Skip Links

With BYOD, data breaches just waiting to happen

Smartphone insecurity means healthcare patient information, for one, remains at high risk, studies find

By Taylor Armerding, CSO
December 12, 2012 08:05 AM ET

CSO - The healthcare industry's track record on protection of patient data remains disturbingly poor, even after more rigorous federal regulations took effect in 2009, say two recent reports. And it may get worse before it gets better if the industry does not find a better way to protect the patient information carried with smartphones.

Get ahead of the BYOD wave

A report issued last week by the Health Information Trust Alliance (HITRUST) found that data breaches at hospitals and health systems declined between 2009 and 2012, but increased in smaller physician practices, which accounted for more than 60% of the 459 breaches analyzed.

Those breaches involved more than 500 people, but HITRUST also found that as of May 2012 there had been 57,000 incidents involving fewer than 500 people.

A second study, by the Ponemon Institute, found that 94% of healthcare organizations reported at least one data breach during the past two years. Forty five percent reported more than five breaches.

Both studies found that the most common causes of the breaches were not from hacking or malware but the loss or theft of devices and employee errors. The HITRUST report found that only 8% of the breaches were caused by hacking and/or malware.

And, as is true in just about every other sector of the economy, the smartphone is becoming ubiquitous, which means employees using their own personal smartphones for work, known as BYOD (Bring Your Own Device), is a fact of life. Ponemon reported that 81% of its survey respondents said they allowed BYOD to access organizational data, and 54% said they were not sure if those devices were secure.

HealthcareITNews reported last week that a survey from Spyglass Consulting Group found that, "more than two-thirds of hospitals surveyed for a new study reported that their nurses use their personal smartphones while on the job for personal and clinical communications ... [but] IT support for those devices is lacking."

[Related news: Google's Android app scanner falls short in security test]

Sarah Kliff reported recently in the Washington Post's Wonkblog that doctors emailing with their patients is becoming increasingly common.

That means that the industry needs to pay particular attention to smartphones, wrote Art Gross at the HIPAA Secure Now blog. In a post titled, "Your Smartphone Will Cause Your Next Data Breach," Gross aims his argument at healthcare workers who don't think they have any patient information on their smartphones.

"Smartphones can be used to access EMRs [electronic medical records], PACS [picture archiving and communication system], to provide remote access to [spreadsheets and documents] and run thousands of applications that may contain patient information," he wrote.

The risk is there even if a worker only uses a smartphone for email. "In many healthcare organizations, email is used as a communication vehicle, [and more and more email may contain information about patients," he wrote. "Healthcare organizations use email to communicate patient test results, follow-up conversations with patients, recommended prescriptions, etc."

Our Commenting Policies
Latest News
rssRss Feed
View more Latest News