In today’s world, many people have a smartphone, and many also carry a tablet. A majority of these people use their devices to access information related to work, whether it’s an email, PDF or spreadsheet, which has made bring-your-own-device (BYOD) security a concern for many industries and organizations – and the healthcare industry is certainly no exception.
In the world of healthcare, doctors and nurses don’t sit in front of a computer all day. They are constantly on the go, treating patients, reviewing charts and files, and conferring with other departments and colleagues. For this reason, healthcare organizations feel the impact of the BYOD phenomenon. Healthcare chief security officers (CSOs) face some of the most pressing BYOD challenges.
In fact, according to a recent study published in Fierce Mobile Healthcare, 89 percent of U.S. healthcare workers use their smartphones for work purposes. In an industry that is always on the move, BYOD makes perfect sense for physicians, who can access information while walking from one patient’s room to another or from one hospital or clinic site to another. Being able to quickly access information, record observations and take notes easily speeds up their ability to help patients. While there are many secure applications that contain data, CSOs also need to factor in non-secure, unstructured data such as blood tests that can be saved and sent as PDF files.
As patients, we begin to wonder what sort of information is accessed and stored on a physician’s device. If patient records are stored on the device and it is lost or stolen, would it be easy to access a patient’s personal information? We cannot expect doctors to put away their tablets at a time when speed of information is essential to providing quality patient care, but healthcare CSOs can no longer ignore the resulting requirement associated with securing data at the source. One way to do that and still provide the benefits of mobility for healthcare workers is to provide access to patient information through a secure Web portal, which requires a login and password to access the data. Should a device be lost or stolen, the risk of unapproved access is mitigated by the fact that there is no data stored on the device itself. Another way to address this concern is to virtualize the environment so the data can be securely accessed but not stored on the device.
Employing these strategies correctly means healthcare organizations must evaluate risk factors for data. In order to ensure this is done correctly, it’s important to look beyond the data at the context of the user’s risk level. For example, if a set of data is assigned a mid-level risk classification and the user requesting access is in a role assigned a high-level risk classification, it’s likely that elevated risk should be factored into whether or not that user is granted access. In cases of elevated risk, CSOs also can establish a second factor for authentication, adding yet another level of security.
Imagine preparing for a vacation for which you need to see a doctor for immunizations – the doctor would take into account the data on your travel destination to see if there are reports on disease outbreaks that require immunization. However, a good doctor would look beyond the data to get better context for assessing the potential risks you could face on your trip. For example, your doctor would ask if you are only planning to go to a tourist resort, or are you going to engage in riskier activity like a four-day jungle trek?
In today’s healthcare industry, it’s important for CSOs not only to concern themselves with the risks surrounding their data access policies, but also to consider the context of a user’s role and accompanying entitlements. This will give them the full picture they need to appropriately evaluate their security policies related to data access and continue to allow healthcare workers to deliver the highest quality and most accurate patient care.
About the author
Jamie Manuel is identity and access management analyst at Dell Software, where he is responsible for driving the go-to-market plans for the Quest One Identity Solutions portfolio. To learn more about Dell’s Quest One Identity Solutions, go to www.quest.com/identity-management.