software into their daily lives, healthcare leaders must prioritize users’ needs while mitigating security risks. Mastering this dynamic requires healthcare companies to balance mobility trends like BYOD and cloud computing with regulatory requirements like HIPAA.
To lower the risk of data breaches, healthcare organizations need to defend their systems by identifying, reporting on, and safeguarding sensitive data. Here are a few steps the healthcare industry can take to join the mobile revolution without compromising security:
Start with discovery – Traditionally, healthcare organizations have taken a “security through obscurity” approach to protecting data, relying on the ambiguity of the data in their systems to ward off malicious attacks and breaches. But as technology emerges that personalizes patients’ end-user experience – such as online patient portals and electronic medical records – healthcare organizations’ data becomes less obscure. With patients and medical staff accessing this data through a range of devices and workflows, knowing precisely what content exists in a healthcare organization’s infrastructure is essential to security. That’s why discovery is the first step to safeguarding content. Healthcare IT teams should also roll out internal classification schemas to determine which user groups need access to this data. By categorizing content based on these factors, healthcare companies can lay the framework for a truly secure system.
Implement proper access controls – Once you’ve classified your data, it’s time to ensure that the right people have access to the right information. In many cases healthcare data breaches aren’t caused by weak spots in the network or specific applications, but by the way access controls are managed. For this reason, hospitals and other healthcare institutions should grant role-based access to data and applications on a need-to-know basis. There should also be standards in place for controlling physical workstation access and use of clinical applications. The federal government’s meaningful use standards push for two-factor authentication methods for EHR and EMR systems as well. By incorporating this extra layer of security, organizations can better authenticate who has access to what data and on what device.
Create policies that enable mobility and protect data – Limiting access to sensitive data is essential, but an effective IT compliance and governance strategy is the real shield against breaches. Healthcare IT leaders must create and enforce policies around data governance. By regularly training employees on your security policies and creating a culture of compliance, organizations can inspire better employee security practices.
Auditing tools also allow compliance managers to report on access levels and where patient records live. When it comes to ensuring compliance, IT also needs to confirm that all devices on the network are HIPAA compliant. For the sake of mobility and security, BYOD programs need to be monitored closely in terms of how many devices are on-boarded, where devices are used, and what permissions are granted on each device.
Mobility will only continue to transform the healthcare industry. Now more than ever, it’s critical to deploy the right tools to reduce security risks and mitigate the repercussions if hit with a breach.
To protect your data, you need to understand its content first. The best data loss prevention solutions alone aren’t enough to defend healthcare organizations against harmful (and costly) data breaches. An integrated strategy that addresses security, privacy, and compliance challenges is needed to keep the network and patient data safe. Once data is assessed and properly classified, healthcare organizations can more confidently embrace mobile tools that enhance care and patient-provider communication.