As we covered in our recent blog post, Premera Data Breach Gives Hackers a New Revenue Source, cyber criminals are increasingly targeting healthcare organizations – staging sophisticated attacks that allow them to obtain a goldmine of personal health information (PHI). And while the recent attacks on Premera and Anthem have scared the bejesus out of healthcare CIOs, the majority of healthcare providers are using their personal devices for work activities. Savvy CIOs know that resistance is futile, so they are scrambling to institute BYOD (bring-your-own-device) policies with the hope that they can avoid a data breach or HIPAA violation. Is a BYOD policy in your organization’s future? If so, keep reading to learn how to balance HIPAA compliance, data security and BYOD.
HIPAA compliance and data security must happily coexist
HIPAA requires that PHI such as patient names, social security numbers and so forth not be downloaded to unsecured, personal devices. A healthcare organization’s IT team must be able to block and control critical information before it is downloaded to BYOD devices via a set of pre-determined rules that detect and recognize PHI.
In the case of an employee leaving the organization, IT must have the ability to selectively “wipe out” any corporate data, leaving the employee’s personal data or data from any other account intact.
Data visibility + IT control = risk mitigation
As more healthcare providers rely on their personal devices, IT needs visibility into, and control over, the data being stored on these devices. This visibility is critical for achieving and maintaining HIPAA compliance. HIPAA regulations require that healthcare organizations maintain detailed audit logs that provide an “electronic book of evidence” of their compliance activities. This information includes user information, location, IP address, type of device (e.g. smartphone, tablet or laptop), URL accessed and any other pertinent details. If a device is misplaced or stolen, IT can leverage that information to produce a list of all the data stored on that device and evaluate the risk associated with the loss.
IT also needs visibility into what happens with sensitive corporate data after it has been downloaded to an employee’s BYOD device. Specifically, IT needs to keep tabs on where that data travels, and be able to gauge the sensitivity of that data. Visibility via activities such as transaction logging and alerts can be a means of deterring employees from accidentally or deliberately disseminating sensitive information outside the organization without authorization.
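As an added example (not code from the original post or from HOSTING), the following Python sketch shows the two controls these sections describe: PHI-detection rules that decide whether a download to a personal device should be blocked, and an audit log that lets IT list what a lost device held and alert on PHI leaving the organization. The log lines, their key=value format, the PHI rule set and the assumption that the internal network is 10.0.0.0/8 are all constructed for the example.

```python
import re

# Constructed audit log lines in an assumed key=value format (not from the original post).
AUDIT_LOG = """\
2015-04-01T08:12:03Z user=jdoe ip=10.1.4.22 device=tab-0417 type=tablet action=download url=/ehr/patients/1001/summary content="Patient: Jane Roe SSN 123-45-6789"
2015-04-01T08:15:41Z user=jdoe ip=10.1.4.22 device=tab-0417 type=tablet action=view url=/intranet/cafeteria-menu content="Tuesday: soup"
2015-04-01T09:02:10Z user=asmith ip=10.1.4.30 device=lap-0099 type=laptop action=download url=/ehr/patients/1002/labs content="MRN 000123 lab results"
2015-04-01T09:20:55Z user=jdoe ip=203.0.113.9 device=tab-0417 type=tablet action=email url=/ehr/patients/1001/summary content="forwarding summary SSN 123-45-6789"
"""

# Pre-determined PHI detection rules (a small assumed set; production DLP uses many more).
PHI_RULES = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN\s*\d{6}\b"),
    "patient_name": re.compile(r"\bPatient:\s*[A-Z][a-z]+ [A-Z][a-z]+"),
}

LINE_RE = re.compile(r'^(?P<ts>\S+) (?P<kv>.*?) content="(?P<content>.*)"$')

def parse_line(line):
    """Turn one audit line into a dict and tag the PHI classes found in its content."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = dict(kv.split("=", 1) for kv in m.group("kv").split())
    rec["ts"], rec["content"] = m.group("ts"), m.group("content")
    rec["phi"] = sorted(k for k, rx in PHI_RULES.items() if rx.search(rec["content"]))
    return rec

def parse_log(text):
    return [r for r in map(parse_line, text.splitlines()) if r]

def should_block(rec):
    """The rule the post describes: PHI must not be downloaded to a personal device."""
    return rec["action"] == "download" and bool(rec["phi"])

def lost_device_report(records, device_id):
    """For a lost device, list what was downloaded to it, with the PHI classes per item."""
    return {r["url"]: r["phi"] for r in records
            if r["device"] == device_id and r["action"] == "download"}

def exfil_alerts(records):
    """Transaction-log alert: PHI e-mailed onward from outside the assumed 10/8 network."""
    return [(r["ts"], r["user"], r["ip"]) for r in records
            if r["phi"] and r["action"] == "email" and not r["ip"].startswith("10.")]

if __name__ == "__main__":
    recs = parse_log(AUDIT_LOG)
    print("blocked:", [r["url"] for r in recs if should_block(r)])
    print("lost tab-0417:", lost_device_report(recs, "tab-0417"), "alerts:", exfil_alerts(recs))
```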
BYOD should be easy to deploy and easy to use
Every IT organization has “more resources” on their wish list. And the appeal of BYOD lies in the fact that it eases the management burden of an overworked IT team. Compliant cloud solutions appeal to them because they are secure, deploy quickly and scale easily without heavy lifting. For example, data can be secured in compliant cloud desktops that are easily accessed by employees with any device of their choosing.
Minutes matter in healthcare, so it behooves IT to implement BYOD technology and policies that are user friendly. Security solutions that are complicated and slow workers down not only introduce risk and lower productivity, but also encourage them to adopt workarounds that defeat security policies.
Balancing HIPAA compliance, data security and BYOD can be a complicated – and risky – endeavor. Let the compliance experts at HOSTING help. With 200 healthcare customers and the experience of supporting more than 400 customer compliance audits, there isn’t a lot we haven’t seen. Contact us anytime with your questions about compliance, security or BYOD. You can also download a complimentary copy of the HOSTING HIPAA Compliance Guide.