Mobile Devices in Healthcare Increase, as Do Security Challenges
Healthcare organizations are using mobile devices in greater numbers to improve productivity and patient experience, but these same devices can increase risks for a PHI breach.
Healthcare organizations are deploying mobile devices in greater numbers to improve employee productivity and patient experience.
In fact, 90 percent of healthcare IT decision-makers surveyed recently by Vanson Bourne said their institution is implementing or intends to implement a mobility program. Nearly half of the 600 respondents said they plan to increase mobile device usage within the next two years.
Respondents are using or plan to use mobile devices at nursing stations, administrative offices, and patient rooms, as well as for clinical care teams and administrative staff.
Wearables, too, are gaining popularity in healthcare. According to the Deloitte 2018 Health Care Consumer Survey, in the past five years, the number of U.S. consumers monitoring their health with wearable devices has more than doubled. Of the 4,530 respondents, 60 percent said they’re willing to share PHI-generated data from wearable devices with their healthcare practitioners to improve their health.
At the same time, mobile device security is a top concern when planning mobile programs. And these security concerns are justified, according to the Office for Civil Rights.
“Anyone with physical access to such devices and media, including malicious actors, potentially has the ability to change configurations, install malicious programs, change information, or access sensitive information — any of these actions has the potential to adversely affect the confidentiality, integrity, or availability of PHI,” warned OCR in its August 2018 Cyber Security Newsletter.
The federal agency stressed that policies and procedures are required by HIPAA to limit physical access to mobile devices. Healthcare administrators are also required to track movement of these devices around healthcare facilities.
Unfortunately, the security knowledge and policies of healthcare organizations and their workers aren’t keeping pace with the rapid increase in mobile device use in healthcare.
The consequences of this lack of knowledge can be costly.
“Patient information collected, stored, processed, and transmitted on mobile devices is especially vulnerable to attack,” states the guide Securing Electronic Records on Mobile Devices, published by the National Institute of Standards and Technology (NIST) and the National Cybersecurity Center of Excellence.
“Healthcare providers increasingly use mobile devices to store, process, and transmit patient information. When health information is stolen, inappropriately made public, or altered, healthcare organizations can face penalties and lose consumer trust, and patient care and safety may be compromised,” the report noted.
Stolen healthcare data can be extremely costly to organizations. A 2018 IBM-sponsored Ponemon Institute study estimated healthcare data breach costs average $408 per record, the highest of any industry and nearly three times higher than the cross-industry average of $148 per record.
The study assessed contributing costs surrounding a breach. These included investigations, public and customer notifications, legal fees, regulatory actions, and lost business and reputation. The length of time it took to identify and stop a data breach also factored in, as did investments in technologies to accelerate response time.
“The truth is there are many hidden expenses which must be taken into account, such as reputational damage, customer turnover, and operational costs. Knowing where the costs lie, and how to reduce them, can help companies invest their resources more strategically and lower the huge financial risks at stake,” wrote Wendi Whitmore, global lead for IBM X-Force Incident Response and Intelligence Services.
HIPAA fines have definitely contributed to healthcare data breach costs. Since the HIPAA Privacy Rule took effect in April 2003, OCR has assessed close to $80 million in fines in 55 cases, according to data on the HHS website. One of the largest fines ever assessed, $4.3 million, was levied on MD Anderson Cancer Center for failing to encrypt its inventory of devices, resulting in breaches of unsecured ePHI when a laptop and two thumb drives were stolen.
There’s no question healthcare organizations are employing mobile devices in greater numbers for a variety of purposes. However, these consumer-oriented devices were not designed to secure sensitive information such as PHI. To prevent costly data breaches that can result in hefty HIPAA fines, healthcare organizations need to ensure the PHI transmitted and stored on those devices is secure.