By Paul Martini, CEO of iboss Network Security
The year 2014 will be challenging for healthcare IT providers. The regulatory landscape is both more complex and more stringent, with HIPAA compliance a key priority. To complicate matters further, employees are introducing new applications, mobile devices, and mobile work habits that disrupt the ways security and privacy have traditionally been managed. This combination of external forces, the need for compliance and the emergence of employee “Shadow IT,” forces providers to seek a balance between security for the organization and privacy for personal data.
Here are four critical areas to evaluate when balancing security and privacy as a healthcare IT provider: mobility, flexibility, social savvy, and education.
Mobile devices are perhaps the most impactful force that today’s healthcare providers are confronting. The BYOD movement is bringing a large volume of devices onto the network, and moving data in and out of it, that traditional security tools cannot monitor or understand. From a security standpoint, every device on the network must be managed. However, since healthcare institutions do not own all of the devices their employees bring in, privacy has become a hot-button issue, covering both the privacy of the staff who own the devices and the patient data those devices may inadvertently leak.
The biggest mistake a provider can make is to operate traditional security and mobile security in silos. BYOD should be a primary component of any security policy, so that the two operate in tandem toward the same goals. Healthcare IT providers can deliver a value-added service by offering device-aware visibility across the network: identifying a user’s activity regardless of whether it comes from a desktop, a tablet, or a mobile phone. With proper policies in place, this visibility applies while the device is on the organization’s network and is switched off when the device leaves it, which is what keeps the staff’s off-network activity private.
In this changing environment, healthcare IT providers must preserve the flexibility to address the needs and concerns of all stakeholders. Emerging security tools can now enforce policies without decrypting data, which is especially helpful when employees’ and patients’ personal data is on the network: encrypted connections can be classified and controlled by their destination and by the user group involved, without inspecting the payload. In this manner, IT providers decrypt data only when necessary and thus address privacy concerns. Of course, these tools must still enforce security standards, so they apply policies to user groups even when the data is encrypted, and decrypt selectively only the traffic that needs further inspection. That is what finds the right balance between privacy and security.
One of the most challenging areas for both security and privacy is the widespread use of social media. Although it started as a personal activity, its influence has spilled over into professional settings. In the healthcare environment, an accidental posting of a picture taken in a patient’s room can constitute a breach of patient data, a privacy violation with serious consequences.
IT providers should deliver security solutions and advise on policies that address staff use of social media. One tactic is to restrict access to social media and image-sharing sites from specific locations in the building. In the scenario above, this policy would prevent staff from accidentally posting anything to Facebook while in a patient’s room. This type of location-specific setting offers an alternative to blocking social media outright, and instead focuses on enabling secure access while still protecting patient data privacy. One caveat: a control enforced on the organization’s network only covers traffic that crosses that network, so a personal phone on its cellular connection is outside its reach, which is one reason the staff education discussed later still matters.
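The two mechanisms described above (applying policy to encrypted traffic by user group and decrypting selectively only what needs inspection, and restricting social media by location) both come down to one decision a gateway makes per connection before any decryption happens. The following Python is an added example, not iboss code or anything from the original article, showing how that decision can be made from the TLS ClientHello alone: the server name the client sends in the clear (SNI) is enough to categorize the destination, and the user group and location then decide whether the session passes through encrypted, is blocked, or is decrypted for inspection. The hostnames, categories, group and location names, and the policy rules are all assumptions for illustration; the ClientHello is constructed inline so the code runs offline.

```python
import struct
from dataclasses import dataclass
from typing import Optional


def build_client_hello(hostname: str) -> bytes:
    """Constructed sample input: a minimal TLS 1.2 ClientHello record with one SNI entry.
    Real ClientHellos carry more suites and extensions, but the framing is identical."""
    host = hostname.encode("ascii")
    sni_list = b"\x00" + struct.pack("!H", len(host)) + host       # name_type 0 = host_name
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list) + 2) + struct.pack("!H", len(sni_list)) + sni_list
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"                    # version, random, empty session id
            + struct.pack("!H", 2) + b"\x13\x01" + b"\x01\x00"       # one cipher suite, null compression
            + extensions)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type 1 = ClientHello, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Read server_name from a ClientHello without decrypting anything. Returns None if the
    record is not a ClientHello, is truncated, or has no SNI; every length is bounds-checked."""
    try:
        if record[0] != 0x16:                                       # not a handshake record
            return None
        hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
        if hs[0] != 0x01:                                           # not a ClientHello
            return None
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        if len(body) != hs_len:                                     # truncated handshake
            return None
        pos = 2 + 32                                                # skip client_version and random
        pos += 1 + body[pos]                                        # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]        # cipher_suites
        pos += 1 + body[pos]                                        # compression_methods
        if pos + 2 > len(body):                                     # no extensions block at all
            return None
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        if end > len(body):
            return None
        while pos + 4 <= end:
            ext_type, ext_size = struct.unpack("!HH", body[pos:pos + 4])
            data = body[pos + 4:pos + 4 + ext_size]
            pos += 4 + ext_size
            if ext_type != 0x0000:                                  # 0 = server_name extension
                continue
            entries = data[2:2 + struct.unpack("!H", data[:2])[0]]
            i = 0
            while i + 3 <= len(entries):                            # entries: type(1) len(2) name
                name_len = struct.unpack("!H", entries[i + 1:i + 3])[0]
                name = entries[i + 3:i + 3 + name_len]
                if entries[i] == 0 and len(name) == name_len:
                    return name.decode("ascii")
                i += 3 + name_len
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


# Hypothetical category feed; a real gateway would use a maintained URL/category database.
CATEGORIES = {
    "www.facebook.com": "social",
    "www.instagram.com": "social",
    "www.dropbox.com": "personal-cloud",
    "ehr.example-hospital.internal": "clinical",   # hypothetical internal EHR host
}


@dataclass(frozen=True)
class Decision:
    action: str   # "allow" (pass through still encrypted), "block", or "decrypt" (inspect)
    reason: str


def decide(group: str, location: str, client_hello: bytes) -> Decision:
    """Illustrative policy: destination, group and location decide; payload stays encrypted
    unless inspection is actually required. Rules are assumptions, not a vendor's policy."""
    host = extract_sni(client_hello)
    if host is None:                                                # cannot classify: fail closed
        return Decision("decrypt", "no SNI: cannot classify, inspect before allowing")
    category = CATEGORIES.get(host, "uncategorized")
    if location == "patient-room" and category == "social":         # location-specific rule
        return Decision("block", f"{host} is social media, blocked in patient rooms")
    if category == "clinical":
        return Decision("allow", "clinical traffic stays encrypted end to end")
    if category == "personal-cloud" and group == "clinical-staff":  # group-specific rule
        return Decision("decrypt", f"{host} may carry PHI, DLP inspection required")
    if category == "uncategorized":
        return Decision("decrypt", f"{host} uncategorized, inspect before allowing")
    return Decision("allow", f"{category} permitted for {group} at {location} without decryption")


if __name__ == "__main__":
    for group, location, host in [("clinical-staff", "patient-room", "www.facebook.com"),
                                  ("clinical-staff", "ward", "www.dropbox.com"),
                                  ("guest", "lobby", "www.dropbox.com")]:
        d = decide(group, location, build_client_hello(host))
        print(f"{group:15} {location:13} {host:30} -> {d.action:8} ({d.reason})")
```

The design choice worth noting is the fail-closed branch: a client that sends no SNI (or, more recently, an encrypted ClientHello) cannot be classified from metadata, so the example routes it to inspection rather than letting it through. The same parser is what lets the guest group in the sample policy browse without any decryption at all, which is the privacy side of the balance the article describes.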
The biggest security problems in today’s healthcare environments are usually the easiest to avoid or prevent, because most security violations are not intentional. Consider a nurse who needs to send a large file to a doctor. If the internal IT infrastructure cannot handle the file size, the nurse may choose to transfer it via a personal Dropbox account. From a productivity perspective, this makes sense. However, doing so could amount to a HIPAA violation and could even cost the nurse their job.
To address this, healthcare IT providers need to invest in compliance education for hospital staff, sharing critical information about the organization’s security policy as well as regulatory compliance requirements. For example, organizations should train staff on which cloud-based services, such as Dropbox, conflict with compliance regulations, and direct them toward the proper tools as outlined in the organization’s security policy. Education works best when it is paired with a sanctioned alternative: in the example above, the nurse turned to Dropbox because no approved way to move a large file existed.
The demands for security and privacy can seem daunting to healthcare IT providers; however, this demanding environment is driving the next stage of security technology. A network no longer resides within four physical walls, and healthcare IT providers have the opportunity to add greater value by addressing these dramatic changes in the areas of mobility, flexibility, social savvy, and education.