Encryption a Challenge for BYOD Movement

June 17, 2013
Stage 2 meaningful use calls for encryption of data on end-user devices. With many clinicians, especially physicians, increasingly bringing their own BlackBerrys, iPhones, iPads, Android devices, and other handhelds, into patient care organizations for their personal clinical use—what some term the bring your own device (BYOD) movement—IT leaders could be faced with a challenging situation when it comes to securing these devices.

In a newly released whitepaper, CSC lays out a summary of key provisions in the final rule for Stage 2 meaningful use that include key additions to certification criteria. The paper is authored by Jane Metzger, principal research, and Jared Rhoads, senior research specialist, who both work at the Global Institute for Emerging Healthcare Practices, a division of the Falls Church, Va.-based CSC. The report states, “the new certification criterion requires any EHR technology that stores electronic health information on end-user devices to encrypt such information once it is no longer being actively used. So this applies to how the technology creates temp files, manages cookies, caches data.” Encryption of devices in Stage 2 meaningful use is one step further than the security risk analyses that were required for Stage 1.

“Organizations should be encrypting their laptops and tablets they put out there, and even their smartphones that are centrally managed,” says Rhoads.

Rhoads admits there are challenges with encryption for organizations that have a BYOD policy. “It’s not as easy to push out encryption requirements and capabilities to devices when they’re not centrally managed,” he says. “If you’re one of these organizations that has gone down the BYOD route, it could be a little more tricky when you have a Wild West environment. You’re going to have to offer a few different technologies to enable the encryption on the various devices. I don’t know if that is insurmountable, but as an IT department you’ll have to be a little bit more careful on that score.”

Rhoads adds that it is actually impossible to push out encryption requirements to some devices. And more challenges can arise when organizations have to rely on the users to install encryption products correctly on their own devices, he says.

Device encryption is particularly important in healthcare, an industry that has seen 407 breaches involving 500 or more people and more than 19 million individuals affected in the three years since the HITECH Breach Notification Rule, according to a report from CPA professional association Kaufman, Rossin & Co. In 2010 alone, more than 7 million records were compromised through breaches. According to the Ponemon Institute, the No. 1 cause of a data breach in 2011 was lost or stolen devices. Rhoads says that number could even be as high as 70 percent today.

Stay tuned for a more in-depth report on lessons learned from organizations that have suffered data breaches in the October issue of Healthcare Informatics.
