The daily process of treating patients has been compared more than once to a military operation – and with good reason. After all, everything of real importance takes place on the front lines, at the point of patient contact. All else is purely support.
That analogy extends to the flow of data. Information has to make it to the front lines in order to be effective. Trouble is, that imperative also makes data—especially patient data—vulnerable to attack from multiple sources.
Since September 2009, the U.S. Department of Health and Human Services has maintained a database of breaches of unsecured protected health information affecting 500 or more individuals. Of these, more than 60% have involved some kind of endpoint computing device—desktop PCs and laptops as well as USB drives, tablets, smartphones and other portable electronic devices. Millions of individual records have been compromised from these endpoints through unauthorized access or disclosure, theft, loss, hacking or other incidents.
Industry-wide, the problem is even more widespread. Ponemon Institute, an independent, Michigan-based research firm focused on privacy, data protection and information security policy, issued its Third Annual Benchmark Study on Patient Privacy & Data Security in December 2012. In the study, the institute reported that 94% of healthcare organizations surveyed had experienced at least one data breach over the prior two years. Nearly half (45%) had dealt with more than five breaches over the same period. Leading causes of breaches included lost devices, employee mistakes, third-party mix-ups and criminal attacks.
The economic fallout of such breaches was apparent, with the average two-year cost to a healthcare organization per breach rising to a calculated $2.4 million, up from $2.2 million for the same metric a year earlier. Based on its survey figures, the institute estimates the average annual cost to the U.S. healthcare industry from data compromises “could potentially be as high as almost $7 billion.”
The BYOD Trend
The trend among healthcare organizations toward employee BYOD (Bring Your Own Device) only complicates the problem. The Ponemon study indicates that 81% of organizations allow BYOD as part of their IT practices. As more employees and medical staff use mobile devices like smartphones and tablets to access enterprise networks and systems, the risk presented by BYOD grows. The loss or theft of computing devices remains the most common way breaches occur; despite that exposure, more than half (54%) of organizations, according to Ponemon, report that they are not confident their employees' BYOD devices are secure.
With corporate endpoint data doubling in size every 14 months according to some estimates, and BYOD practices increasing, the importance of securing data on laptops, tablets and smartphones has never been greater. So what should a healthcare organization do?
How to Ensure Data Security
Every responsible healthcare data security program begins with an audit—and endpoint data needs to be a primary focus. Security personnel need to ask, and answer, all the pertinent questions. Who has access to patient data, and on what kinds of devices? Who is allowed to collaborate on, and update, this data? Who is authorized to share information, and with whom, both inside and outside the organization?
By gaining a full understanding of what kinds of data reside on which devices, security protocols and policies become much clearer. What's more, the security audit will help reveal the nature and scope of data vulnerabilities. Most breaches, as it turns out, are unintentional; only a small percentage results from deliberate, malicious intent, such as attacks by hackers or disgruntled employees. What the audit reveals about workflows and employee behavior should drive the choice of security controls.
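The audit question of which devices actually hold patient data can be answered in part by sweeping each endpoint for files that contain identifier patterns. Below is an added Python example written for this article, not code from the original page or from any vendor it mentions; the regular expressions, the SSN plausibility rule, the "likely PHI" threshold and the sample files are all assumptions constructed for illustration, and a real deployment would tune them to the organization's own record formats.

```python
import os
import re
import tempfile

# Identifier patterns used to flag files as PHI candidates. These are an
# assumption for this example, not a clinical or regulatory standard.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN\s*[:#]?\s*\d{6,10}\b", re.IGNORECASE),
    "dob": re.compile(r"\bDOB\s*:?\s*\d{2}/\d{2}/\d{4}\b", re.IGNORECASE),
}


def plausible_ssn(candidate):
    """Reject 3-2-4 digit strings the SSA never issues (area 000, 666 or
    900-999, group 00, serial 0000) to cut false positives from invoice
    and part numbers that happen to share the shape."""
    area, group, serial = candidate.split("-")
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"


def classify_text(text):
    """Return {identifier_type: count} for the identifiers found in text.
    Only counts are kept, never the matched values, so the audit report
    itself does not become another copy of the patient data."""
    hits = {}
    for name, pattern in PATTERNS.items():
        matches = pattern.findall(text)
        if name == "ssn":
            matches = [m for m in matches if plausible_ssn(m)]
        if matches:
            hits[name] = len(matches)
    return hits


def likely_phi(hits):
    """A file is treated as likely PHI when it carries two different
    identifier types together (a record) or many of one type (an export)."""
    return len(hits) >= 2 or max(hits.values(), default=0) >= 5


def scan_tree(root, max_bytes=1_000_000):
    """Walk root and return {relative_path: hits} for every text file that
    contains at least one identifier. Binaries and oversized files are
    skipped; unreadable files are ignored rather than aborting the sweep."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for filename in filenames:
            path = os.path.join(dirpath, filename)
            try:
                if os.path.getsize(path) > max_bytes:
                    continue
                with open(path, "rb") as handle:
                    raw = handle.read()
            except OSError:
                continue
            if b"\x00" in raw:          # crude binary check
                continue
            hits = classify_text(raw.decode("utf-8", errors="replace"))
            if hits:
                findings[os.path.relpath(path, root)] = hits
    return findings


# Constructed sample files standing in for one endpoint's home directory.
SAMPLE_FILES = {
    "discharge_notes.txt": "Patient: Jane Roe  MRN: 00482193  DOB: 04/12/1961  SSN 123-45-6789\n",
    "roster.csv": (
        "name,ssn,room\n"
        "A. Patient,456-78-9012,12A\n"
        "B. Patient,234-56-7890,12B\n"
        "C. Patient,345-67-8901,14A\n"
        "D. Patient,567-89-0123,14B\n"
        "E. Patient,678-90-1234,15A\n"
    ),
    "invoice.txt": "PO 666-12-3456 ref 000-11-2222 ship to 900-12-3456 dock\n",
    "readme.txt": "Call the help desk at 555-1234; the DOB policy is in section 4.\n",
}
SAMPLE_BINARY = b"\x00\x01\x02 SSN 123-45-6789"


def run_demo():
    """Write the samples to a temporary tree, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        for name, body in SAMPLE_FILES.items():
            with open(os.path.join(root, name), "w", encoding="utf-8") as handle:
                handle.write(body)
        with open(os.path.join(root, "app.bin"), "wb") as handle:
            handle.write(SAMPLE_BINARY)
        return scan_tree(root)


if __name__ == "__main__":
    for path, hits in sorted(run_demo().items()):
        flag = "LIKELY PHI" if likely_phi(hits) else "review"
        print(f"{flag:11} {path}: {hits}")
```

Run it on each endpoint from a scheduled job and ship only the path and counts to a central inventory: the script deliberately never records the matched values, so the audit output does not itself become another unsecured copy of PHI. Pattern-based discovery has false negatives (free-text notes with no structured identifiers) and false positives (any 3-2-4 digit string), which is why the SSN plausibility filter and the two-identifier rule exist; treat the result as a map of where to look, not as proof of absence.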
In addition to an audit, an endpoint security program should be implemented. Such efforts typically include endpoint management technology, specifically software designed to back up data efficiently while facilitating file sharing and collaboration. To be effective, endpoint management software must be easy to administer, non-intrusive and transparent; just as important, it must be able to remotely wipe data on a device that is lost or stolen. A remote wipe only succeeds if the device is still enrolled, powered on and reachable, so it complements encryption of the data at rest rather than replacing it. Along with the technology itself, centralized policies must be established for controlling access to data, such as who may share which files with whom.
Other elements of a strong data protection program include encryption (including full disk encryption where practical) plus firewall and intrusion detection and prevention for networks and data repositories. Encryption matters most for the lost-and-stolen-device scenario: the breach notification rule applies to unsecured PHI, and PHI encrypted in line with HHS guidance is not considered unsecured, so a properly encrypted laptop left in a taxi is generally not a reportable breach, while an unencrypted one is. Usernames and passwords should be paired with a second factor, such as a hardware token or biometric, to ensure proper user authentication. Furthermore, employee security training is important—and workers must be held accountable for maintaining data security practices.
When sharing data with third-party vendors and care partners, organizations should contractually bind those outside parties to the same security policies (under HIPAA, through business associate agreements). Regular testing of software and systems should also be standard practice. Finally, should a breach occur, it's essential that incident response procedures be invoked quickly to contain the damage and protect patient information.
Data Security Should be a C-Suite Concern
Clearly, endpoint devices will be major tools in healthcare in the years ahead. The worldwide population of mobile workers is expected to reach 1.5 billion by 2015; within the next year alone, IDC predicts that individual-liable devices will grow to 60% of all mobile devices used in business. There’s no reason to believe the proportion of devices found in healthcare will be any different.
With the formation of accountable care organizations (ACOs), the deployment of electronic health records (EHRs) and health information exchanges (HIEs), the accelerating pace of group practice acquisitions, and the mergers of healthcare organizations all adding complexity to healthcare, it's critical that everyone—CEOs, CFOs, CIOs, IT directors and security professionals—understand the importance of endpoint data security to organizational practice. Those responsible for data security must provide solutions that encrypt and back up data on endpoint devices, as well as a remote wipe capability for all devices, whether BYOD or enterprise-owned.
It’s been said that an army travels on its stomach—but in the 21st century, the essential commodity to any healthcare operation will be its data. Every day, your people are on the front lines, putting that data to optimal use. Don’t put it at risk. With an adequate defense in place, you can make sure your employees’ devices won’t become a casualty for your organization.