News Feature | March 2, 2015

Bringing Your Health IT Clients Breach-Fighting Tech

By Megan Williams, contributing writer

One of the most painful aspects of a data breach for your healthcare IT clients is the reporting requirements, leading to both financial penalties and loss of reputational trust. Address this issue with them by taking some time to introduce them to this list of technologies from the Institute for Health Technology Transformation that can mean fewer reporting obligations, even if a breach does occur.

Encryption

Encryption is perhaps the most elemental level of protection against data breaches, but still, a full 41 percent of organizations do not use it as a form of protection. This is largely due to cost and difficulty around implementation, as well as HIPAA not requiring it.

The perception of inconvenience is a big factor, with users complaining that logging on to an encrypted laptop can take 5 to 10 minutes, and while use is getting better, the same complaints and worse are being heard about tablets. According to the CISO at a major Northern California health system: “Many healthcare organizations still are not encrypting hard drives on their laptops. That’s a necessary precaution to take, and it’s not expensive anymore. Having an appropriate encryption management process is the key to making sure you don’t have a breach when these devices are lost.”

Endpoint Management

BYOD (bring your own device) is a popular policy, but it's one fraught with risks.

Health systems like Denver Health have implemented mobile device management (MDM) software to address the wide range and varying levels of security that come with having a BYOD policy in a system. Lance Mueller, director of forensics for Executive Forensics, stresses the importance of mandating MDM in BYOD environments, emphasizing that no employee should be permitted to use a personal device unless it has some sort of MDM program in place.

Endpoint Security

Endpoint security solutions work on desktops, laptops, smartphones, and tablets, and offer functions including:

  • governance through remotely monitoring and controlling devices
  • risk management through alerts around predefined conditions
  • compliance through the use of certificates and reports as proof of security standards when a device is stolen or lost

Endpoint security solutions allow for location monitoring of mobile devices, so that if one is misplaced or lent to an unauthorized user, it can be located, a useful ability both in the case of theft and in deterring it. They also allow IT departments to detect whether device encryption is working, and whether the device has been accessed by anyone other than the authorized user.

The report stresses the lack of perfection of any security system, and the importance of an integrated approach that depends on no single component.