
What's the healthcare industry doing about BYOD?

DQI Bureau

Over the past few years there has been a lot of talk about the explosive growth of the mobile and personal device industry. Global mobile phone revenues are predicted to reach $1.6 trillion; even that sizeable sum pales in comparison to the US healthcare industry, which is estimated at about $3 trillion. The two industries are growing together, and that growth is popularizing the bring-your-own-device (BYOD) movement throughout hospitals and healthcare organizations.


Against that backdrop, the Stage 2 meaningful-use guidelines introduced by the Centers for Medicare and Medicaid Services (CMS) last year placed heavier restrictions on the electronic communications used by healthcare organizations. BYOD has been a growing cause of concern among IT professionals in the industry, and the standards were updated to better protect patient privacy.
To make sure these rules are followed, the HHS Office for Civil Rights (OCR) is conducting more audits than ever, which has left patients and institutions asking: "What are healthcare organizations doing about employees who bring their own devices to work?"

The Stage 2 guidelines come at a time when about 85 per cent of hospitals allow employees to bring and use personal devices in their facilities. This haphazard approach is causing a headache for IT teams, because they can no longer be certain that every piece of sensitive patient data is secure. E-mails are being sent from smartphones and records are being stored on iPads, and without the right procedures and technologies in place this can have serious consequences.

For instance, consider the September 2012 case of Massachusetts Eye and Ear, in which OCR reached a $1.5 million settlement with the institution after an unencrypted laptop holding patient data was stolen. That is a sizeable sum for a single device, considering how many healthcare employees rely on smartphones and laptops to store and access that kind of information. Laptops are somewhat expected in a hospital environment, but add tablets and smartphones to the mix and the potential points of breach multiply.


So, how can hospitals make sure that this influx of devices does not mean a big decrease in security?

Acknowledging and adjusting to a BYOD reality
Even if hospitals were bold enough to do it, banning devices outright is not an option at this point. About 70 per cent of IT specialists and physicians already use mobile devices to access electronic health records, and, as more healthcare solutions go wireless and mobile, we can expect BYOD to become integral to health services. Gartner predicts that the annual market for wireless solutions in healthcare will reach $1.7 billion by 2014 and, by 2015, there will be about 500 million people using wireless health and wellness applications.

In light of this, it looks like healthcare will practically be running on personal devices instead of proprietary infrastructure within a few short years. To prepare, the industry first has to acknowledge that this is a major change when it comes to HIPAA compliance. The meaningful-use Stage 2 guidelines were a step in that direction, but it does not look like most organizations have followed suit.
One survey conducted by the nonprofit (ISC)² showed that many healthcare IT professionals feel they are too understaffed to adequately face IT threats, with 59 per cent saying that privacy violations are their biggest worry.


Their concern makes sense, since all it takes is a misplaced iPad to set alarm bells ringing. But that is all the more reason for IT teams to put a process in place that deals with these issues. Can sensitive data on mobile devices be wiped remotely? Is it automatically synced to another platform, so critical information is not lost when a device is? Consumers are asking these questions too. A recent study by the PricewaterhouseCoopers Health Research Institute showed that 39 per cent of consumers are concerned that caregivers can bring their own devices to work and store sensitive data on them. BYOD security is therefore not just a matter of avoiding fines from the OCR and keeping patient data safe; it is a matter of personal privacy too.

What healthcare needs to do
At first glance, it seems like the healthcare industry is stuck between rigid regulations and the unavoidable BYOD phenomenon, which enhances collaboration, connectivity and results. The changes may be happening fast, but that does not mean that IT departments are powerless, especially if they consider these five steps to prepare for BYOD security in the years ahead:

1. Implement mobile device management (MDM). The first step is to get healthcare employees to enroll their personal devices in the organization's MDM, which reduces regulatory risk by centralizing device management. With every device enrolled, IT can verify compliance with policy down to granular details such as encryption, passcode and OS status, and who accessed what and from where.


2. Secure data with mobile file management (MFM). Once the organization's devices are centrally managed, there needs to be a careful evaluation of how data is accessed, stored and used. Data traveling to and from devices needs to be encrypted in transit and at rest, and IT needs to be able to control whether files can be deleted, restored, modified or shared, no matter where the information is or how it is being used.

3. Check for security issues. OCR audits will not come as a surprise if IT departments regularly audit the network and the device fleet themselves, closing gaps and updating security infrastructure as they go.

4. Make the solution user friendly. When you overhaul network security, there is bound to be some confusion among employees when it comes to accessing the data they need. By holding training sessions and using a tool that is intuitive and user friendly, healthcare organizations can prepare everyone for the changes and make sure the transition goes smoothly.


5. Have a strategy for the worst-case scenario. When training employees in the proper and secure use of their devices on the network, IT should also create a step-by-step process for reporting a lost device or suspected breach. That way, teams can respond as quickly as possible, for example by wiping the device remotely, before personal data is exposed.
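To make steps 1, 3 and 5 concrete, the following is an added illustration (not code from the article, from Acronis, or from any MDM product) of the kind of posture check an MDM report feeds: each enrolled device is evaluated against a minimal policy, and a device that touches patient data while failing a critical control is routed to quarantine-and-wipe rather than merely warned. The record fields, the policy thresholds, the platform minimums and the sample inventory are all assumptions constructed for the example.

```python
"""Added example: evaluate a BYOD device inventory against a minimal
compliance policy of the kind an MDM enforces (storage encryption,
passcode, OS currency, jailbreak/root status, remote-wipe enrollment).

All field names, thresholds and sample records are constructed for
illustration and do not come from any particular MDM product.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    device_id: str
    owner: str
    platform: str            # assumed values: "ios" or "android"
    os_version: tuple        # e.g. (17, 4)
    disk_encrypted: bool
    passcode_set: bool
    jailbroken: bool
    remote_wipe_enrolled: bool
    phi_access: bool         # does this device reach patient data?


# Hypothetical minimum OS version per platform (policy assumption).
MIN_OS = {"ios": (16, 0), "android": (13, 0)}

# Failures that, combined with PHI access, trigger the worst-case path.
CRITICAL = {"storage not encrypted", "jailbroken/rooted"}


def evaluate(device: Device) -> list[str]:
    """Return the list of policy failures for one device (empty means compliant)."""
    failures = []
    if not device.disk_encrypted:
        failures.append("storage not encrypted")
    if not device.passcode_set:
        failures.append("no passcode")
    if device.jailbroken:
        failures.append("jailbroken/rooted")
    if not device.remote_wipe_enrolled:
        failures.append("not enrolled for remote wipe")
    min_os = MIN_OS.get(device.platform)
    if min_os is None:
        failures.append(f"unsupported platform {device.platform}")
    elif device.os_version < min_os:
        version = ".".join(str(n) for n in device.os_version)
        failures.append(f"OS {version} below minimum")
    return failures


def decide(device: Device) -> str:
    """Map failures to an action: a non-compliant device that touches PHI and
    fails a critical control is quarantined for wiping; other failures warn."""
    failures = set(evaluate(device))
    if not failures:
        return "allow"
    if device.phi_access and failures & CRITICAL:
        return "quarantine-and-wipe"
    return "warn"


def audit(inventory: list[Device]) -> dict[str, list[str]]:
    """Group device ids by decision, the shape of a self-audit report."""
    report = {"allow": [], "warn": [], "quarantine-and-wipe": []}
    for dev in inventory:
        report[decide(dev)].append(dev.device_id)
    return report


# Constructed sample inventory (not real devices or people).
SAMPLE_INVENTORY = [
    Device("ipad-001", "dr.patel", "ios", (17, 4), True, True, False, True, True),
    Device("phone-002", "nurse.kim", "android", (12, 0), True, True, False, True, False),
    Device("phone-003", "dr.lee", "ios", (17, 0), False, True, False, True, True),
    Device("phone-004", "tech.ng", "android", (14, 0), True, False, True, False, True),
]

if __name__ == "__main__":
    for dev in SAMPLE_INVENTORY:
        print(dev.device_id, decide(dev), evaluate(dev))
    print(audit(SAMPLE_INVENTORY))
```

The point of separating `evaluate` from `decide` is that the same findings feed two different consumers: the self-audit report that step 3 calls for lists every failure, while the response process in step 5 needs only the action, and only devices that can reach patient data should trigger the expensive path.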

With personal devices and Web applications quickly becoming a reality across all aspects of healthcare, it is crucial for organizations to put a plan in place that keeps data secure wherever it resides. Otherwise, they risk falling behind and losing patients' good faith, and potentially incurring some big fines in the process.

(Simon Howe is sales director, Mobility APAC at Acronis. This article was first published in CIOL; the views expressed do not necessarily reflect the views or policies of Cybermedia.)
