As recently as 10 years ago, healthcare IT was mostly corporate-provisioned, less diverse, and had slower refresh rates. Up to that point, usability was treated as a “nice to have” and given significantly lower priority than the features or functionality of solutions.
In this more homogeneous and slower-changing environment there was, for the most part, one way to get the job done. Fast forward to today, where most healthcare IT environments are much more heterogeneous, with a myriad of devices, both corporate and personal BYOD (Bring Your Own Device), operating systems, apps, versions, and social media, and now wearables and the Internet of Things are growing rapidly. Furthermore, refresh rates are much faster, especially for personal / BYOD devices and apps. In today’s environment, usability is very much a “must have”: research shows that when it is absent, healthcare workers find workarounds, such as using personal devices, and these workarounds drive non-compliance and additional security and privacy risk and can often be the source of breaches.
Traditionally we have approached usability and security as a tug of war or tradeoff, where having more security meant less usability and vice versa.
Unfortunately, breaches have reached alarming levels in both business impact and likelihood. The total average cost of a data breach in 2014 was US $3.5 million. This average is global and spans several industries, including healthcare. Looking more specifically at healthcare, the global average cost of a data breach per patient is US $359, the highest across all industries. With costs like these, avoiding breaches is of paramount importance for healthcare organizations. But how can we add security without compromising usability, and without inadvertently driving workarounds that actually cause non-compliance and risk?
What is desperately needed is security that preserves or even improves usability, where risks are significantly mitigated without driving healthcare workers to use workarounds. On the surface this may seem impossible, yet several security safeguards available today do just that. Many breaches occur due to loss or theft of mobile devices. A very good safeguard for mitigating this risk is self-encrypting SSDs (Solid State Drives). If one takes a conventional hard drive, unencrypted and at risk of causing a breach if lost or stolen, and replaces it with an SSD plus encryption, the result can often have better data access performance than the original conventional unencrypted drive. Another example of a safeguard that improves both usability and security is MFA (Multi-Factor Authentication) combined with SSO (Single Sign-On), which improves the usability and security of each login while also reducing the overall number of logins.
Intel Security Group is focused on creating innovative security safeguards that combine security software, vertically integrated with security hardware, to improve usability and harden the overall solution so that it is more resilient to increasingly sophisticated attacks, such as those from cybercrime. With cloud, mobile, and health information exchange, security becomes like a chain: effective security requires securing all points and avoiding weak links. Intel Security Group solutions span from mobile devices, through networks, to backend servers. This paves the way for healthcare to adopt, embrace, and realize the benefits of new technologies while managing risk and improving usability.
What questions about healthcare IT security do you have?
David Houlding, MSc, CISSP, CIPP is a Healthcare Privacy and Security lead at Intel Corporation and a frequent blog contributor.