Friday, April 12, 2013
Healthcare organizations should focus security efforts on data, expert claims
In the past few years, the role of data in the healthcare industry has greatly expanded. New, advanced tools produce more monitoring and other medical information than ever before. With the rise of electronic medical records (EMRs), this information can be accumulated, stored and shared with relative ease, allowing physicians, nurses and other personnel to make better-informed patient care decisions.
While the advantages of this trend are enormous and varied, there are also a number of challenges that healthcare providers must overcome to maximize the utility of the digitization and expansion of medical data. Most notably, care providers must take pains to ensure that this medical information is always secure. If this data is ever stolen or exposed, affected individuals will be at risk of becoming victims of identity theft or fraud. The organization in possession of this information may face financial or other penalties from regulatory bodies.
Mobile devices are among the most common culprits in these types of data breaches. Consequently, they are a primary area of focus for many healthcare organizations. However, according to industry expert Barbara Bartley, the key to successful data protection in the healthcare industry is to focus on data, not devices, Health IT Security reported.
Data over device
Speaking to the news source, Bartley, who serves as executive director of IT operations and information security officer of Baptist Health in Montgomery, Alabama, explained that it is difficult, if not impossible, to impose a sufficient level of control over employees' mobile devices to ensure data security. Instead, hospitals and other healthcare providers should focus on protecting the data itself.
Bartley noted that examples of this approach include encrypting all emails and other messages that personnel send and receive via mobile devices, and using auditing tools to ensure that red flags are raised if users engage in risky, insecure behavior.
The importance of a data-centric attitude toward security is increasing as more healthcare organizations begin to rely on bring-your-own-device (BYOD) deployments. Bartley pointed out that while Baptist Health does not have an official BYOD strategy in place yet, she is aware that personal devices are being used by employees to access critical health data. It is therefore essential to ensure that BYOD-specific tools are utilized by the organization.
As Bartley emphasized, a focus on end users is absolutely essential for any successful, secure BYOD program.
"Our biggest security asset is the end user and our biggest security challenge is the end user," she explained, according to the news source.
This state of affairs requires a two-pronged approach from personnel. First, the organization must invest in secure file sharing tools that require minimal additional effort from end users. If the process is too burdensome, employees will inevitably seek ways of circumventing it, thereby putting the organization's information at risk of exposure.
Additionally, as Bartley explained, organizations must also ensure that employees receive the training and education needed to understand and implement data-protection best practices when using mobile devices.