Current State of Security in Healthcare
As much as healthcare continues to evolve, what has always been and will continue to be at the core of the industry is the effort to deliver the best possible patient outcomes. The proliferation of computers offered standardization and efficiency, but had the unfortunate side effect of requiring caregivers to spend time behind keyboards instead of with patients. Today it is no longer necessary to make that compromise, largely due to the use of mobile devices. While trends like "computers on wheels" attempted to reconcile the requirements of increasing digitization with the fundamental need for caregivers to be near their patients, the carts were clumsy, not especially maneuverable, and—under the best of circumstances—irritate patients or—at worst—intimidate them. On the other hand, mobile devices combine impressive computing power and modern user interfaces with portability and unobtrusiveness.
The downside? If mobile devices are inadequately secured and managed, they can create enormous exposure. According to our recent Mobile Risk and Security Review (MSRR), 53 percent of healthcare organizations reported missing devices in 2016, and 17 percent of healthcare organizations had compromised devices accessing corporate data – a rate higher than in the government or financial services industry. These stats are indicative of risks that could result in data breaches, as well as violations of regulations like HIPAA. Additionally, 82 percent of healthcare organizations have 10 or more third party apps installed, creating even more avenues for potential attackers.
Challenges Hospitals are facing
As technology has evolved and become more mobile, the traditional network perimeter has deteriorated: data has become more distributed and it persists in more places. When information is more portable it can get outside the organization in unexpected ways. Of course, this is true in any industry, but because of the regulatory requirements and the elevated sensitivity around health information, the stakes are higher.
Another huge challenge to maintaining security within a hospital is different types of workers: while many people may be direct employees of the hospital or health system, some may be considered independent contractors. For example, nurses and administrative personnel may be employed directly but doctors and anesthesiologists may be employed by other corporate entities so the relationship is closer to "subcontractors." This means that healthcare organizations must be mindful of how to grant secure access to sensitive data on devices that don't belong to the organization or its direct employees.
New tech brings new hope
Most mobile devices began as purely consumer technology and—despite their fairly wide adoption in work settings—the tools to provide adequate security controls took a while to mature. Once upon a time, Apple iOS devices had to be physically tethered to Mac computers to enable advanced security controls (through a process known as Supervision) and only a handful of Android devices offered a true "enterprise persona." Because of complexity or cost, many organizations would simply forego the additional capabilities. With the tools like the Apple Device Enrollment Program (DEP) or Android Enterprise Device Owner Mode (DOM), organizations can now harness extra security capabilities in a way that is both easier for IT departments and mostly transparent for end users. This ensures that policies are being applied universally without bugging each doctor, nurse and administrative professional to update his or her device – resulting in even more time for patient interaction.
How to overcome challenges
One of the simplest and most crucial things hospitals (or any mobile-device-using organization) can do is enforce OS patching – according to the MSRR, in 2016 only nine percent of companies in the U.S. were doing this, yet it is the easiest preventive care businesses can do. OS patching pays big dividends, and the turn time on mobile OS updates is shorter than ever before.
As always, businesses must be diligent while implementing policies as they would with any software, but need to update what this process looks like for the mobile world. A big part of this is ensuring the applications going onto these devices are secure by scanning the application source code. There are automated tools that can help with this process to ensure businesses have implemented security measures and streamlined their vetting process. These tools will eliminate the risk of having an enterprise app that accesses patient healthcare data without the proper security measures in place.
It is also critical to invest in educating your workforce about proper security measures. Many health systems view security as an IT problem, but the onus is on each line of business to ensure they're engaging in proper security measures. A remote security management tool is great for managing system updates and monitoring, but without organization-wide education, not even the greatest CISO can stop employees from downloading an unnecessary and compromising application, or clicking on a phishing email.
Looking ahead
While the initial HIPAA regulations didn't provide much in the way of penalties, the HITECH Act passed in 2009 gave the original legislation some new teeth with regard to security and privacy of patient data. Last year, the California Data Breach Report outlined minimum standards of due care with regard to the privacy protections for consumer data. Next year, the General Data Protection Regulation (GDPR) will be implemented in the European Union, which punishes any company after its second offense of compromising customer records or jeopardizing customer privacy – with a fine of 20MM euros or four percent of the organization's revenue - whichever is higher. Though laws and regulations have been slow to keep pace with technology, it appears that a regulatory makeover may be gaining momentum and organizations must be prepared to address more stringent requirements or risk increasingly severe penalties as privacy and security receive more focus.
The views, opinions and positions expressed within these guest posts are those of the author alone and do not represent those of Becker's Hospital Review/Becker's Healthcare. The accuracy, completeness and validity of any statements made within this article are not guaranteed. We accept no liability for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with them.