In this Q&A, Darren Leroux, senior director of product marketing at WinMagic, shares his thoughts on the rise of BYOD in healthcare, why some security measures are failing, and why healthcare has become a target of hackers.
Q: How has the rise of BYOD in healthcare impacted the security of protected health information (PHI)?
A: The significant rise of BYOD in healthcare should not have come as a surprise. Doctors are already on tight schedules, so the convenience BYOD brings them is a no-brainer. They can take their tablet or smartphone with them from patient to patient, have all of the information they need at their fingertips, and improve their workflows. What does come as a shock is that more than half of healthcare institutions do not feel that the devices accessing their networks are secure, according to a recent study from the U.S. Department of Health & Human Services. Healthcare organizations are establishing BYOD policies, inclusive of data encryption, to make up for the inherent device insecurities.
Q: If a BYOD policy is in place and security measures are being taken at most organizations, why are healthcare data breaches increasing?
A: A recent healthcare professional roundtable found that, though the majority of healthcare providers had clearly defined procedures for securing devices, 46 percent admitted the policies are not being followed. In a somewhat mirrored fashion, roundtable participants agreed device encryption should be a part of any BYOD policy – but that encryption requirements were rarely enforced. One reason, therefore, for the prevalence of healthcare breaches is the lack of organizational adherence to their own policies.
Q: Why has healthcare become a major target for breaches compared to other industries that are also heavy adopters of remote workers?
A: According to security provider Veripher, the current value of a healthcare record is approximately $50, which is more than a social security number or a credit card. It’s an extremely soft target that has a lot of value, which is why it is so appealing to hackers. Unfortunately, the BYOD trend is only going to increase, which means that data breaches can no longer be managed by merely securing the perimeter of a facility. Every device accessing a healthcare facility’s network needs to have some form of encryption so that thieves cannot profit from healthcare records’ portability.
Q: How are healthcare regulations impacting the security of PHI on devices?
A: The good news is the universe of individuals that must adhere to HIPAA regulations is expanding, reflecting the reality that a variety of roles can have access to PHI. New requirements, for example, now extend HIPAA rules to business associates – those performing activities such as claims processing, data analysis, utilization review, and billing at healthcare entities. The bad news is that HIPAA’s language is vague in certain areas, and there isn’t specific language requiring full disk encryption of devices or standard identity management controls on them.
Q: With so many different healthcare entities now handling PHI to some degree, what specific types of PHI have become the most vulnerable on devices?
A: The three most vulnerable forms of lost or stolen data in the healthcare industry are patient billing information, employee records, and non-patient records. However, the types of patient data that are most frequently lost or stolen include medical files and records, payment information, prescription details, scheduling details, and monthly statements. Generally speaking, one can see that the types of PHI that are most frequently lost or stolen are the pieces of information that are being accessed across the continuum of care. Breaches are happening as healthcare providers use their personal devices to share PHI with another healthcare provider, for example the primary care physician sharing prescription information with the pharmacist or the X-ray tech showing an MRI to a physician. If healthcare providers want to be able to use their devices to enhance care delivery, they need to make sure they are doing so securely.
Q: Are healthcare entities reluctant to use encryption because it’s hard to use, and will that impact the user experience?
A: Encryption solutions today are easy to use, do not impact end-user performance, and can be easily managed by IT and security teams. I will admit this is quite an evolution from even as recently as a decade ago, when encryption often interfered with work. Given that encryption is a fail-safe for human nature – we often misplace devices containing sensitive information – it’s very important for healthcare companies to deploy full disk encryption. And regulatory entities should consider including specific recommendations regarding encryption in their rules.