BYOD causing big IT headaches

When it comes to security, device apps are clear and present danger

“There’s an app for that” may be an effective marketing phrase, but don’t expect hospital security officials to appreciate it. The proliferation of personal devices and the apps that drive them is one of the biggest security concerns to hit healthcare in the digital age.

Known as BYOD – “bring your own device” – the new environment exists due to the pervasiveness of personal mobility devices among healthcare professionals in recent years. The devices have become well entrenched in a very short time, as studies show that approximately 80 percent of healthcare workers currently use a personal mobile device, whether smart phone or tablet.

The situation is a double-edged sword, with mobility giving clinicians the ability to access healthcare data at anytime from anywhere, but the flurry of unchecked apps also create an air of hospital IT vulnerability to security breaches, intrusive malware, viruses and worms.

“This issue is a huge challenge and the industry needs to get out in front of it,” says Chris Bowen, chief privacy and security officer for Tempe, Ariz.-based ClearDATA. “It is a situation that needs to be controlled.”

Therefore, hospitals need to implement a BYOD strategy, security specialists say, but it can be a complex process. If not implemented correctly, they contend it can potentially expose protected health information and actually create a greater risk of data breach.

“The first step is to assess risk before implementing any BYOD strategy, said Ron Sadowski, director of technology solutions for the RSA Security Management division of Hopkinton, Mass.-based EMC. Sadowski made his comment at a recent security panel discussion sponsored by Health IT Outcomes.

“Data sprawl is the biggest problem and, in terms of priority, it should rate the highest.”

The next step is to focus on the data that isn’t being controlled, but should be, Sadowski said.

“Figure out how it is outside the controls and prioritize accordingly,” he said. “PHI (personal health information) is the most valuable information and is the most vulnerable. Use that to guide your efforts.”

Device ‘infiltration’

Mark Roberts, manager of mobile technology at Yale New Haven (Conn.) Health, also participated in the panel discussion and summed up the challenge that healthcare organizations are facing with the app situation: “We had to conduct the risk assessment after the devices had already infiltrated the organization.”

The Yale New Haven security team examined the types of devices that were out there and the type of data they were accessing, Roberts said. After making a determination, he said the team initiated a BYOD policy governing how data could be accessed, security requirements for which devices are acceptable and then published the information for everyone affected.

“Once we got our arms around it, we revisited it and tweaked it appropriately in that manner,” Roberts said. “We have a lot of consolidation going on and there are different policies and security models within the organization, but we are standardizing everything.”

The text threat

Siva Subramanian, senior vice president of mobile products for Los Angeles-based Zynx Health, says he doesn’t see mobile apps as a true security threat.

“They are a transformation of healthcare delivery – it has become a largely mobile industry,” he said. “It is an additional layer of complexity that CIOs need to manage.”

Text messaging, on the other hand, presents a greater danger, Subramanian says.

“The elephant in the room is texting,” he said. “CIOs may have pretended it’s not happening, but it is and they can’t ignore it anymore.”

Texting is vulnerable on several fronts, Subramanian says – there are no log-ins or credentials required, no authorization is needed to access information and texts can easily be sent to the wrong person.

Zynx has a program called Context Messaging, which is HIPAA compliant software designed to take guesswork out correspondence by identifying care team members and correlating health information with each patient.

Ongoing challenge

While the news is dominated by massive data breaches at major retailers, Sony Pictures and Apple’s iCloud, Bowen maintains that most security missteps in healthcare are due to ordinary carelessness – lost devices and lack of sufficient encryption. And while it would be easy to blame complacency, Bowen doesn’t believe that is the reason for breaches in healthcare.

“The industry is enduring a massive shift in technology, from EHRs to getting physicians up to speed on data automation,” he said. “Then there is the evolution to ICD-10 and the overall squeeze on margins in healthcare, which is causing security to be overworked, under-sourced and needing help with basic elements of defense and depth. It is a swale you don’t want to sail into.”

Cloud safety?

Despite the headlines caused by the iCloud breach, Bowen maintains that cloud security is tight for the most part.

“You’d be surprised at how secure they are,” he said. “If you really look at it, a purpose-built cloud can be more secure than an on-premises server.”

Across the healthcare industry, organizations are increasingly embracing the cloud and trusting its security, confidentiality and reliability, Bowen said.

“We’ve had some major healthcare organizations become clients in the past year or so,” he said. “We’ve seen a huge uptick in interest in the cloud.”

Topics: Cloud Computing, Mobile, Policy and Legislation, Privacy & Security, BYOD, Electronic Health Record (EHR)

February 19, 2015