The use of mobile devices among healthcare professionals has never been more
prevalent. The flexibility they offer and the ease of access to patient
information enable healthcare organizations to focus more of their time on
positive patient outcomes.
As mobile devices multiply, healthcare
information has never been more portable—or more at risk. The use of unsecured
personal devices at work only complicates matters. The proliferation of smartphones,
tablets, USB drives and laptops—some company-approved and some not, some
encrypted and some open—means you can never know who’s accessing your health
information and whether or not it is truly protected.
The costs of health data loss are high and varied.
Healthcare organizations face not only public relations issues each time a
medical record goes missing, but significant financial costs. If an employee
loses a patient’s medical records, the healthcare provider is held liable. A
standard USB drive can hold more than 25,000 records, which can result in
direct and indirect data breach costs totaling more than $6 million. That’s a
huge penalty for such a small device.
Not to mention how likely it is that an
employee—many employees, in fact—will make such a mistake in a given year.
Today both employees and patients can use unsecured personal mobile devices to
carry or access health information. In 2009, a U.S. health insurance firm
suffered the consequences when it elected to save on encryption expenses. The
company lost 1.5 million clients’ medical reports when an unencrypted portable
drive went missing. The organization had to spend $250,000 on lawsuit fines,
$319,500 on letters to the affected clients, and $1 million for free ID
theft-monitoring services for the victims. And the erosion of trust and
potential for lost business is even more costly.
It should come as no surprise then that mobile
devices were identified as the biggest concern by a Dell-moderated focus group
of 50 CIOs representing small to large hospitals, integrated delivery
organizations, and commercial and government entities. Mobile devices also were
cited as the most concerning security vulnerability in a broader survey
conducted by Dell in May (see column at left).
One reason for this concern is the degree to
which data on mobile devices is not so much “lost” as “taken.” A study by the
U.S. Department of Health and Human Services (HHS) that examined 189 breaches
of 500 or more records found that 52 percent were caused by theft while just 16
percent were the result of so-called loss. Combined, these events cost U.S.
hospitals a whopping $12 billion annually, according to a Ponemon Institute report.
Ponemon targeted breaches of more than 500
records because that’s the reporting threshold. If an organization loses more
than 500 records containing patient health information in a single event, it is
required to notify HHS within 60 days as well as at least three prominent media
outlets in the regions where the patients with breached records live. Upon
notification, HHS posts an entry on its website listing the organization, the
breach date and the number of records breached. In an era when consumerism is
key to a company’s success, this type of publicity can be devastating.
Electronic health information is obviously
here to stay, and its ability to enhance patient outcomes is enormous.
Interoperable electronic health care records improve the quality and efficiency
of care by informing and speeding diagnosis and decision-making—we simply need
information management infrastructures that make the information safe and
secure.
To manage security properly in a mobile
environment, organizations need to ask themselves several questions. Is the
hospital’s network virtualized so that information is managed in the
datacenter, not on the device? Which devices are being used to access and store
health information? Do the devices have enterprise-class information security?
Are these devices employee-owned? Do organizations have the means to lock lost
devices to prevent unauthorized access to information? Can the data on these
devices be encrypted? Is there one mechanism for managing authentication
credentials across all devices in the enterprise?
It may seem as if prohibiting employees from
using their own devices is the answer, but it’s not an effective approach.
Allowing employees to use the devices they love can enhance flexibility, reduce
costs, and improve recruitment and satisfaction. Ultimately, the goal is to
leverage technology to improve the patient care experience from all sides.
That means organizations need to work with
mobile devices, not against them. Both enterprise-integrated mobile devices and
employee/patient-owned mobile devices can be made more secure through the use
of identity authentication, encryption, tracking/trace software, anti-malware,
frequent back-ups and extensive monitoring. An integrated approach that makes
mobile devices a component of an organization’s overall enterprise security
strategy is better than point solutions.
The ease with which caregivers can access
patient data using mobile devices is a great leap forward for healthcare, and
data security is no reason to go backward. It’s just a matter of confronting
the issues presented by mobile devices and addressing them decisively with
technologies and policies that protect patients’ privacy and make sense. These
technologies, properly secured, are offering healthcare professionals the
ability to spend more of their time focused on helping patients and less of
their time trying to get the access they need from their limited computing
infrastructures.
Dave Marchand