Today, patient data resides everywhere – desktops, laptops, smartphones, tablets and USB drives. Understandably so – given the rise of mobile computing and bring-your-own-device (BYOD) policies in healthcare, the once straightforward process of protecting patient’s private health information has since evolved into a complex and overwhelming undertaking. Gone are the days where personal health information lived solely in giant filing cabinet.
When we refer to personal health information at risk, we’re not just talking about historical health records – the potential for a data breach casts a much wider net, including patient billing information, clinical trial data and even employee information like payroll numbers. With so much sensitive, unprotected data up for grabs, we’re inclined to ask ourselves – why? Why does this keep happening, and what can we do to fix it?
Think of it this way - according to a recent study, 81 percent of healthcare organizations are now allowing employees and medical staff to use their personal laptops and mobile devices to connect to provider networks or access company email. Interestingly enough, the same study found that of that 81 percent of healthcare institutions enabling a BYOD strategy, 54 percent did not believe that those devices were secure enough in the workplace. 65 percent of data breaches reported to the Ponemon Institute occurred on laptops and mobile devices over the last 5 years. With these kinds of statistics, it’s really no wonder that more than half of those surveyed aren’t confident in the security of their devices, right?
Below are the top 3 gaping security holes in remote healthcare data practices that are answering our question of why this rise in breaches is happening:
- Ignorance of Government Regulations
According to a recent report, HIPAA data breaches have increased by 138 percent since 2009. It’s easy to get caught up in the hype around compliance and regulation, but ultimately you can end up missing the bigger picture of what is trying to be accomplished. Regulations aside, healthcare CIOs and CSOs need to ensure that they are still performing a comprehensive, thorough analysis of their security infrastructure. Furthermore, compliance is technically a one-time snapshot or status of where things stand – or should stand. Given the fluidity of IT and the continually emerging threats and vulnerabilities, simply focusing on compliance alone is short-sighted and can end up creating a false sense of security that your mobile systems and information are truly secure.
- Inadequate Resources & Budgeting Allocations
According to a recent study from Cisco, 63 percent of healthcare institutions do not feel that they have the sufficient resources to defend against a security breach. The same study found that 66 percent of healthcare institutions did not feel that their security financial budgets were sufficient with what capabilities are needed.
CIOs and CSOs don’t have the luxury of waiting until the time is just right to invest in data security technology. Data is sensitive, especially that within the healthcare industry. Leaders in this space must start incorporating better practices when it comes to protecting patient data.
- Internal Employee Negligence
Mistakes happen, we’re all human. Unfortunately, the repercussion of human error like negligence continues to top the list for causes in data breaches. Examples of employee negligence can range from misplacing a USB with stored private patient health information to accidently leaving a laptop in a public place. Encryption is the only failsafe way to ensure that private health information is not compromised if a device has been lost or stolen.
As we mentioned earlier, patient data is everywhere – mobile devices, laptops, desktops and even medical devices like wireless heart pumps and mammogram imaging tools. Health data has evolved into a matrix of interrelated data, flowing from patients/customers to physicians, diagnostic clinicians, pharmacists and medical insurance billing specialists, among others. The industry as a whole must look beyond simple data security/compliance and towards a holistic security program that fosters a long-term data security strategy. The most effective and comprehensive strategies are centered on protecting actual data and not just the device – however, it’s equally important to allow for ease-of-use and accessibility.
As we look ahead, managing information risk is more than just addressing the checkbox items. Healthcare CIOs and CSOs need to first understand what kind mobile and remote solutions they have at hand, how these devices are putting private health information at risk and what can be done to remain secure.
We recommend that data is encrypted on both at-rest and mobile devices. Encryption needs to be transparent enough for IT admins working behind-the-scenes to be able to integrate the capability across platforms seamlessly, and offer no disruption to the end-user experience. It’s important to remember that as important as data security is in the healthcare industry, accessibility and providing the ultimate patient care is top of mind for providers.