As Mobile Devices Proliferate, Securing Data Becomes Critical

February 14, 2011
Ed Rabinowitz

By now there should be no doubt that the use of smart phones, iPads and other mobile devices have infiltrated the healthcare sector. But the mobility aspect of these devices means that extra steps need to be taken to ensure the protection of the sensitive information within. Note: Hacking is the least of your worries.

By now there should be no doubt that the use of smartphones, iPads and other mobile devices has infiltrated the healthcare sector. According to a recent survey of nearly 950 HIMSS members, more than 25% of respondents plan to deploy the iPad or other iOS devices immediately, and nearly 70% say they will do so within the coming year.

It’s easy to site that as a positive development within healthcare. But Edy Almer, vice president of product management for Safend, a provider of endpoint security solutions, cautions that the mobility aspect of these devices means that extra steps need to be taken to ensure the protection of the sensitive information imbedded within.

“These devices are not only used inside the clinic,” Almer explains. “They’re taken home, taken on the road, and they’re much more likely to be lost than a desktop that your front desk is using.”

Hacking Is Not the IssueAlmer says that accidental disclosure of patient information is a much greater risk than intentional theft. He points out that while cyber thieves will actively go after consumers’ credit-card information, they’re not likely to camp outside a physician’s office trying to steal medical data because it’s not as sellable.

“The real concern is about accidental disclosure and the HIPAA requirements around it for any physician office,” Almer says. “If you lose more than 100 records, you have to announce everybody. That’s a big cost, a big pain, and it impacts on reputation.”

Mike Logan, president and co-founder of Axis Technology Software, a provider of IT consulting and data-security products, agrees that the internal or accidental risks are much greater. “If somebody wants to steal personal data, they’re going to look for places where it’s consolidated and lots of it is stored in one place,” he says. “They’re going to look for the biggest bang for the buck.”

Healthcare, Logan says, still employs a lot of manual processes -- lots of paper. However, as more IT solutions are built to make it easier for healthcare organizations to manage patient history and drug records, the tendency will be to copy that paper data to multiple electronic locations. “Mistakes will happen,” he says, “so what you want to do is mask that data.”

Myriad Methods of ProtectionAlmer suggests that the first place physicians should start when looking to secure patient data is by encrypting and password protecting all mobile devices; even better is making certain to keep as little sensitive data on them as possible. Beyond that, products like the company’s Data Protection Suite, that block and log data leakage in smart phone and tablet programs, can help.

“We separate blocking from logging because at the end of the day, the people making decisions [in a medical practice] should have the freedom to make a decision,” Almer explains. The blocking feature comes into play in obvious situations, such as if one person attempts to transfer hundreds or thousands outside the organization. But where the transfer of fewer records is concerned, such as 10 or 20 patient records, even if something goes wrong and the data is lost, there’s an auditable log indicating that only a small number of records were lost. “You’re keeping the risk way down,” he says.

Logan is a proponent of data masking, a practice that allows the focused, targeted sharing of sensitive data, affording access to the data based on an individual’s role within a healthcare organization. Data masking, he explains, manipulates data so that it’s still usable by doctors and nurses, but cannot be tied back to an individual patient.

“Masked data are useless to a thief because it is out of context, with no way to utilize it outside of the environment,” Logan says. “By using data masking, companies do not have to disclose if there is a breach because the private data is unable to be used by thieves, therefore eliminating the risk to the patient. It’s an effective method to protect against both cyber thieves and accidental losses caused by internal mishandling.”

Leverage Federal Funds for SecurityAlmer points out that physicians looking to better protect patient data should do so by taking advantage of federal money available as part of the Health Information Technology for Economic and Clinical Health (HITECH) Act. “Take the opportunity to upgrade your infrastructure because it’s a good way not just to protect data, but also make it more available to more parties, and automate parts of the process [of information sharing] that will make everything easier and less expensive for you as a practice,” he says.