Why Healthcare BYOD Must Strive for Surgical Security


By David Abbou - Jan-15-2015

Enterprise mobility and BYOD culture can be seen as both the future for business communications as well as one of its most complex change management challenges.

But as daunting as it may seem to effectively implement a secure BYOD policy in the private sector, those trials pale in comparison to the healthcare sector, where mobile security risks can quite literally be a matter of life and death.

In an industry which requires using more equipment and devices than most, the convergence of smart technology, automation and sensitive patient and medical data can be viewed as the perfect storm for BYOD security failures. You’d be hard-pressed to find a sector where the challenges and the stakes are at such a peak. Data breaches and medical device malfunctions span the compliance and liability spectrum, carrying with them significant financial and legal repercussions.

If there’s an industry to watch in 2015 to see just how it can progress in overcoming mobile security hurdles, this is the one. In the coming years, will it become a model for best practices in terms of security infrastructure planning? Or will it constantly supply the greater IT community with one worst-case scenario after the next?

Finding sustainable solutions requires understanding the industry’s largest concerns and where they originate.

A mobile workforce equals more devices at risk

Doctors and other healthcare practitioners embody the word mobile like no other. A massive part of the healthcare workforce, be it full-time, part-time or contract staff, is constantly moving from one medical facility to another, and they are expected to deliver analyses, diagnoses and treatment plans in a relatively expeditious manner. Therefore, they’re perpetually accessing medical and patient data while on the go. Expectedly, this leads to many lost and stolen devices. Cloud security broker Bitglass published a Healthcare breach report in 2014 that revealed lost and stolen devices led to 68 per cent of all data breaches in the industry since 2010. Too many of these devices are not even sufficiently protected by basic passcodes and other security settings that users can apply.

It’s clear that healthcare providers need to devote more resources not only to security, but to educating practitioners and instilling a sense of urgency to protect PHI (Personal Health Information) on their devices. Electronic health records are worth 50 times the black market value of a credit card because medical and patient demographic data can’t be cancelled and remains valuable to thieves well after the theft is reported. Data breaches violating HIPAA legislation will run the provider a $50,000 fine the first time. The next time an identical violation occurs, the fine can be as high as $1.5 million. This doesn’t include lawsuits, which can be even more costly. A robust communications program to educate all applicable staff on why they must be mindful of these risks and how to employ security measures on their personal phones should not only be mandatory; it should also include follow-up sessions to verify that staff are applying these practices.

So many sign-ons, so little time

Imagine having to log in repeatedly to several different electronic medical databases and applications from several different PCs and devices, all in the same day. Now imagine that each login process for each client can take up to seven minutes just to complete. That should give you an idea how excruciatingly complex a practitioner’s workday can be, and how this also slows down their ability to serve patients, resulting in stress and dissatisfaction for everyone involved.

Lack of IT standardization to date means that each medical facility is usually using a different application to record and store patient data. This presents a unique integration challenge. But implementing a single sign-on system is fast becoming another necessary investment for the industry as its reliance on IT and mobility increases. Moreover, vertical solutions tailored to the unique data management and security needs of healthcare will be ever-present going forward. The key for organizations will be learning how to evaluate all of these offerings and accurately assess how they solve not just one set of problems but the bigger picture, which encompasses both service delivery and data security.

Unique problems require unique solutions

While many corporations have turned to Mobile Device Management (MDM) solutions in recent years, the fragmented nature of the healthcare continuum severely undermines the workability of such systems. That’s because doctors working for multiple providers would need to give control of all of their applications and data to one organization. The reality of so many personally owned devices accessing multiple applications means that healthcare organizations should prioritize data security, not device security. Virtualized solutions have emerged which manage all apps and data on a secured cloud or on-premises server. Not allowing any medical data to be stored on staff devices in the first place addresses more than just lost or stolen devices. It also removes the weakest link – or easiest target – for hackers and other security threats to exploit.