These days, BYOD has moved out of the realm of trend and moved into the realm of phenomenon.
And almost nowhere is this phenomenon--or rather, the growing pains associated with the birth of this phenomenon-- more keenly felt than in the healthcare sector. The reason? Inherent tensions are created with the immense benefits of mobile devices that contribute to a workplace culture dependent upon the free flow and easy availability of (potentially lifesaving) information, juxtaposed with severe (and possibly life-threatening) ramifications in the event that information becomes exposed or gets into the wrong hands.
And mobile devices become the catalyst for both contingencies.
"It's harder for the healthcare industry because of the politics and fluid nature of the workforce,” says Kevin Flynn, Fortinet senior marketing manager, and healthcare security expert. “But they're also dealing with important information and doing it in a strongly regulated environment.”
Flynn says that unlike most industries, it sometimes becomes a matter of life and death—quite literally—for doctors and patients to have immediate access to information (e.g. medical records, medicine dosage and schedules, allergies, etc...) at their fingertips.
“The biggest risk is that people don't get the right information they need,” says Flynn. “Security should not get in the way of that. That's a little different from most industries. If the CEO gets his report half an hour later, that's usually not a problem. But patients can't wait.”
With iPads and smartphones, doctors and surgeons can adhere to serial visitation schedules and easily obtain patient information when they need it. A sleek mobile device also enables healthcare workers to access sensitive data unobtrusively, as opposed to pulling out a laptop or relying on administrators, Flynn says.
“Doctors are often visitors [in hospitals], but visitors who require a whole bunch of information, and sensitive information that is regulated,” he says, adding that doctors and surgeons generally have a lot of say in how they provide care to their patients--which includes what kind of devices they use.
“The hard part is the politics and decision of who gets to see what. It's more complicated in healthcare. You're not going to tell a star heart surgeon what he can and can't do, unless it is a strict violation of regulations,” Flynn adds.
Therein lies the problem. Also, while the free flow of information is critical in healthcare, it often bumps up against the absolute necessity for patient privacy and the need to adhere to regulatory compliance mandates.
In light of the recent explosion of data privacy breaches which seem to make headlines on a weekly basis, HIPAA regulations have become more stringent, and more enforceable, regarding security infrastructure and user access. In addition, PCI DSS, the Payment Card Industry Data Security Standard, has also imposed increasingly severe restrictions, as well as processing and financial penalties, on any organizations that rely on credit cards for payment—which includes hospitals, doctors offices and medical facilities.
However, unlike credit card numbers and financial breaches, healthcare data is impossible to revoke, cancel or change once its exposed. “You can't put it back in the bottle,” Flynn says.
Striking the right balance between privacy and necessary functionality isn't a simple undertaking. But for one, the organization will likely have to invest in mobile management software and beef up their IT department's capabilities.
Implementing robust security at the Wi-Fi access point, such as encrypting VPN tunnels for example, in addition to some kind of two-factor authentication solution, is a necessity. Traditional security mechanisms such as antimalware and application control should also be deployed at that access point.** ** Beyond that, Flynn suggests in his white paper “Reinventing Security For the Healthcare Industry,” that healthcare organizations implement EHRs/EMRs that encrypt records in transit as well as remote access. He also recommends network segmentation with biomedical devices, HER systems and PCI networks. In addition, he advises installing Web filtering and application control technologies that restrict and monitor Web traffic and the use of Web based applications, as well as integrating DLP that prevents sensitive information from walking out the door.
Meanwhile, what eventually will happen is that IT will be required to accommodate and balance the healthcare industry's unique needs for both available information and privacy.
“In some ways, it's not unlike what IT departments did with PCs in the 80s, or with Internet access back in the mid 90s. So we're following a pattern here--organizations' users are demanding something for good business reasons,” Flynn says.“The security department has to adjust to that.”