Author Name Patrick Ouellette
When healthcare organizations’ IT and compliance staffs converge to implement a mobile platform for clinical staff users, technical and policy concerns are usually at the forefront of the decision-making process. But there’s also the legal aspect to mobile strategy that helps these organizations weigh the amount of risk involved with allowing clinicians to use mobile devices. Stephen Wu, a partner at the law firm Cooke Kobrick & Wu LLP, works with and advises many healthcare clients that are deliberating the best ways to provide mobile solutions within their organizations and secure the data that runs through those devices.
Wu said that clients feel as though they need to have a good handle on the security of their patients’ information. And from a network perspective, many are trying to segment the network to make sure that mobile devices have certain access limits in comparison to the rights they have on their desktop.
They’re taking a device-centric look at security in the sense that if mobile devices are going with the users when they leave work, the organizations want to ensure they’re protecting the device. And then there’s a data-centric look at security where you say regardless of where the information’s going, if you go outside of the network perimeter or the device, are there still ways we can protect the information? For example, you can use technology that uses digital rights management to, say, create expiration dates for information so even if it goes outside of the perimeter, there would be limits to what someone does with it or how long they can access it.
Some organizations have over-arching policies that apply to everyone in the organization that has a network-connected mobile device and others set specific standards for different parts of the organization. Wu said that these needs have led to customers using mobile device management (MDM) products more than ever. “The reason we’re seeing this mobile transformation where you’re using a MDM program is many organizations are trying to determine whether they should allow BYOD, organization-issued devices or slice and dice so that some groups have BYOD and others have corporate devices,” Wu said. “And an important aspect to this is documenting every decision before going forward with a program.”
When analyzing health data breach trends and the fear that IT staffs have of staff losing mobile devices that have patient data or have access to that data, one common theme is lack of encryption. Just like everyone else, Wu is still trying to understand why every organization doesn’t encrypt all of their data, especially mobile data. He agrees that it seems as though the technology is affordable, the penalties are well-known and data breach stories are very common. So what’s holding people back?
There are a lot of different factors, such as changing workflow and cost, but people know better now so there’s no reason not to do it. And when you factor in all the costs associated with a data breach and when someone like the Ponemon Institute says that it costs $250 per record compromised, it doesn’t seem like it’s worth it to leave information unencrypted.
Hearing from Wu on healthcare client interests in mobile security is interesting because it shows that these organizations are leaving no stone un-turned when it comes to finding the top ways to secure their patient data.