Are you putting your health organization at risk for a security breach? That question isn’t aimed solely at the hospital or clinic IT department anymore. It is something that needs to be on the mind of every clinician and healthcare worker. Every few weeks there is yet another health organization in the news that has suffered a security breach and put its patients’ medical records and personal information at risk. Most often this happens when a mobile device holding such information (cell phone, tablet or laptop) is lost or stolen. One of the most recent examples comes from Beth Israel Deaconess Medical Center where a laptop containing short summaries of medical information on 4000 patients was stolen from the office of one of its physicians. Although the medical center encrypts information held on employee laptop devices by default, the stolen laptop was an employee’s personal device that was being used for office work. As a result of the breach, in addition to notifying patients whose personal information might be at risk, the medical center will now implement a mandatory encryption policy for all devices used by its 6000 workers.
The growing concern about such security breaches is evident in a May 4th bulletin issued by the Department of Homeland Security. DHS specifically called out threats to healthcare organizations that are being posed by unsecure, network-attached mobile devices. Those threats include loss of patient data and the spread of malware on a hospital’s network. As more and more hospitals and clinics move toward electronic storage of medical records, DHS reminds us that patient information is increasingly at risk. Although most large enterprise health organizations are well aware of the threat and have significant protections in place to deal with it, the fact that breaches can and do occur even in these well-prepared centers provides proof of the need to do even more to protect patient information.
The bottom line is that all mobile devices used by clinicians and other health workers should be encrypted. This not only includes devices issued to employees by the health organization itself, but should also apply to any personal devices that are allowed to connect to the network. In addition, healthcare IT departments need tools that can help manage how these devices connect to the network and what information is available to users based on their role in the organization. Ideally, should a mobile device be lost or stolen it can be traced and even remotely wiped of all data.
Healthcare organizations large and small must do their utmost to protect personal health information. If you have questions about the security of mobile devices used in your organization or need help with strategies and tools to help you manage such devices, contact your Microsoft account executive or a Microsoft certified partner or system integrator for help. You can learn more here.
Bill Crounse, MD Senior Director, Worldwide Health Microsoft