We spend a lot of time and attention analyzing vulnerabilities in specific endpoint devices or cloud platforms. That attention is warranted, but those vulnerabilities are often not the most significant source of privacy and security risk.
Healthcare workers are increasingly empowered with tools: bring your own device (BYOD) personal smartphones, tablets and laptops; personal apps for file transfer, note sharing and other tasks; and social media, texting, personal email, USB keys and so on. When healthcare solutions, or the security controls around them, are perceived by healthcare workers as unusable or cumbersome, they can and do resort to workarounds that introduce additional risk.
One specific example is moving unencrypted patient information using a file transfer service accessed through an app running on a personal device. In this case the sensitive healthcare data moves through the cloud storage associated with the file transfer app. This moves the protected healthcare data into a “side channel”, separate from the EHR (Electronic Health Record) and outside the control of the healthcare organization. This in turn adds risk of confidentiality breaches, as well as risk to the integrity and completeness of the patient record, since data moving in side channels like this, out of band with the official repository such as the EHR solution, often does not result in updates to the patient record.
Over time the patient record can become incomplete or out of date. In the best case this results in suboptimal healthcare; in the worst case it becomes a patient safety concern. This vulnerability can exist even with a secure endpoint device and a secure cloud behind it, and even if a thin / VDI client is used, since it only requires the user to be able to install and use the file transfer app.
In January 2013, HIMSS surveyed frontline healthcare workers globally on what motivates the use of workarounds, what types of workarounds are being used, and where there may be privacy and security challenges such as lack of policy, lack of enforcement, or ineffective training. The survey greatly exceeded the expected response rate, with more than triple the target number of responses: 674 total respondents. Here are some quick facts about the respondents:
- 77% of respondents were in North America
- 11% in Europe
- 4.5% Middle East
- 46% of respondents were working in hospitals
- 27% in multi-hospital systems or integrated delivery systems
- 7% in ambulatory care facilities
- 66% of respondents were in large organizations with more than 500 employees
- 23% in medium sized organizations with 50-500 employees
- 10% in small organizations with less than 50 employees
The largest categories of roles of respondents were nurses at 14 percent, doctors/PAs/nurse practitioners at 13 percent, administrative directors/managers at 11 percent, and several other healthcare frontline worker roles across provider, payer, life sciences and pharma sectors of healthcare.
What did they have to say? Stay tuned for more information in my weekly blog series leading up to HIMSS13 on the drivers motivating the use of workarounds by healthcare workers, the specific workarounds they are using, and where privacy and security are breaking down.
What risks are you seeing in your healthcare organization with sensitive healthcare data moving from endpoint devices into unsecured clouds?
If you will be at HIMSS13 in New Orleans, join us for a workshop panel to explore this concept further. RSVP and reserve your spot.