Healthcare workers are being empowered with more and more information power tools: apps, smartphones, tablets and other devices, social media, and now wearables and the Internet of Things.
These tools deliver great benefits that can improve the quality of patient care and reduce the cost of healthcare. However, they also bring new risks of accidental breaches and other security and privacy incidents. 2014 HIMSS Analytics global research on healthcare security shows that healthcare workers use workarounds (out of compliance with policy) either daily (32%) or sometimes (25%). For example, a workaround could be texting patient information to a healthcare co-worker, using a file sharing app with patient information, and so forth.
Any one of these could result in a breach, and the cost of a data breach is staggering, averaging around US $5.85 million in the 2014 Cost of a Data Breach Study. The prevalence of workarounds and the impact of security incidents such as breaches together highlight the alarming probability and impact of this type of privacy and security risk arising from healthcare worker actions. These risks and impacts are also set to increase going forward as healthcare workers are further empowered. In most cases, healthcare workers are well-intentioned and try to do the right thing. However, they inadvertently add risk by using new information power tools, often under time or cost reduction pressure. Exacerbating this, the security and privacy awareness training provided by healthcare organizations is often limited in effectiveness, and even in the best case, where training is up to date and well delivered, the technology is evolving so fast that the risk landscape is significantly different even a few months later.
To date, much of the emphasis on responsibility for privacy and security has been placed on tool and service providers, enforced by regulators. This is analogous to safety regulators regulating the safety features of power tools used in workshops and for construction: even with the tool’s safety features, users know that they could inflict significant harm on themselves or others if they use the tools incorrectly.
In other words, users are responsible for using the power tools and their incorporated safety features in a way that delivers the benefits while keeping the risk of accidents minimal. What we are seeing in the information technology landscape is healthcare workers being empowered with information power tools such as apps, mobile devices, social media, wearables and the Internet of Things, with little or no concurrent, effective empowerment in the privacy and security savvy needed to use these tools for their benefits while also minimizing the risk of security incidents such as breaches.
To enable healthcare to rapidly realize the benefits of new technologies while keeping privacy and security risks manageable, we must find better ways of effectively empowering healthcare workers with the privacy and security savvy they need to use these information power tools safely.
What privacy and security risks are you seeing with healthcare workers using information power tools? I’m also curious about your thoughts, strategies, and best practices on how to manage these risks.
David Houlding, MSc, CISSP, CIPP is a senior privacy researcher with Intel Labs and a frequent blog contributor.