Enabling Healthcare with Apps – and Managing the Risks

“Evernote says security has been breached by hackers.” “Dropbox password breach highlights cloud security weaknesses.” These recent headlines are just two in a long list of examples of popular apps being compromised, putting sensitive data stored in their respective clouds at risk.

In an earlier blog, “What cloud is your healthcare data in?”, I explored the impacts of healthcare workers using apps with sensitive healthcare data, and the often undesirable side effect of moving the sensitive data into “side clouds” that are relatively insecure and add significant privacy and security risk.

A recent HIMSS global security survey of 674 frontline healthcare workers (Workarounds in Healthcare, a Risky Trend, HIMSS Media, March 2013) shows that when solutions are unusable, security is cumbersome, or IT departments are too slow or too restrictive in enabling new technologies, healthcare workers use workarounds. The survey revealed that this happens every day (22%) or sometimes (30%).

Personal apps for file transfer, note sharing, communications or other purposes were identified by 20 percent of healthcare workers as key tools for workarounds. When sensitive healthcare data is used in workarounds, this adds risk from a confidentiality / breach standpoint, as well as from an integrity (completeness / accuracy) standpoint, since the patient record often does not get updated with data moving in these workaround “side channels.”

To mitigate this risk, we need a multi-pronged strategy that includes improving the usability of healthcare solutions and security, so that healthcare workers are not compelled to use workarounds. IT departments in healthcare organizations need to be responsive and avoid being overly restrictive in enabling new technologies, or face being bypassed by healthcare workers who turn to workarounds. Administrative controls need to be bolstered, including policy, risk assessment (and proactively addressing deficiencies) and effective security training.

What kinds of apps are your healthcare workers using, and where do you see the risks?