With more than 30 million individuals affected since 2009, healthcare data breaches are swiftly becoming one of the costliest problems facing healthcare organizations everywhere. If you would like to take a look at the highlights, just visit the Department of Health and Human Services' Office for Civil Rights "wall of shame", a list of every breach affecting more than 500 people. The current tally is just over 900. Not surprisingly, the most common cause of the breaches listed on the wall is lost or stolen unencrypted devices.

According to Dan Berger, security expert at the pen testing firm Redspin, organizations need to avoid rushing through HIPAA guidelines and just ticking the boxes, because that only provides a false sense of security. What is most important, Berger says, is the need to look at both the technical and the operational issues surrounding HIPAA data. For example, if a certain healthcare worker requires access to 10,000 health records, the organization had better know about it and make sure proper compensating controls are in place.

During an interview with Marianne Kolbasuk McGee, Berger faults the U.S. Government for not including mandatory encryption of data at rest as part of the HIPAA Security Rule. However, he does compliment the Omnibus Rule for holding Business Associates equally accountable for protecting personal health information throughout its chain of custody. One of the most interesting points Berger makes, in response to the ever-increasing risk of BYOD within healthcare organizations, concerns the mindset employees have toward their own personal devices.
"At the end of the day, the problem with BYOD comes down to the fact that a user using their own cell phone or tablet has a different psychological feeling towards that device. It is theirs, so they really feel like they can do what they want with it. It's very hard to change that psychological dynamic. What we recommend is a holistic, multi-pronged solution; the things you need to include are the policies, not ones that you are forcing on your employees, but ones they are accepting as policies. Most importantly, you need to train your users on mobile device security."

Berger finishes up by stating that, due to these challenges, we might see some organizations heading towards more of a "choose your own device" policy, giving their users the option to select from various devices that already have sufficient security built in. He says we might be seeing less BYOD in the future, and a resurgence of organization-managed devices.

What Berger doesn't mention, however, is the rise of new technologies that enable users to collaborate safely in the cloud on mobile devices. Given this trend in technology, it doesn't make much sense that organizations are going to move backwards to "choose your own device" or company-provisioned devices.

Please leave a comment and share your thoughts with us! With the rise of information security breaches caused by mobile devices, do you think we are headed back to the days of BlackBerrys and managed corporate devices?