"Bring Your Own Device" is a data nightmare for Healthcare Facilities
by Paul Kazlauskas
The healthcare industry has experienced more data breaches than any other industry segment of the last five years. The reasons are mainly two-fold, and both are only rising in significance.
First, private health information is some of the most valuable personal data there is on the black market (50 times more valuable than credit card info). A patient’s healthcare record is complete and total. There aren’t any missing pieces of information or the need for hackers to go somewhere else to find a pertinent detail or two.
Second, the healthcare workforce relies on mobile technology and the cloud. Institutions should recognize that they need to protect the data that is on devices AND data that is being transmitted to other places around the world. Healthcare workers that deal with private health information need to be educated on the challenges of data protection, especially actions to avoid.
The high value of patient health information, combined with the use of mobile technology, is a recipe for trouble. Once you add in the fact that many healthcare professionals are bringing their own devices to work (“BYOD”), the security of patient data becomes even more perilous, due to the inexperience of those healthcare workers with data security.
Here are some tips to help healthcare facilities be vigilant with data security to protect the extremely valuable patient health information:
- Conduct periodic reviews of where data lives. It is critical that hospitals know where their data lives — just as they would conduct an inventory of surgical instruments — to get a handle on what data is being stored and where.
- Purge data after the required timeline expires. A hospital's patient data has an initial asset value, but over time the value decreases. When that data is stored past the required timeline of seven years, it turns into more of a liability than an asset.
- Implement a strategy that accounts for multiple technologies -- because things change. Since mobile technology is evolving at such a rapid pace, it will be important for organizations to monitor what operating systems employees are using, what updates and security patches are available, and what new tools are emerging to decrease risks.
- Ensure employees are abiding by the standard security settings of their devices. Some security practices should be non-negotiable, regardless of whether or not an organization allows BYOD. These include such things as:
- Anti-virus programs
Depending on the type of information, encryption could also be a necessary component. It may be wise to equip mobile devices with remote-wipe applications, so that data can be easily erased if the device was stolen.
- Help employees understand and comply with healthcare facility data security policies. This is imperative with "bring your own device," because even if employees are using their own devices, they will still have to employ basic security features as a requirement of accessing company information. User training is imperative. So is on-site technical support should any questions arise.
- In-house technology should supplement employee education. Although hospitals can train and educate employees on security policies, they should still implement necessary technology to detect security breaches or mistakes. People are humans, not machines. Mistakes can easily be made because employees are focusing on their immediate task at hand, not particularly focusing on the security of the data they are working with.
- Continue to reassess how BYOD is working. Hospitals should keep in mind that data security policies are ones with almost continual consequences in terms of risk. It will be important to monitor the time, money, and resources that are devoted to maintaining BYOD data security. If the cost to mitigate the risks outweigh the benefits, it may be time for a change to policy.
- Communicate with those in your professional network and learn from what they do. If your healthcare facility is struggling with data security inexperience, the knowledge to do better doesn’t have to come from a high-priced consultant or a software company. Tap into your local network of other hospitals to understand what they did and what they learned. Ask for advice on certain data security situations and read white papers from trusted sources. For specific advice, consult a healthcare I.T. professional. Here is a list of national resources that you can review.
How is your healthcare facility being vigilant with data security to protect extremely valuable patient health information? Please add your thoughts in the "Comments" section below.
Want the latest, best security practices delivered straight to your inbox? Enter your email address in the "Subscribe" area (on the left side navigation).
Download Free Whitepaper ›
Our exclusive "Guide to Choosing a Visitor Management System"
Posted on 7/14/2017