Practical Guidance to Limit End-User Security Workarounds

It wasn’t too long ago that the coolest new gadgets were provided by your IT department. Today, the latest and greatest devices come from the consumer world, with IT departments being asked to support a growing number of employee-owned smartphones, tablets, 2-in-1 units and everything in between.

Employees are now accustomed to the capabilities they have in their consumer lives and expect a comparable experience on the job. This transformation is not only on the “device side.” The cloud, which has fueled this device revolution, is characterized by apps that are available 24x7x365 on any device, in any location. This always-on, always-connected model has significantly enhanced people's ability to collaborate through apps that enable file sharing, text/voice/video communication, note taking and the like.

So what happens when this consumer world and the enterprise world collide in a regulated industry like healthcare? The answer is that end-users will use these devices and apps, with or without the blessing of their IT department. This brings significant risk to healthcare organizations, which are subject to stringent security and privacy regulations, breach reporting requirements, and audits.

An example of this that I have heard on multiple occasions is a clinician taking a picture on their smartphone and texting it to a colleague to get an opinion. I like this example because it simultaneously demonstrates the power of the cloud, collaboration, and communication capabilities that have emerged in (relatively) recent years, but also raises some obvious concerns regarding the security and privacy of PHI: the image sits on an unmanaged personal device, travels over a consumer messaging service, and leaves no record in any system the organization controls or can audit.

HIMSS Analytics collaborated with Intel earlier this year on research in this area. Forty-six percent of the clinical end-users surveyed thought these kinds of end-user workarounds were happening regularly in their organizations. The top reasons for these workarounds centered on security controls being too cumbersome and IT departments being too slow to enable new technologies. Co-worker collaboration was cited as (easily) the top activity leading to these workarounds.


So what does this research tell us? I think there are several key takeaways that IT departments should consider to limit these kinds of risks:

  • Disallowing BYOD has limited effectiveness: Unless a healthcare organization is going to collect end-user-owned devices at the door and return them at the end of the day, end-users will engage in this kind of activity on their personal devices. IT needs to think about how it can empower clinicians safely rather than simply prohibiting the behavior.
  • Need to offer employees compliant alternatives: There are solutions for messaging, video conferencing and file sharing that are built to operate under healthcare regulations such as HIPAA (vendors will sign Business Associate Agreements (BAAs), etc.). A signed BAA is a prerequisite, not a guarantee: the service still has to be configured and used in line with the organization's policies. IT needs to offer employees an experience comparable to what they are used to as consumers.
  • Co-worker collaboration is a good place to start: While there are hundreds of thousands of consumer apps, the research cited above highlights co-worker collaboration as the area leading to the highest number of end-user workarounds, so it is where compliant alternatives will displace the most risky behavior.
  • Clinical end-user experience is critical: Often, complex or cumbersome security controls drive activity that is out of compliance with security policy. Engaging clinicians and choosing security controls that integrate seamlessly into their workflow is essential.

Have any of you had success mitigating these risks in your organization?

Chris Gough is a lead solutions architect in the Intel Health & Life Sciences Group and a frequent blog contributor.

Find him on LinkedIn

Keep up with him on Twitter (@CGoughPDX)

Check out his previous posts