BYOD and the medical sector are a match made in heaven…and in hell. Consider the possibilities: the elimination (or more realistically, the minimization) of paperwork; the real-time synchronization of patient data; the savings in time, money, and complexity. No wonder 89% of healthcare workers reported using their personal devices at work in a Cisco survey.
But then, consider the consequences: the potential increase in HIPAA/HITECH breaches; the potential loss of reputation from privacy breaches; the increased risk of lawsuits… If an organization in the medical sector is not using MDM and other BYOD solutions but is engaging – either officially or otherwise – in BYOD, it is exposing itself to a lot of unnecessary risk.
Cisco Survey Reveals Worrisome Stats
According to lexology.com, answers to a Cisco survey of healthcare workers revealed the following (mind you, it doesn’t look like it’s a “rogue” situation where employees are bringing in their own devices against an organization’s policies; these are work environments where BYOD is embraced to one degree or another):
- 89% use personal smartphones for work purposes.
- 41% don’t have a password on their personal device.
- 53% access unsecured Wi-Fi on personal smartphones.
- 86% of smartphones are not set up for remote wipe.
It is further observed by lexology.com that,
Considering how easily smartphones can be used to receive and transmit large volumes of electronic protected health information (ePHI) and how often personal smartphones are lost or stolen, healthcare organizations that utilize BYOD programs without adopting appropriate security measures could be creating a serious privacy risk.
Hear, hear! You’ll recall that one of the biggest fines that the OCR/HHS has ever levied involved leaving patients’ documents in the Boston T. The incident compromised the data privacy of 66 patients. Considering how much more information can be stored, carried, and lost on a smartphone, a HIPAA covered-entity (and its business associates, which account for 20% of all HIPAA data breaches, after all) should really be looking into the use of MDM and other BYOD security solutions for smartphones, tablets, external drives, and laptops.
Cloud-based MDM: An Additional Point of Failure?
I have come across situations where HIPAA covered-entities don’t view the use of cloud-based solutions like AlertBoot as a palatable answer to their BYOD problems. Why? Increased risk.
More specifically, the risk of a HIPAA breach stemming from the cloud. It’s understandable: one’s using BYOD and MDM software to lower the risks of a PHI loss. The use of the cloud, however, tends to increase the risk of a breach because the cloud is really a bunch of servers “out there somewhere.” What could be worse for ePHI security than your patient data “out there somewhere”?
But this is only the case if the cloud solution requires the transfer of PHI. With AlertBoot’s MDM – which is cloud-based and completely transparent in terms of cost: i.e., you won’t find any surprise expenditures like having to buy a control server – PHI never leaves a device. Unlike the cloud when used for backup purposes (where PHI must be copied), an MDM solution like AlertBoot’s would never touch the data that’s on a user’s device…unless it has to be wiped remotely.
So, AlertBoot’s cloud-based MDM and BYOD security actually represents a tremendous value coupled with no additional data breach risks.