Oct 5, 2011

World - Doing More with Mobile Devices in Healthcare: Eliminating the Security Compromise


The use of mobile devices among healthcare professionals has never been more prevalent. The flexibility they offer and the ease of access to patient information enable healthcare organizations to focus more of their time on positive patient outcomes.

As mobile devices multiply, healthcare information has never been more portable—or more at risk. The use of unsecured personal devices at work only complicates matters. The proliferation of smartphones, tablets, USB drives and laptops—some company-approved and some not, some encrypted and some open—means you can never know who’s accessing your health information and whether or not it is truly protected.

The costs of health data loss are high and varied. Healthcare organizations face not only public relations issues each time a medical record goes missing, but significant financial costs. If an employee loses a patient’s medical records, the healthcare provider is held liable. A standard USB drive can hold more than 25,000 records, which can result in direct and indirect data breach costs totaling more than $6 million. That’s a huge penalty for such a small device.

Not to mention how likely it is that an employee—many employees, in fact—will make such a mistake in a given year. Today both employees and patients can use unsecured personal mobile devices to carry or access health information. In 2009, a U.S. health insurance firm suffered the consequences when it elected to save on encryption expenses. The company lost 1.5 million clients’ medical reports when an unencrypted portable drive went missing. The organization had to spend $250,000 on lawsuit fines, $319,500 on letters to the affected clients, and $1 million for free ID theft-monitoring services for the victims. And the erosion of trust and potential for lost business is even more costly.

It should come as no surprise then that mobile devices were identified as the biggest concern by a Dell-moderated focus group of 50 CIOs representing small to large hospitals, integrated delivery organizations, and commercial and government entities. Mobile devices also were cited as the most concerning security vulnerability in a broader survey conducted by Dell in May (see column at left).

One reason for this concern is the degree to which data on mobile devices is not so much “lost” as “taken.” A study by the U.S. Department of Health and Human Services (HHS) that examined 189 breaches of 500 or more records found that 52 percent were caused by theft while just 16 percent were the result of so-called loss. Combined, these events cost U.S. hospitals a whopping $12 billion annually, according to a Ponemon Institute report.

Ponemon targeted breaches of more than 500 records because that’s the reporting threshold. If an organization loses more than 500 records containing patient health information in a single event, it is required to notify HHS within 60 days as well as at least three prominent media outlets in the regions where the patients with breached records live. Upon notification, HHS posts an entry on its website listing the organization, the breach date and the number of records breached. In an era when consumerism is key to a company’s success, this type of publicity can be devastating.

Electronic health information is obviously here to stay, and its ability to enhance patient outcomes is enormous. Interoperable electronic health care records improve the quality and efficiency of care by informing and speeding diagnosis and decision-making—we simply need information management infrastructures that make the information safe and secure.

To manage security properly in a mobile environment, organizations need to ask themselves several questions. Is the hospital’s network virtualized so that information is managed in the datacenter, not on the device? Which devices are being used to access and store health information? Do the devices have enterprise-class information security? Are these devices employee-owned? Do organizations have the means to lock lost devices to prevent unauthorized access to information? Can the data on these devices be encrypted? Is there one mechanism for managing authentication credentials across all devices in the enterprise?

It may seem as if prohibiting employees from using their own devices is the answer, but it’s not an effective approach. Allowing employees to use the devices they love can enhance flexibility, reduce costs, and improve recruitment and satisfaction. Ultimately, the goal is to leverage technology to improve the patient care experience from all sides.

That means organizations need to work with mobile devices, not against them. Both enterprise-integrated mobile devices and employee/patient-owned mobile devices can be made more secure through the use of identity authentication, encryption, tracking/trace software, anti-malware, frequent back-ups and extensive monitoring. An integrated approach that makes mobile devices a component of an organization’s overall enterprise security strategy is better than point solutions.

The ease with which caregivers can access patient data using mobile devices is a great leap forward for healthcare, and data security is no reason to go backward. It’s just a matter of confronting the issues presented by mobile devices and addressing them decisively with technologies and policies that protect patients’ privacy and make sense. These technologies, properly secured, are offering healthcare professionals the ability to spend more of their time focused on helping patients and less of their time trying to get the access they need from their limited computing infrastructures.

Dave Marchand


