With medical records reportedly worth 10 times more than a credit card number on the black market, health organizations need to develop a secure bring-your-own-device (BYOD) strategy to keep cybercriminals at bay. According to the latest count from the Identity Theft Resource Center, 40 healthcare breaches have taken place so far this year, exposing over 1 million records.1 To put these breaches in context: health organizations have suffered more breaches this year than banking, education, and government organizations combined. One driver is the growth of patient monitoring systems and wearable/smart devices, which generate more data but also give attackers more ways to reach sensitive information.
With the increase in data generation and data leaks, the industry has to adapt and evolve. For example, the Department of Health and Human Services is building a healthcare industry cybersecurity task force in an effort to improve preparedness for cybersecurity threats affecting the healthcare industry. In addition, HIPAA compliance standards are becoming stricter, with enforcement and penalties coming more swiftly.
In response, health organizations need to create and enforce secure BYOD policies that safeguard protected health information (PHI) and keep them clear of hefty fines. Healthcare organizations, namely their executive teams and IT departments, need to be proactive about cybersecurity. With the emergence of smartphones, tablets, and wearables in healthcare, organizations need to think like an attacker when establishing a secure BYOD initiative. Below are three areas health organizations and providers should address when adopting a BYOD program.
1. Provide employee training for cybersecurity awareness
According to a recent PwC report, three-quarters of large organizations experienced an employee-related data breach in 2015.2 Sadly, half of the most damaging breaches were the result of human error. Unintentional data breaches can be largely mitigated through consistent and comprehensive employee training, which has several benefits. First, it decreases the likelihood of careless errors when handling sensitive data. Second, it signals to employees that management treats data security as a top priority, and that they should as well. Third, it instills in employees the value of protecting patient and employee information: better training means fewer breaches and safer, happier patients. Lastly, employee training sends the message that management values its staff and is willing to provide them with the tools they need to be successful.
To start, training should specifically highlight cybersecurity awareness, as hackers are continuously developing new methods of stealing sensitive data. The training should include topics such as email security best practices, as well as the importance of strong passwords and secure methods of handling sensitive information. In addition to periodic training sessions, an ongoing support system from IT that has the full support of management ensures that employees have the resources and education required to make smart decisions when handling PHI.
2. Develop and enforce policies for using dated applications
Dead or stale apps – apps that are no longer supported by their developers but still sit on a personal device – present an open door for attackers: because they no longer receive security patches, any vulnerability discovered in them stays exploitable for as long as they remain installed. Thankfully, there are precautions organizations can take to protect the increasing amount of sensitive data that resides on a mobile device. For starters, employees should update apps promptly when newer versions are made available. If employees no longer need or use a particular app, encourage them to delete it from their device.
IT departments can also establish and enforce a mobile app whitelist to manage which apps are vetted and approved for employees to download. The intention of the app whitelist is to control how healthcare workers access PHI on mobile devices and desktops. If properly followed by healthcare employees and enforced by IT (for example through a mobile device management platform rather than policy alone), the whitelist greatly reduces the chance that users jeopardize PHI by using questionable, insecure, or infected apps to access patient records – regardless of whether those records are stored on the device or within the organization's network.
3. Ensure secure storage and transfer with ownership of encryption keys
Whether information is being stored on and accessed via smartphones, laptops, tablets, or wearables, organizations should be aware of the risks of inadequate encryption. Encryption on a lost or stolen device protects data only as well as the key is protected, so managing and maintaining encryption keys is necessary for ensuring that data housed on these devices remains out of the hands of cybercriminals.
Rather than focusing on the strength of an encryption algorithm (modern, standard algorithms are rarely the weak point), organizations may be better served focusing on where encryption keys are held and who can use them. Should a healthcare organization entrust its encryption keys to a third-party, public cloud storage provider that can be compelled to decrypt and hand over PHI when intelligence or law enforcement agencies ask for it? Just as you would never share your house key with a stranger, the same principle applies to encryption keys.
Keeping key generation and storage under the organization's own control, typically in a private cloud or on-premises key management system, is the surest way to guarantee exclusive ownership of encryption keys, and therefore the best option for maximum protection and control over a healthcare organization's data. Private cloud solutions also enable IT departments to establish their own security parameters rather than having to adhere to those established by the cloud storage provider.
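The key-ownership point above can be made concrete with client-side envelope encryption: each record is encrypted under a fresh data key, and that data key is itself encrypted under a key-encryption key (KEK) that never leaves the organization. The storage provider receives only ciphertext and a wrapped key, so there is nothing it could be compelled to decrypt. The following Go program is an added example written for this page, not code from the original article or from any vendor; the KEK source (an HSM or key vault), the key ID label, and the sample record are all assumptions made for illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is the only thing handed to the storage provider: the PHI
// ciphertext plus the per-record data key (DEK), itself encrypted under the
// organization's key-encryption key (KEK). The KEK is never included.
type Envelope struct {
	KeyID      string // label of the organization-held KEK that wrapped the DEK (assumed naming)
	WrappedDEK []byte // AES-256-GCM(KEK, DEK), nonce prefixed
	Ciphertext []byte // AES-256-GCM(DEK, record), nonce prefixed
}

// NewKey returns 32 random bytes, usable as an AES-256 KEK or DEK.
func NewKey() ([]byte, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return k, nil
}

// seal encrypts plaintext with AES-GCM under key, binds aad into the tag,
// and returns nonce||ciphertext||tag.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; a wrong key, a modified byte or a different aad fails the tag check.
func open(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// Encrypt runs inside the organization before upload: fresh DEK per record,
// record sealed under the DEK, DEK sealed under the KEK. keyID is bound as AAD
// to both layers so a wrapped key cannot be quietly re-labelled to another KEK.
func Encrypt(kek []byte, keyID string, record []byte) (Envelope, error) {
	dek, err := NewKey()
	if err != nil {
		return Envelope{}, err
	}
	ct, err := seal(dek, record, []byte(keyID))
	if err != nil {
		return Envelope{}, err
	}
	wrapped, err := seal(kek, dek, []byte(keyID))
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{KeyID: keyID, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt also runs inside the organization: unwrap the DEK with the KEK, then
// open the record. Anyone without the KEK, the provider included, fails at step one.
func Decrypt(kek []byte, env Envelope) ([]byte, error) {
	dek, err := open(kek, env.WrappedDEK, []byte(env.KeyID))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return open(dek, env.Ciphertext, []byte(env.KeyID))
}

func main() {
	record := []byte(`{"mrn":"000123","dx":"I10","note":"follow-up in 6 weeks"}`) // constructed sample, not real PHI
	kek, _ := NewKey()                                                          // in practice: loaded from the organization's HSM or key vault (assumed)
	env, err := Encrypt(kek, "org-kek-2016-01", record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("provider stores %d ciphertext bytes and a %d-byte wrapped key\n", len(env.Ciphertext), len(env.WrappedDEK))
	providerKey, _ := NewKey() // any key the provider might hold is not the KEK
	if _, err := Decrypt(providerKey, env); err != nil {
		fmt.Println("provider decrypt attempt fails:", err)
	}
	back, err := Decrypt(kek, env)
	fmt.Println("organization recovered record:", err == nil && bytes.Equal(back, record))
}
```

The per-record DEK means a single compromised record key exposes one record, and rotating the KEK only requires re-wrapping the small DEKs rather than re-encrypting every stored object. The same pattern applies to data at rest on a BYOD device: the device holds the envelope, and the organization's key service decides when the KEK may be used.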
With a costly data breach occurring almost every day, it’s imperative that health organizations invest considerable effort in developing adequate policies, training, and solutions to ensure PHI is properly and safely stored, accessed, and shared. It only takes one attack for an organization to incur heavy costs and damage to their reputation. Health organizations need to develop, monitor, and continually enhance BYOD policies and internal systems to safeguard PHI so that they can stay a step ahead of the next cyberattack.