Healthcare Workarounds: Managing Risk in the Age of User Empowerment

Several research studies, most recently Curbing Healthcare Workarounds for Coworker Collaboration, show that healthcare workers are increasingly using workarounds, i.e. procedures out of compliance with policy. Lack of usability, cumbersome security and slow or overly restrictive IT departments all drive the use of smartphones / tablets and apps, texting, file transfer, USB sticks, personal e-mail, social media, etc. with sensitive information. The majority of healthcare workers are not malicious, but rather well-intentioned and motivated to improve the quality and reduce the cost of healthcare.

However, these healthcare workers are increasingly empowered with information power tools, including mobile devices, apps, social media, wearables and the Internet of Things, and mostly without the privacy and security savvy needed to use them safely. While these workarounds offer more usable and exciting new alternatives, they also bring major privacy and security risks and non-compliance with policy. BYOD is becoming mainstream, apps and devices are gaining power, and the rapid growth of wearables and the Internet of Things further exacerbates these risks.

Some “black and white” workarounds, clearly out of compliance with policy, are today effectively detected and mitigated by MDM and DLP. For example, if policy forbids the use of USB sticks with certain endpoint devices, and this usage is detected by safeguards on such an endpoint device, it is straightforward to prevent. However, compliance with policy is often much more difficult to establish in practice for many other user actions. For example, if a user is using a file transfer app to transfer a photo from their personal device at a healthcare facility, is this out of compliance? Well, it typically depends on the content of that photo. Is it a photo of a patient, representing PHI and non-compliance, or is it a photo from last weekend's hike, being shared with a friend and co-worker in healthcare, and representing acceptable use?

Unfortunately, classification of PHI is challenging for many media types, including images, audio, video and often even free-form text. Further, many of these media types can be directly acquired on an endpoint such as a personal smartphone and exchanged over networks such as 3G or 4G that bypass the healthcare organization's secure servers, defeating existing safeguards, including thin client solutions that secure healthcare data on managed backend servers.

This “gray region” of the risk spectrum is rapidly growing with the increasing empowerment of healthcare workers. If you have a personal device and participate in your organization's BYOD program, you most likely had to install some MDM software on your device to enable this. However, to illustrate the magnitude of residual risk even after installation of MDM, consider the range of risky actions the healthcare worker can still perform on the device, including taking photos, recording video / audio, texting, file transfer, personal e-mail, social media, and so forth. Many organizations use annual security awareness training to help mitigate this risk. However, this training is often ineffective, and the technology and risk landscape is fast evolving.

Join us at IAPP Privacy Academy and CSA Congress 2014 in San Jose, Calif., September 17-19, for a lively interactive session on Healthcare Workarounds: Managing Risk in the Age of User Empowerment, sharing 2014 HIMSS research covering the extent of healthcare workarounds, their motivations, types and mitigations. We will then highlight practical strategies to enable new technology use while effectively mitigating risk and improving compliance with policy and regulations.

What you’ll take away:

  • Increasing empowerment of healthcare workers with technology
  • Growing source of risk from workarounds
  • Practical strategies to embrace and benefit from new technology while effectively mitigating risk

David Houlding, MSc, CISSP, CIPP is a senior privacy researcher with Intel Labs and a frequent blog contributor.

Keep up with him on Twitter (@davidhoulding)