As more hospitals hire temporary and freelance workers who
move between facilities and access sensitive patient information via mobile
devices, security threats are rising. The recent infraction at Massachusetts
Eye and Ear Infirmary is a cautionary tale about the consequences of violating
the privacy regulations in the Health Insurance Portability and Accountability
Act (HIPAA). After the loss of an unencrypted mobile device containing patient
data at Mass. Eye and Ear, the facility was hit with a $1.5 million fine in a
resolution agreement with the Office for Civil Rights. Healthcare facilities
must provide security alongside patient access to data while also accounting
for employee turnover. That can be a tall order for a single security
approach, unless that approach centers on protecting data itself, rather than
on the traditional, network-based security model that seeks to secure the
hardware on which information resides.
Mobile devices enable healthcare organizations to increase
efficiency, foster collaboration and better serve patients. And yet, these
devices introduce risk to patient data security. That risk goes beyond the kind
of theft that occurred at Mass. Eye and Ear. Far more likely are events in
which data is accidentally shared or leaked to parties that should not see it.
While facilities generally have some level of security on their desktop
computers, few have adopted protection for hospital- or employee-owned
smartphones, laptops and tablets.
In 2011, the Ponemon Institute conducted a survey that found
that 81% of healthcare organizations store sensitive information on mobile
devices, some of which belong to employees. Forty-nine percent of respondents
to the survey reported that their organizations don't secure the data on those
devices at all.
In the meantime, healthcare professionals are increasing
their use of mobile devices to share patient data. IT decision-makers in
hospitals across North America are exploring text messaging as a replacement
for paging. Increasingly, doctors say they expect to use text messaging to
communicate with patients, even as IT personnel struggle to craft a plan for
keeping texting activity in compliance with HIPAA. And the security crisis in
healthcare is further heightened by the U.S. Department of Health and Human
Services' Stage 2 Meaningful Use requirement for patient access to electronic
health data.
In the face of HIPAA, healthcare facilities must deploy
security that gives patients greater access, protects data residing on mobile
devices, allows providers to electronically deliver information and accounts
for a constantly shifting workforce.
Keeping Patient Data Safe & Available
Data breaches in healthcare are on the rise. In 2011, the
Ponemon Institute reported a 32% increase in data leaks in the industry and
said 96% of healthcare organizations suffered from data loss in the previous
two years. The cost for all of those security missteps reaches $6.5 billion
each year.
There are several potential approaches to solving this
expensive problem. One such option is mobile device management (MDM), at least
for the tablet and smartphone users. However, such tools fail to address the
full extent of potential data loss. Most MDM offerings can remotely wipe a device,
but only if it is managed by the employer. That hardly answers the risks posed
by the bring-your-own-device (BYOD) trend. Furthermore, MDM doesn't keep
documents protected as they're shared between devices and opened in different
apps.
A more effective method for safeguarding patient data
without shutting down communication is to wrap every document in its own layer
of security. Most clinical data takes the form of either an Adobe PDF or an
image file, both document formats that can be persistently protected with the
right technology. Doing so allows healthcare facilities to set the parameters
for data access and sharing while controlling the sensitive documents that
reside on every device, even those beyond the reach of IT. Document-based
security ensures that protection travels with the data, regardless of where it
goes. IT retains the ability to wipe clean selected documents in the event that
a hospital-owned or personally owned device is lost or stolen.
Source: health-information.advanceweb