The mobility of patient data — made possible by new technologies and the proliferation of mobile devices in the workplace — is a leading factor in data breaches. According to Kroll Advisory Solutions' "2012 HIMSS Analytics Report: Security of Patient Data," 31 percent of healthcare organization respondents indicated that information available on portable devices is among the factors most likely to cause a data breach. This factor is amplified by what some have termed the BYOD — "bring your own device" — and BYOC — "bring your own cloud" — era.
The "bring your own" era
According to Alan Brill, senior managing director of Kroll Advisory Solutions, while BYOD is a problem in the healthcare industry, BYOC is almost more threatening to the healthcare industry. Moving data or information has become easier because of the emergence of consumer-friendly and easy-to-use cloud storage services. Many companies, such as Microsoft, Google and Apple, have such offerings. There are even individual companies, such as DropBox, that offer cloud storage, hence "bring your own cloud." Data and information are easily transmitted with these cloud services. Unfortunately, that also means that the physical location of data may be less secure, and in a healthcare setting, insecure data can be extremely damaging.
"You would probably expect that anything a hospital would store in a cloud server would be encrypted so that even though access may be easy, not just anyone could open the file and read it. However, given the immediate availability of cloud service tools, if someone wanted to move data for any reason — lawful or not, reasonable or not — the ability to do so is very real," says Mr. Brill.
Gone are the days when stealing hospital data was difficult because of the physical volume — the boxes and boxes of physical files. Stealing or losing healthcare information is easier because of the gigabytes and megabytes of storage available on commercial cloud storage tools and USB devices.
In order for hospitals to combat the vulnerabilities of BYOD and BYOC, they need to be vigilant with data security to protect health information.
1. Learn from others' experience. Many hospitals struggle with inexperience in data security: those running the security initiatives are doing so for the first time. While individual elements are not complex, hospitals will benefit from experience when addressing complex problems. However, the experience does not have to come from an HIT consulting or software solutions company. It can come from other institutions in the community or from professional groups in the field where industry information and white papers are shared.
2. Conduct a regular data census. It is imperative that hospitals conduct regular data censuses — just as they would conduct an inventory of surgical instruments — to get a handle on what data is being stored and where. "Many times when data is stolen from a hospital, the executives are shocked to find out where the data was stolen from. I often hear 'I didn't know we still had that patient information,'" says Mr. Brill. Over time, a hospital collects a great deal of patient health and financial information and managing the data can become cumbersome. However, it is necessary to regularly inventory the data so it does not become what Mr. Brill terms "vampire data."
3. Do not keep data longer than necessary. A hospital's patient data has an initial asset value, but over time, the value decreases, and when that data is stored past the required timeline of seven years, it may be more of a liability than an asset. "Management may determine that some forms of data have significant value even though their legally mandated retention period is over. My recommendation is that they do an assessment to see if they should keep it or securely get rid of it," says Mr. Brill.
4. Implement a strategy that accounts for multiple technologies. Since mobile technology is evolving at such a rapid pace, it will be important for organizations to monitor what operating systems employees are using, what updates and security patches are available and what new tools are emerging to mitigate risks. Further, in a "bring your own device" environment, it is much easier for users to download personal applications and questionable content that may put devices at risk. Hospitals need to consider these issues to maintain a reasonable level of security.
5. Ensure users are employing standard security settings on their devices. Regardless of whether or not an organization allows BYOD, some security practices should be non-negotiable. Chief among these practices are passwords, firewalls and anti-virus programs. Depending on the type of information the employees will be accessing or transmitting, encryption should be a necessary component. It may also be prudent to equip mobile devices with remote-wipe applications, so that data can be easily erased should the device be stolen.
6. Help employees understand and comply with company policies. This is vital with "bring your own device," because even if employees are using their own devices, they will still have to employ basic security features as a requirement of accessing company information. To achieve the level of compliance needed, it will likely be necessary to employ a combination of user training — via a formalized program — and technical support. Accessible training and support can help reduce "security work-arounds." When employees understand the purpose of security applications or procedures, they are less likely to attempt to circumvent or disable them.
7. Supplement employee education with technology. Although hospitals can train and educate employees on security policies, they should still implement technology to detect security breaches or mistakes. "While the vast majority of individuals are going to and want to do the right thing, hospitals should still have the protection in place. The technology tools will help employees follow the rules," says Mr. Brill. The technology can be anything from disabling USB ports to blocking use of personal email accounts or cloud services like DropBox.
8. Remain aware of the threat of lost or stolen devices. Despite new and emerging threats, lost and stolen devices still dominate as a cause of data breach. With BYOD, the lines of ownership may appear blurred to the user, and he or she may not know his or her work-related responsibilities with regard to lost devices. Hospitals should make sure employees know what to do if they lose their devices and have a plan in place to determine if any sensitive information was stored on them.
9. Continue to reassess the efficacy of BYOD and BYOC. According to Mr. Brill, hospitals should keep in mind that data security is not a "set it and forget it" decision; rather, it is one with almost continual consequences in terms of risk. It will be important to monitor the time, money and resources that are devoted to maintaining security in the wake of commercially prevalent mobile devices and cloud sites, to determine if this model is effective for the hospital.
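Items 2 and 3 above (the data census and the retention review) lend themselves to a simple, repeatable triage. The following is an added example, not code from the article or from Kroll; the seven-year period is the one cited above, the consumer-cloud flag follows the BYOC concern, and the inventory entries are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Retention period cited in the article (assumption: actual mandates vary by
# jurisdiction and record type; adjust before using on real inventories).
RETENTION_YEARS = 7

@dataclass
class DataStore:
    name: str
    location_kind: str        # e.g. "datacenter", "laptop", "consumer_cloud"
    owner: Optional[str]      # accountable person/department; None = nobody claims it
    last_record: date         # date of the newest record in the store
    contains_phi: bool        # protected health information present

def retention_expired(store: DataStore, today: date, years: int = RETENTION_YEARS) -> bool:
    """True when the newest record is older than the mandated retention period."""
    try:
        cutoff = today.replace(year=today.year - years)
    except ValueError:  # today is 29 February; fall back to 28 February
        cutoff = today.replace(year=today.year - years, day=28)
    return store.last_record < cutoff

def classify(store: DataStore, today: date) -> str:
    """Census outcome for one store, most urgent finding first."""
    if store.owner is None:
        return "vampire"    # nobody knew it existed: assign an owner, then review
    if store.contains_phi and store.location_kind == "consumer_cloud":
        return "relocate"   # PHI on a bring-your-own cloud service
    if retention_expired(store, today):
        return "assess"     # past retention: keep-or-securely-dispose decision
    return "retain"

def census_report(stores, today: date) -> dict:
    return {s.name: classify(s, today) for s in stores}

# Constructed sample inventory for a census run on 1 June 2012.
SAMPLE_INVENTORY = [
    DataStore("ehr_prod", "datacenter", "IT", date(2012, 5, 30), True),
    DataStore("legacy_billing_2003", "datacenter", None, date(2003, 12, 31), True),
    DataStore("research_export", "laptop", "Research", date(2004, 3, 15), True),
    DataStore("nursing_shared_folder", "consumer_cloud", "Nursing", date(2012, 4, 2), True),
    DataStore("cafeteria_menus", "consumer_cloud", "Facilities", date(2012, 5, 1), False),
]

if __name__ == "__main__":
    for name, outcome in census_report(SAMPLE_INVENTORY, date(2012, 6, 1)).items():
        print(f"{name}: {outcome}")
```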