BYOD adoption is hampered by lax security

Michael Keoni DeFranco, CEO, Lua

As a growing number of medical providers use their smartphones and tablets to improve the speed and quality of healthcare delivery, this explosion of portable and largely unsecured devices is leaving patients and healthcare organizations vulnerable to hackers and cyber criminals bent on exploiting patient data for personal gain.

They’re targeted because the vast majority of healthcare providers haven’t taken the necessary steps to ensure patient data is encrypted. This turns what should be a win-win situation into a lose-lose-lose one: patients could have their data exploited, healthcare organizations face massive fines, and everyone loses if security concerns prevent healthcare providers from taking advantage of the latest technologies to improve the delivery of care.

The threat to healthcare data is real. Some 112 million medical records were compromised in 253 incidents last year – an astounding toll that highlights the vulnerability of our personal healthcare information (PHI), which can be used for insurance fraud, identity theft, or to make money through extortion.

Healthcare providers across the country have struggled to strike the right balance between innovation and security. The upside to portable devices is obvious, and a growing number of providers allow and encourage staff members to use mobile devices, often of the BYOD variety, to share critical test results, consult with colleagues, respond to code blues, and provide emergency notification.

But a recent Sophos white paper reports that only 29 percent of tablets and smartphones used in a healthcare setting are encrypted, and just 22 percent of wearable devices are encrypted. That compares with an encryption rate of 66 percent for healthcare PCs and 70 percent for servers.

These numbers should concern all of us because they highlight the degree to which patient data is vulnerable. But equally alarming is evidence that concerns over data security are turning some providers away from the use of mobile messaging. According to a recent study by secure mobile messaging provider Spok, BYOD usage among healthcare providers actually fell from 88 percent of respondents in 2014 to 73 percent in 2015, in large part due to concerns surrounding data security.

The challenge is made all the more difficult because many legacy technology providers do not support secure communications via staff members’ personal devices. And finally, healthcare providers have not moved on this issue because they have not been required to, until now.

This is because, according to HIPAA, encrypting health data is “addressable” rather than “required.” This means healthcare groups must assess whether encryption is “reasonable and appropriate” given an organization’s systems, policies, and practices. But given the rapid growth in use of portable devices and the growing number of thefts of those devices, the Department of Health and Human Services Office for Civil Rights is now signaling that it expects to see healthcare organizations adopt secure mobile messaging platforms to protect PHI. Failure to do so could now result in penalties of as much as $50,000 per violation.

The OCR is expected to soon show its enforcement teeth once again as it implements its next round of HIPAA compliance audits during the next several months.

But the risk of fines pales in comparison to the other forms of damage that a data breach could cause. Not only would patient privacy be compromised, but a severe breach could also tarnish a healthcare organization’s reputation. Most importantly, failure to overcome this issue could have a long-term impact on the healthcare system’s ability to innovate and improve the speed and quality of life-saving care.