Like it or not, BYOD (bring your own device) is a topic that’s not going away. Some consider it a fad, a conversation piece and a topic passé. But, the same was said of the personal computer, the Internet and now, mobile devices in the workplace.
I’ve spent a lot of time recently focused on the work of Gartner, and today is no different. The analyst firm produces some great content and provide some great thought leadership advice and BYOD is no different. Healthcare leaders would do themselves a favor to take note of the following tips from the firm (specifically, Stephen Kleynhans, in this case).
Organizations today must address their BYOD challenges. They are everywhere, in every organization. Users continually and ever more so utilize their own devices, and the trend continues to grow. Doing so, so the argument goes, is that employees’ own devices boost productivity. It’s an argument that’s been said over and over thousands of times.
According to Gartner, users and organizations need to understand BYOD issues and challenges including “security risks from data leakage; financial risks from device cost or support/network contracts; and, compromised compliance/certifications from using sensitive services (location services, GPS etc.). Here is what Gartner feels are the key issues in BYOD adoption in this context.”
Simply put, as we’ve previously discussed here, BYOD is said to help employees perform their roles more efficiently, which is particularly the case for home health professionals and those on call. Additionally, BYOD is supposed to limit tech budgets for organizations, and in large health enterprises this makes a great deal of sense. Essentially, the burden for technology and upgrading it lies on the employee. When they want a new device, they purchase and upgrade it. Obviously, this takes a great deal of pressure off of an organization that might otherwise be forced to upgrade and purchase the technology on an ongoing basis.
“Well framed, comprehensive BYOD policies addressing these issues and challenges can help shift cost to the users and reduce support burden on IT for non-strategic devices,” said Gartner’s Kleynhans.
Additionally, he states that BYOD in in its current form is “largely a ‘don’t ask/don’t tell affair’” where users do what they can, because they can, and devices belonging to senior executives have probably already been made in your organization.
“Prior to instituting formal BYOD, issues related to regulatory, security and compliance need to be reviewed, and an employee’s personal liability and the company’s obligation to its investors or customers may not always be linked. Consider that the loss of user-owned devices carrying sensitive data might lead to serious trust deficits that might be difficult to recover from. If you lack adequate MDM and data protection controls, instituting a BYOD program might backfire,” states Gartner.
Mobile access to company resources should only be granted incrementally based on the users role and needs within the organization, and assigning differing levels of authentication to programs, device fingerprints, location and so on.
“BYOD issues around administering diverse environments will require segmented, policy-controlled architectures, where application delivery focuses on isolating company data rather than targeting complete device control,” said Kleynhans about a concept also known as containerization.
Wherever control of a device or data is not possible, encrypt. “Approaches such as Web apps, virtualized apps and hosted virtual desktops may be used on the server side, complemented on the client side by secure access clients, sandboxes, thin clients and trusted computing devices/dongles.”
Launching BYOD is challenging, and requires a thorough due diligence. Gartner sums it up beautifully: “Extend existing policies wherever possible and ensure that the full range of interested parties such as IT, business, HR and legal are involved to cover all contingencies and legal requirements. Further, your policies need to define clearly what can and cannot be done with employee-owned devices; the level of enterprise network access; privacy restrictions; exceptions; penalties; and, most importantly, liabilities.”
EHR review sites seem to have taken hold. Press releases and announcements galore, they proliferate the web like nearly other consumer review-based site. In the latest round, one of the newest sites, EMR-Matrix, essentially announced its existence and that its staff and leadership would be present at one of healthcare’s largest tradeshows – HIMSS.
What better a place to try to sell its product where the very companies that it will likely hold hostage through its so-called independent review will be present.
According to the company’s release, “The new website offers a way for doctors and health systems to evaluate, test and read reviews of electronic medical record software systems, as well as provide feedback on their own experiences with their existing EMR and practice management systems. Unlike other sites, EMR-Matrix is user content driven and strives to provide the most candid feedback possible about each EMR system.”
I absolutely believe that the (free) market needs dedicated resources that help consumers find the best products at the best prices while exposing a company’s weaknesses and touting its greatest successes, but I’m not in favor of sites bent on trying to manipulate the system.
I may be in the minority, but I don’t believe in review sites, and I don’t use them. Too often, the reviews are skewed toward the negative, the sounds of the blathering loudmouth without a better venue to employ turns to the web and spouts off. They do almost nothing to keep me from experiencing something I want to experience. Certainly, I don’t believe an un-vetted review site about electronic health records is going to do much to sway my opinion one way or another about the quality of a product being professionally produced by a software vendor, but it may sway the opinions of others.
Essentially, the site is taking the business model that Software Advice utilizes and is trying to position itself as another unbiased source of information that also uses aggregated customer reviews to provide the “true” sentiment of a system and its capabilities.
If nothing else, this is just another form of KLAS, which I’ve always been suspect of. Based on my experiences in house at an EHR vendor, I’ve seen the data used to compile the reports and with the conclusions these types of reports drawn, there is a great deal left to the imagination. Companies – Allscripts is an example – that choose not to subscribe to the KLAS and, therefore, forgo receiving the KLAS reports should earn everyone’s respect. They don’t bow to the peer pressure of inclusion and they understand that for the most part, the reports or worth far less than the paper they’re printed on (even though vendors pay upwards of $60,000 to see them). Nevertheless, the data in the reports are suspect and thin, and given the strangle hold KLAS has on vendors, to not subscribe is virtual suicide for the vendor (Allscripts is big enough not to have been too deeply affected, though its products are never anywhere near the top of the rankings in the KLAS reports).
That said, EMR-Matrix and others that come along might do more damage than good. If nothing else, in my opinion, at face value, they seem to be out to capitalize on the market. Let’s hope the consumers of health IT and EHRs see through this thinly veiled attempt, but there’s still some skepticism on my part that this will be the case. My blogger colleagues have agreed with me so I hope those in the market for a new EHR will actually do a little shopping around and testing rather than simply relying on a site such as this.
Unfortunately, some of the collateral damage of a site like this is like that of a “bad” restaurant — once the review hits the web, it pretty much lives there forever. For people like me in PR, and those around me who are actually dedicating their lives to developing what we believe are good, solid, high-quality products to better healthcare, physician’s practices and patients’ lives, we lose because of sites like this. We’re the ones who lose sleep. We’re the ones that lose our jobs. We’re the ones who lose – because of a site that’s pairing the information provided with those seeking it, as relevant.
Having spent most of my career on one side of a note pad while looking at a source on the other, I’ve often wondered if others have felt the way I have about trying to connect with the story tellers I’ve come to rely upon for my professional endeavors.
As professional reporter and freelancer, I’ve spent much of my life trying to connect with and extrapolate information from those who have it to give and turn that information into compelling stories for the world to read. And, in many cases, even as a public relations professional who worked for an EHR vendor to tell stories to the media about our technology and how physicians used it to improve practice efficiencies and establish their electronic health records, I asked myself the same question: Am I connecting with those I’m speaking with while I work to paint their pictures with my words.
Even now, as a blogger and freelance PR professional I continue to ponder the same question. And, I’ve wondered, if I feel this way when I’m writing a story and the only thing coming between me and my source is a pad of paper, how must it be then for physicians that are now using computers to take notes and build cases histories for their patients during their exams?
One day this argument will be settled as a new generation of docs enters the workplace and take over practices left by their predecessors as they will never know an exam room without some sort of technology – computer or mobile device – but one can’t but help feel (at least now in the infancy of the true EHR days) that there has been a change in the way your physician practices now that he or she has a computer next to your exam table in the exam room.
I’ve noticed that the doctor seems to be some great distance away from me as if I’m having a conversation with someone 1,000 miles away. It’s the same thing as when you are in a conversation with someone while you are toying around your iPhone or Blackberry. You’re there physically, but in mind you are a long way away.
The same can be said for drivers who chose to talk on their phones. Clearly, the individual is behind the wheel letting their body’s muscle memory carry them through the task of shifting, steering and turning, but their cognitive thoughts are in the place of purgatory somewhere between the road in which they are driving and the person on the other end of the line.
With this in mind, just how much is being conveyed and captured by the physician who’s tapping away at their keyboard while their trying to guide you through the eight-minute office visit?
Speaking from the perspective of a professional journalist who has made a career of trying to capture the facts, figures and stories of those sitting next to me while I’m typing or writing away, I can safely say that much is being lost. This is especially true since shorthand and transcription is a skill not being taught at our top medical schools and residency programs throughout the United States. Heck, we can’t even get our young med students trained on using electronic health records prior to graduating into real life so why should we expect our doctors to have the skills of a professional journalist or court reporter.
So, if I still have problems at times with connecting to sources even with nearly 15 years of experience, I can guarantee you that physicians, who don’t make a living at capturing the heart of a story or even its most important elements, that not all of a patient’s most important information will end up in their health record.
As 2013 gets underway, we are in the midst of a health information revolution. As many healthcare providers continue to struggle to implement electronic health record systems and meet meaningful use requirements, the promises of this revolution may seem distant, even non-existent. Indeed, many providers rightly complain that implementing EHR systems has only brought increased expense and declining productivity as they adjust to the new systems. The promises of interoperability, better outcomes, reduced medical errors and lower costs in many cases have not yet been realized.
For others, the promised benefits of electronic health information may be closer at hand. For example, The Wall Street Journal recently reported that two big names in healthcare – UnitedHealth Group, Inc. and Mayo Clinic – will form a new research company to mine de-identified health data from millions of health claims and medical records to identify best practices. This seemingly reflects a realization of one of the touted benefits of electronic health information – to change the way healthcare is provided and to reduce costs by analyzing health outcomes information.
Notwithstanding the electronic growing pains within certain quarters of the provider community, digital health is flourishing and driving the health information revolution. While the provider and payor communities were formerly the sole source of health information, consumer demand for digital health and control over health information is moving the center of the health information universe more toward individuals (the new paradigm) and away from providers and payors (the old paradigm). Both patients and providers report increased use of the Internet to diagnose medical conditions. Digital health services provided via the Internet, smart phones, cable, Bluetooth-enabled devices and other wireless technologies are putting health information at consumers’ fingertips and unlocking it from the confines of providers and payors.
Consumers want their devices to do more, and make health information and services available to them as easily as they may use their phones to search for a restaurant. Smart phone chip manufacturer Qualcomm has established a $10 million prize to develop a mobile medical computing device, inspired by the tricorder device from “Star Trek.” Smart phones and many medical devices now include multiple sensors that can be employed for a variety of health-related purposes and health-related sensors are increasingly being incorporated into clothing and home monitoring equipment. These activities are generating massive amounts of digital health information, facilitated by declining costs of data storage available through the cloud and other low-cost digital storage media.
While providers may no longer be relied upon as the sole source of medical information, they will continue to be relied upon for their medical judgment. Because of the exponentially increasing availability of health information, including genomics information, which is relevant to clinical decision-making, providers will have a significantly higher burden to digest and analyze this available information and manipulate it in the clinical setting. Look for increased use of and demand for data analytics tools in the clinical setting.
In the meantime, our regulatory regime for data privacy and security, including HIPAA and HITECH, is based on the old paradigm and severely inhibits the health information revolution. Ironically, HIPAA, which was intended to address privacy and security in a digital age, stands as a major impediment to digital health. It does so, in part, because it assumes that health information rightly resides with providers and payors (HIPAA-covered entities), rather than with their business associates (including many digital health companies) or consumers. Indeed, with limited exceptions, HIPAA requires that any business associate of a HIPAA-covered entity either return to the covered entity or destroy patient information where feasible when the relationship between the business associate and the covered entity ends.
That requirement effectively constrains information from easily following the consumer, a major objective and promise of the health information revolution. For example, HIPAA makes it difficult for a wellness company to continue to serve an individual if that individual changes health plans or the wellness company stops doing business with the individual’s health plan. In 2013, look for increased pressure to reform HIPAA to allow information to be more readily accessed by consumers and digital health companies. The more than 500 pages of new HIPAA Omnibus regulations that were issued on January 17, 2013, do not change this underlying assumption or effectively address the new paradigm of a patient-centered health information universe.
At the same time, increased use of mobile media by healthcare providers continues to challenge those who are responsible for protecting that health information. Theft or loss of mobile media, including smart phones, laptops, tablets and flash drives, continue to be among the largest source of data breaches, prompting the federal government recently to issue specific guidance on how to use such devices in compliance with HIPAA. (See,
This guidance recommends limiting offsite use of mobile media that may contain health information. While this position is understandable, it reflects the old paradigm view that information remains within the control of the providers and payors and ideally not leave the controlled environment of their facilities. Healthcare facilities and other companies that use mobile media containing patient information will continue to face challenges with implementing use of such devices, given the current regulatory regime.
Drew Gantt leads Cooley LLP’s Health Care and Life Sciences Regulatory Practice. Gantt is a partner in Cooley LLP’s Business Department and a member of Cooley’s Life Sciences Practice Group. His practice focuses on healthcare and life sciences regulatory counseling, complex transactions and strategic business advice.
I’m not unique in that during this time of year I love to take a look at predictions made by some of the industry’s “best” and see if their predictions make sense, are surprising in a good way or if they are surprising in a stupid way.
With that in mind, I came across an interesting piece in Canadian Manufacturing of all places that features several intriguing predictions by analyst firm Gartner that I think are worth a look here as they have peripheral relation to healthcare.
So, here we go. Gartner’s top IT predictions include:
By 2015, big data demand will reach 4.4 million jobs globally, but only one-third of those jobs will be filled. According to the report: “The demand for big data is growing, and enterprises will need to reassess their competencies and skills to respond to this opportunity. Jobs that are filled will result in real financial and competitive benefits for organizations. Note that enterprises need people with new skills—data management, analytics and business expertise and nontraditional skills necessary for extracting the value of big data, as well as artists and designers for data visualization.”
In a market like healthcare, where highly skilled jobs are often difficult to fill, we should understand this prediction to be very true and one not to take too lightly. Some of these job vacancies will be at health system that needs the data to meet federal reporting requirements. The individuals with these skills will have a great deal of clout as they eventually move into the job market.
Employee-owned devices will be compromised by malware at more than double the rate of corporate-owned devices. “Corporate networks will become more like college and university networks, which were the original “bring your own device” (BYOD) environments. Because colleges and universities lack control over students’ devices, they focus on protecting their networks by enforcing policies that govern network access. Gartner believes that enterprises will adopt a similar approach and will block or restrict access for those devices that are not compliant with corporate policies. Enterprises that adopt BYOD initiatives should establish clear policies that outline which employee-owned devices will be allowed and which will be banned.”
BYOD continues to rear its head so don’t be caught unawares. AS Gartner predicts, you must have a plan for mobile device management and personal device use in the workplace. Ignorance is not bliss, in this case, and since employees are currently using their own devices in the healthcare setting where very important personal information can be exposed, develop a policy, stick with it and let your employees know you have one in place. Circulate it!
By 2016, wearable smart electronics in shoes, tattoos and accessories will emerge as a $10-billion industry. “The majority of revenue from wearable smart electronics over the next four years will come from athletic shoes and fitness tracking, communications devices for the ear, and automatic insulin delivery for diabetics. CIOs must evaluate how the data from wearable electronics can be used to improve worker productivity, asset tracking and workflow.”
Healthcare will play a role in how wearable electronics and traceable devices are used to track the health of individuals, especially in outpatient and in-home care. The data from these devices will flow directly into your EHR and become part of the patient record. Physicians will be forced to learn the benefits of these devices and patients are going to need to accept it.
By 2014, market consolidation will displace up to 20 percent of the top 100 IT services providers. “The convergence of cloud, big data, mobility and social media, along with continued global economic uncertainty, will accelerate the restructuring of the $1 trillion IT services market. By 2015, low-cost cloud services will cannibalize up to 15 percent of top outsourcing players’ revenue, and more than 20 percent of large IT outsourcers not investing enough in industrialization and value-added services will disappear through merger and acquisition. CIOs should re-evaluate the providers and types of providers used for IT services, with particular interest in cloud-enabled providers supporting information, mobile and social strategies.”
The prediction smacks of the ongoing discussion about the EHR vendor market and how much longer it can contain the number of players. Certainly, we’re seeing deterioration of this segment now, though it has been expected to erode more quickly than it has. Expect there to be fewer EHR vendors in the next 12 months, and realize that no vendor is too big to fail (see Allscripts). Prepare early and do your due diligence before signing the dotted line.
I’d love to know your thoughts. Do you agree with these predictions and my assessments? What are yours?
In a great new white paper, “Essential Enterprise Mobile Security Controls,” sponsored by Blackberry and posted by Tech Target, mobile device security is the feature show. As it continues to be the main event for mobile technology, mobile devices will continue to be used to carry high-value personal and company information, as expected.
When personal devices are disconnected from company networks, security risks were relatively low, according to the report, but as the technology permeates and its use becomes even more closely connected to the work environment, the risks to security increase significantly.
Apparently things have been pretty slow until now, but that’s not likely to last. The turning point is here and hackers are on the move, including on iPhones, as well as the Android market place. Given these continual threats, and the importance of the data healthcare organizations protect, the need for improved mobile security controls an imperative for any organization looking to leverage mobility for competitive advantage.
According to the report, “A key challenge for improving mobile security is to understand what tools are available and how they can be leveraged.”
The following is a list of must-have mobile device security controls to protect workers and organizations, again according to Blackberry:
Device security. Remote lock, wipe and backup/recovery can help reduce the risk associated with lost or stolen devices. According to SearchSecurity.com, lost and stolen devices rank among organizations’ top mobile security concerns, and for good reason: “The easiest way to lose data via a mobile device is to lose the device itself. Every enterprise sanctions (or doesn’t prohibit) BYOD must ensure that any supported device can be locked and erased remotely, and that valuable data is backed up to a location under the organization’s control.”
Network security. The increased number of smartphones and other devices that are carried into the enterprise by end users increases the threat to corporate networks.” Attackers have started seeking ways to use unsecured mobile devices as a means to leapfrog into otherwise protected areas of the network, including databases.
Malware defense. The oncoming wave of mobile malware requires protection, like antivirus, personal firewalls, Web filtering and anti-spam. “It’s becoming necessary to invest in mobile add-ons from traditional antimalware vendors, or consider a mobile device management (MDM) product that can, among other things, facilitate the extension of anti-malware to a variety of mobile devices.”
Threat intelligence. Large enterprises should invest in threat monitoring tools and research teams, and train them on how to not only identify mobile threats, but enable rapid response. These functions can be closely tied to existing log analysis and security information and event management (SIEM) processes. “The most important tactic here is to develop a baseline of “normal” mobile device activity and use analytics and real-time monitoring to spot deviations that may be a sign of an attack.”
Centralized management. Central management tools provide a “single pane of glass” to set and enforce policies and perform many other security-related functions across all mobile devices. This is becoming an increasingly important capability in organizations where multi-platform support is essential.
Data encryption. Files, contacts and email need to be encrypted on mobile devices in the event of loss or theft. Each platform comes with different encryption challenges, some requiring additional encryption application for the data that lives on the device. While the market for mobile encryption for data in motion is immature, new options are emerging all the time.
Over-the-air capabilities. Mobile security requires over-the-air provisioning and configuration to ensure that workers always have the latest security capabilities without burdening IT, forcing them to physically touch each device. As demand grows for an increasingly diverse landscape of mobile devices, this feature is crucial for enterprises that need to scale their mobile security provisioning efforts.
According to the report, and this is a nice summation of the report (and I quote): “Mobile security is still in its infancy, but the trends around connectivity, device evolution and worker mobility means organizations must start planning their mobile security strategy now, and that process begins with assessing what mobile security controls are needed and developing a plan to put those controls into action.”
There’s a special place in my heart for electronic health records. Having worked with one of the largest vendors (at the time; the company has since shed about 20,000 of its physician users) I understand their capabilities and how they can benefit a practice beyond just how they are marketed. EHRs are one of the reasons I started this blog, in fact. If I could spend more time on them and keep people interested in this site, I would, but not everyone feels that way I do about them so I’m forced to broaden my horizons and cover a variety of other topics.
Alas, I also feel we’re entering their final days glory days. I believe 2013 will be the year of transition in which we as a market decide that EHRs are foundational and that other, new technologies are emerging that will either make EHRs better or render them essentially useless. Until then, though, I’ll allow myself to continue to focus on them from time to time and hopefully you’ll find the information relevant, which brings me to today.
Found an interesting piece in Executive Insight magazine by Meditab’s VP of Marketing, Kirk Treasure. Though Treasure makes the claim (like most EHR vendors continue to do) that EHRs are increasingly important to the continued streamlining and delivery of patient services, but he says, because of a recent KLAS report, that practices and health systems are becoming dissatisfied with their EHR vendors and their systems.
This really comes as no surprise and has been expected. Some of this has to do with vendors trying to get by on the status quo while some of this has to do with crippling meaningful use regulation. Some of it has to do with promises not kept or promising too much (which is usually the case), but again, there’s nothing surprising here. It’s where we are in the market.
According to Treasure, there are two reasons for this wave of provider dissatisfaction.
One: “Many physicians are basing their decision primarily on cost factors, not realizing that cheaper is not necessarily better.”
Two: “Many practices are not 100 percent comfortable with their own internal processes, and as a result, purchase an EHR system that does not satisfy their needs.”
Treasure warns those in the market for an EHR to take their time to evaluate their needs and future goals of the practice then look at what they can realistically afford to invest in a system. “It’s important to weigh out whether or not a perceived expensive initial cost will save you money in the long-run,” he said.
“Next, analyze your workflow to see which processes you would like to maintain and what areas you would like to improve,” he added. “This will help in cultivating efficiency and organization throughout the practice, while ensuring that your EHR system supports your goals.”
Treasure continues his golden advice. Vendors need to look for systems that meet the specific requirements of their practice and to understand that there is no “one-size-fits-all solution,” even within the same medical specialty. Once a list of vendors has been narrowed down, check references (this is an absolute must) and try to speak with several clients that have been using the system for at least a year. According to Treasure, “They can tell you about any obstacles encountered during the implementation, their support experience and the benefits from making the switch.”
Here are some other suggestions to purchase the right EHR system for your practice and avoid a costly mistake, from Treasure:
• Understand the total cost of ownership of each vendor’s pricing structure. For example, some cloud-based vendors provide EHR services on a subscription basis. Paying $400-$600 a month for a five-year contract period would result in a $30,000 commitment plus the initial investment for implementation and training. Alternatively, the total cost of ownership for a server-based office system with a $10,000 upfront cost and a $200 monthly maintenance would only be $22,000.
• Look for hidden costs in the contract, such as additional fees for in-person training, document management services, EDI setup, or annual maintenance fees in addition to the monthly support costs. Also, watch for provisions that allow the vendor to increase fees during the course of the contract.
• Ask the vendor if the system will accommodate any potential changes in your practice model. This could include, for example, joining an accountable care organization (ACO), adding telemedicine services or expanding upon the practice concentration in the future (i.e. bariatric, weight management, etc.).
• Consider the EHR system from the point of view of the patient, as well as the physician and office staff. For example, is the EHR system easy to use in the examination room? Does it provide reports on waiting times or other service delivery issues?
• Be sure that you “own” the data under the terms of the contract. Some vendors charge a fee for exporting the data to a new system before the contract expiration date.
• See if there are provisions that would allow you to get out of a contract after six months or a year. This is essential if the system ends up not working for you.
• Finally, be sure you are comfortable with the vendor. In many cases, a smaller or mid-size company can provide a higher level of personal service. That’s an important consideration in helping physicians and office staff take advantage of the many potential benefits of deploying an EHR system customized to the needs of the practice.
Guest post by: Jared Rhoads, Senior Research Specialist in CSC Healthcare.
There is no gentle way to put it—cyber criminals from around the world are out to steal your personal health and financial information. And, if recent studies are an accurate reflection of the state of security in the healthcare industry then criminals have ample opportunity to do harm.
The past five years has seen rapid growth in the digitization of healthcare records and the online sharing and transmission of personal and financial data. Healthcare organizations have taken many of their information capabilities online, and they have embraced new technologies like portable media and mobile computing. However, they have not always been able to keep up with leading edge security practices.
Experts warn that the healthcare industry lags in addressing known problems and implementing basic remedies. Many hospitals and practices, for example, have been slow to encrypt their data sources properly and to deploy basic network monitoring. An investigative report by The Washington Post found cases of medical staff at hospitals using unsecured computers to connect both to internal networks and the public Internet. A 2012 government review of industry security cautioned that the way in which some organizations offer remote connectivity to physicians could introduce additional security risks.
Inadequate security practices have enabled cyber crime activity to thrive. According to the federal government, an unprecedented 21 million Americans have had information from their medical records lost or stolen since 2009. Nearly three-quarters of healthcare organizations report having experienced some kind of data breach or security incident in the past 12 months, and 94 percent of report at least one data breach in the past two years.
While not every data breach is necessarily a case of cyber crime, the incentives attracting cyber criminals to the scene are high. According to the World Privacy Forum, a stolen medical record now has a street value of roughly $50, compared to $14-18 for a credit card number or $1 for a Social Security number. Thieves use the rich medical and financial information to commit various forms of identity theft, including receiving free care, filing false patient claims to payers, and forging prescriptions.
Fortunately, medical-related cyber crime is receiving increased attention and awareness is on the rise. Healthcare organizations are beginning to move beyond simple risk assessments and venture into implementing more sophisticated anti-cyber crime solutions.
To address vulnerabilities and combat cyber crime, organizations need to take aggressive action and augment their security strategy using a variety of new approaches and technologies. Here are six ideas that all healthcare organizations can consider in 2013:
Implement automated network monitoring tools. Use automated tools to assess network vulnerabilities and monitor for breaches and unauthorized activity. Monitor key egress points to see what is being sent outside the walls of the organization, where and when it is being sent, and to whom it is being sent.
Deploy adaptive multi-factor authentication. Biometric patient identification systems based on fingerprints, palm vein patterns and other physical attributes can help guard against certain types of medical identity theft and insurance card fraud. User authentication requirements should also change dynamically based on where users are logging in from and what they are trying to access.
Consider outsourcing some or part of your security needs. Researchers at the Ponemon Institute have found that roughly a third of health organizations admit that they do not have the technology, budget or trained personnel necessary to handle today’s security challenges. Managed security service providers (MSSPs) offer a cost-effective way to have 24-hour network monitoring, incident tracking and immediate incident response.
Offer training, guidance, and approved versions of mobile apps for employees. Role-based employee training on mobile device security and guidance is critical to maintaining good security practices. Additionally, hospitals can offer enterprise versions of mobile apps and provide safely partitioned areas of the network for the apps to run upon.
Patch, secure, and monitor medical devices. Medical devices such as IV pumps, pacemakers, and bedside equipment are a new target of choice for cybercriminals seeking to wreak non-financial havoc. To combat this threat, ensure that devices are virus-free prior to installation, and encourage biomedical engineering teams to communicate freely with IT support teams.
Consider cyber insurance. New insurance products are coming to market that are designed specifically with healthcare organizations and HIPAA-covered entities in mind. Policies can defray breach-related costs, such as legal defense, privacy notification and even federal fines and penalties.
Cyber crime is a serious threat to health IT security, and it is unfortunately not going away anytime soon. However, by moving beyond the simple risk assessment and adopting a multi-faceted security strategy, prudent healthcare organizations can take significant steps to protecting their patients’ information and mitigating risk.
Jared Rhoads is a Senior Research Specialist in CSC’s Healthcare group. He consults, researches, and writes on a broad array of topics relating to healthcare technology, trends, and legislation.