Bring Your Own Device (BYOD) and Information Outflow
Doctors in the BYOD Era: Stemming the Tide of Information Outflow
Vasu Ram, President and CTO of Content Raven
The Identity Theft Resource Center recently announced that it had recorded 163 breaches in the healthcare sector last year, which represented 34.7 percent of all data loss events logged in 2012. These data breaches led to more than 2.3 million compromised patient records, and already in 2013, the healthcare industry has experienced 136 data breaches, representing nearly half of all security breakdowns and leading to more than 2 million compromised records.
Does the healthcare industry shoulder a fair portion of the blame? Or is there a reason for this bias towards incidents within the medical profession? According to a data found in a recent Cisco partner network study, nearly 89 percent of U.S. healthcare workers use their personal smartphones for work purposes. However, that same study found that when it comes to security, 41 percent of healthcare employees’ personal devices are not password protected, and that 53 percent of healthcare employees access unsecured WiFi networks with their smartphones.
These numbers are troubling, especially in an era of increased scrutiny driven by HIPAA and Meaningful Use requirements. Despite this, breaches still occur frequently, including the recent leakage of personal health information of 1,566 patients who used a public health service due to an unencrypted employee laptop being stolen from a car. The mobility of the healthcare workforce is only going to increase, making it possible more data thefts like these will continue to occur.
As the healthcare industry continues to deploy electronic medical records and utilize mobile applications like tablets and iPhones to support patient care, hospitals will need to adopt solutions that safeguard information and prevent embarrassing – and damaging – security breaches.
No matter how robust an organization’s security protocols are, human error remains the greatest risk of all. This risk is magnified in the age of BYOD (Bring Your Own Device). When employees open files on their personal devices, those documents are only protected to the extent of the devices’ personal security settings — or lack thereof. Personal devices tend to be insecure and more open to hacking and theft than company devices. In addition, an employee could lose a device with important information and put the company at risk.
Compounding this is the demand from patients to have faster and more accessible communication with their physicians. American Medical News (AMN) noted that more patients not only want to email their doctors but desire a quick response as well. AMN cited surveys that showed a large majority of patients are interested in online communication with their physicians; however, other studies have found that patient satisfaction rates could take a significant dive if the messages aren’t responded to in an appropriate period of time. In either case, doctors are increasingly compelled to take the simplest path to communicating with their patients — with their personal devices, which may or may not be encrypted.
However, new technologies exist that enable enterprises to simply and securely share and track video, audio, and other forms of content across multiple devices, reducing risk and improving governance. The best approach, known as “trusted viewing,” not only provides a path that supports the digitization of patient records, but also serves to deliver higher levels of encryption and greater control over who can access the content and when.
Better Security Through Analytics
In order to avoid falling victim to data leakage, healthcare organizations need to make trusted viewing a top priority. A survey of almost 300 healthcare organizations released in late 2012 by Eden Prairie, Minn.-based healthcare communications technology company Amcom Software found that more than 65 percent of responding healthcare facilities do not have a documented mobile strategy in place. What’s more, 37 percent of the survey’s respondents do not have plans to implement such a strategy in their organizations.
Mapping the path of content delivery, tracking content usage and having the ability to terminate content access from anywhere are all keys to a robust mobile security strategy. If these three capabilities are in place, content can remain secure no matter where it is sent across the cloud.
The first step is establishing a protocol and utilizing tools to ensure content security from inception to disposal. Your organization needs to map out the typical flow of content and then implement the use of tools that will help you maintain security throughout that flow.
Second, you need to have tools for tracking content usage. In many cases, the increased risk of data breaches described in the Identity Theft Resource Center survey can be avoided if there are tools in place to track and manage content usage. Being able to see how, when and where content is being used can help organizations stop a breach before it starts or at least control the spread of information.
Finally, termination of content access can be a line of defense between corporations and data thieves. No matter whether the threat is coming from an internal part, external part or other third party source, terminating content access remotely and automatically can stop a data breach in progress.
Content security issues are going to become more common unless organizations embrace secure content delivery. Using trusted viewing tools to map the flow of information, track content usage and terminate access when a breach occurs can save your organization millions of dollars and protect patients from the exposure of private health information – all while maintaining improved levels of communication between physicians and their clients.
Vasu Ram is president and CTO of Content Raven. He is a technologist with over 18 years of experience delivering business solutions to small, medium and large enterprises. He specializes in product development, secure document sharing, intellectual property, e-learning, document security, online training, information security, and content tracking and analytics.