The healthcare industry's track record on protection of patient data remains disturbingly poor, even after more rigorous federal regulations took effect in 2009, say two recent reports. And it may get worse before it gets better if the industry does not find a better way to protect the patient information carried with smartphones.
A report issued last week by the Health Information Trust Alliance (HITRUST) found that data breaches at hospitals and health systems declined between 2009 and 2012, but increased in smaller physician practices, which accounted for more than 60% of the 459 breaches analyzed.
Those breaches involved more than 500 people, but HITRUST also found that as of May 2012 there had been 57,000 incidents involving fewer than 500 people.
A second study, by the Ponemon Institute, found that 94% of healthcare organizations reported at least one data breach during the past two years. Forty-five percent reported more than five breaches.
Both studies found that the most common causes of the breaches were not from hacking or malware but the loss or theft of devices and employee errors. The HITRUST report found that only 8% of the breaches were caused by hacking and/or malware.
And, as is true in just about every other sector of the economy, the smartphone is becoming ubiquitous, which means employees using their own personal smartphones for work, known as BYOD (Bring Your Own Device), is a fact of life. Ponemon reported that 81% of its survey respondents said they allowed BYOD to access organizational data, and 54% said they were not sure if those devices were secure.
HealthcareITNews reported last week that a survey from Spyglass Consulting Group found that, "more than two-thirds of hospitals surveyed for a new study reported that their nurses use their personal smartphones while on the job for personal and clinical communications ... [but] IT support for those devices is lacking."
Sarah Kliff reported recently in the Washington Post's Wonkblog that doctors emailing with their patients is becoming increasingly common.
That means that the industry needs to pay particular attention to smartphones, wrote Art Gross at the HIPAA Secure Now blog. In a post titled, "Your Smartphone Will Cause Your Next Data Breach," Gross aims his argument at healthcare workers who don't think they have any patient information on their smartphones.
"Smartphones can be used to access EMRs [electronic medical records], PACS [picture archiving and communication system], to provide remote access to [spreadsheets and documents] and run thousands of applications that may contain patient information," he wrote.
The risk is there even if a worker only uses a smartphone for email. "In many healthcare organizations, email is used as a communication vehicle, [and] more and more email may contain information about patients," he wrote. "Healthcare organizations use email to communicate patient test results, follow-up conversations with patients, recommended prescriptions, etc."
And even if email is used only for internal communications, and not with patients, "all those emails with patient information end up in your inbox. Your inbox is then replicated to your smartphone," Gross wrote.
If the phone is then lost or stolen, the patient data is breached. The Ponemon study said the combined cost of data breaches to the healthcare industry is nearly $7 billion annually.
Gross said that at a minimum organizations should limit the amount of patient information in emails, mandate a start-up password plus an inactivity timeout, and require data encryption.
Troy Gill, senior security analyst at AppRiver, said technology is available today for most devices to tackle key security issues. "Enforcement of password locking and remote data wipe are critical -- both of which can be achieved through [Microsoft] ActiveSync or BES [BlackBerry Enterprise Server], as well as third-party [Mobile Device Management] solutions," he said.
Gill said another key step would help: "Corporations should require a VPN [Virtual Private Network] connection when accessing their networks from any device.
"And, since most of the mobile malware that is being discovered lately has been coming in the form of malicious app installations, companies may consider limiting the types of apps that can be used on a company device," he said.
Chris Gray, Accuvant LABS practice manager, agreed that remote wiping capability is critical. "[It] can not only prevent data loss but also provide organizations with the ability to assure their management that the loss event does not require further legal or compliance mitigations."
Chris Petersen, CTO of LogRhythm, is not surprised that smaller organizations are much more vulnerable to data breaches. "Many smaller practices barely have a full-time IT staff much less someone focused on security," he said. "They should look to service providers and [resellers] that can recommend technology and approaches that reduce risk with a cost they can afford. Fortunately there are a lot of good solutions, many of them affordable."
But until they can bridge that security gap, using personal devices at work can be too dangerous. "They might be well served to ban BYOD," he said.
All of the experts agree that smartphones will continue to be lost and stolen. "There is no fix for this," Petersen said. "If organizations don't have the proper technical controls in place, they will be helpless when it comes to ensuring a lost device doesn't mean lost personal information."
Gray said the loss of mobile devices is a given, and that organizations should develop a multi-tier approach to dealing with this issue, that includes encryption, remote wiping and educating employees to report a loss or theft immediately.
Gill agreed, noting what's at stake. "It's much more cost-effective to make sure you have an effective way to protect the data that's on them, which in most cases is far more valuable than the devices themselves."