Over the past year we’ve seen a tremendous number of attacks on the sector, and the healthcare industry needs some strong medicine to cure its data security problems. Major hacks may draw the headlines, but there are many other, everyday practices in hospitals and doctors’ offices that are putting our healthcare data at risk.
Why healthcare data security is so hard
Users and IT always seem to butt heads on security versus user experience, but health IT has some issues that you might not see in fields like banking or retail, which also deal with sensitive data. Take authentication: a five-second delay for a doctor to log in and check the database for allergies or co-existing conditions could be a matter of life and death for a patient, yet the same delay would merely irritate a loan officer or sales clerk.
But, there’s also more at risk when a healthcare record is breached versus a credit card account. A financial record may have your contact information and social security number, but a medical record can have that, plus your unique medical history including diagnoses, treatments and physical markers. That makes healthcare records more valuable on the black market than other types of stolen data, according to Ponemon.
Healthcare and IT don’t always understand each other’s needs, advantages and limitations, which hinders the industry’s overall ability to secure data. Here are some of the major things that healthcare is doing wrong, followed by some of the things that can help fix their problems.
What healthcare is doing wrong
- Focusing too much on compliance: While HIPAA and the Affordable Care Act are the reasons many healthcare practices finally got onboard with health IT, as the high number of breaches to HIPAA-compliant databases in 2015 prove, compliance isn’t sufficient to protect patients’ privacy.
- Tolerating mobile (BYOD) insecurity: Most doctors are using mobile devices in their work, such as emailing and texting with other healthcare professionals and patients. Many of those smartphones and tablets are personally owned, and many aren’t properly secured and encrypted. If these devices are lost or stolen, personal data is at risk.
- Spending too little on security: Healthcare organizations devote only about 14% of their IT budgets to security, compared to an average of 20% in other industries, CNBC reports. With all that’s at stake, health IT needs to rebalance its budget.
- Not making security a priority across the organization: Too many employees think security is IT’s responsibility, not theirs. But users are the weakest link in security, making mistakes – such as clicking on malware-infected emails or losing their laptops or smartphones – that open the entire organization to threats.
- Making IT systems too complicated or too simple: Users will misuse or ignore IT policies and systems that are too complicated to use, no matter how well-intentioned they are. On the flip side, policies and systems that are focused more on ease-of-use than security can put your data at risk. Balancing security and usability can be more complex in healthcare than other industries, but striking that balance is critical to protect the security of our personal health information.
What healthcare needs to do instead
- Implement comprehensive risk-management practices: Instead of making HIPAA compliance your goal, make that the starting point, then layer on behavioral analytics and other risk-management technologies. IT departments must be able to identify suspicious behavior, from insiders and outsiders, before your data is compromised.
- Use two-factor authentication, but make it easy: Secure logins should be a no-brainer, and two-factor authentication is the minimum to settle for. But speed is of the essence in emergency health situations, so combinations like a scanning an employee badge and iris may be faster than typing a password or using a fingerprint scan, both of which would require healthcare professionals to remove their gloves and compromise sanitary environments.
- Encrypt databases and mobile devices: Data must be encrypted, whether at rest in the database, being accessed by a user, or in transit between a device and storage, to protect the security of that data in the event of a system hack or lost/stolen device.
- Use enterprise mobility management (EMM) systems: Mobile device management helps IT administrators manage and secure all of the mobile devices that access company networks. For example, BlackBerry’s BES12 EMM enables healthcare organizations to set up containerization and end-to-end security to ensure no sensitive information is compromised, no matter what device (operating system, BYOD, company owned, etc.) is used to access data.
- Build a security culture: Anti-malware software, advanced behavioral analytics, encryption and other securities are important, but they aren’t enough. Healthcare organizations need to establish a top-to-bottom security culture, where anyone who accesses data or systems feels personally responsible for maintaining the security of that information. This is partially a training issue, but it’s also a corporate culture issue.
In my last blog, I wrote about how BlackBerry is helping to solve the problem of poor medical device security, and I believe we also have an important role to play in healthcare security across the board. BES12, our enterprise mobility management (EMM) platform that allows administrators to securely manage devices and endpoints across a wide range of operating systems including Android, iOS, Windows, and BlackBerry, has won praise and awards. We’ve also been building out our secure mobility portfolio with acquisitions of Good Technology and other companies that altogether create a complete, cross-platform, secure enterprise mobility solution.
Healthcare has a long way to go to shore up its data security technologies and practices, but all of these things are achievable. And, I’d argue that the importance of protecting patients’ privacy and the integrity of our healthcare system means that we have no choice.
Mobility offers enormous potential for delivering the best quality patient care, but there are a lot of issues to consider in creating a secure mobile healthcare strategy. Our new book, The BlackBerry Guide to Mobile Healthcare, and webinar series help decision makers address some of the key challenges. Click here to get your free copy of The BlackBerry Guide to Mobile Healthcare and visit BlackBerry Enterprise Webcast Central for archived webcasts on Why Home Healthcare Should Go Mobile, Clinical Collaboration and Hospital Staff Coordination and other enterprise topics.