Safe & Sound with Marianne Kolbasuk McGee

Mobile Policies Coming Up Short

Surveys Confirm There's Work to be Done

A new survey of CIOs from Robert Half Technology finds that healthcare organizations lag behind those in other business sectors when it comes to having a formal mobile technology strategy.


And our just-released 2014 Healthcare Information Security Today survey found that 16 percent of healthcare organizations lack a mobile device security policy.

The recent Robert Half Technology phone survey of 2,328 CIOs included 270 CIOs from the healthcare services sector.

Of those healthcare CIOs, 36 percent reported that their organizations have no formal mobile technology strategy, the highest percentage among all the industries surveyed.

Robert Half Technology, which provides technical staffing services, also found that 57 percent of healthcare CIOs say that their organizations have not developed a mobile application for customers or clients and have no plans to offer one in the next 12 months.

"I'm not surprised by these findings," says privacy and security expert Brian Evans, principal security and privacy consultant at Tom Walsh Consulting. "I have found that healthcare organizations are struggling to develop coherent mobility strategies that integrate with their clinical and business processes."

Healthcare organizations are dealing with rapid changes in technology as well as changes in employee expectations on mobile device use, Evans points out. "The transformative nature of mobile technology fundamentally changes both how people work and the pace at which decisions are made," he says. "Yet, some healthcare organizations consider tablets as just smaller laptops, which isn't the case. However, I believe this view is now starting to change."

Evans attributes the delay by some healthcare organizations in establishing formal, well-thought-out mobile technology strategies to their treating the implementation of mobile device management solutions and BYOD as the whole strategy - and that's it.

"As a result, this misses the clinical and business needs, risk analysis, policy/procedure documentation and support requirements," he says.

"Adequately protecting mobile devices has certainly slowed down the adoption of mobile strategies. But it's just one of several considerations when developing a mobile strategy."

Security Steps

The 2014 Healthcare Information Security Today survey found that the most common components of mobile security strategies are: encrypting all portable media, prohibiting storage of patient data on mobile devices and requiring encryption on all patient data stored or transmitted via the devices.

The survey also found that when BYOD is allowed, security policies aren't always strict. For example, of organizations that allow employees to use personally owned mobile devices for work, fewer than half require encryption, strong passwords and other security measures.

Keeping Up With Mobility

So, are some healthcare organizations steering clear of formal mobile strategies because they are turning a blind eye to the reality that their workers are already using mobile devices, and that patients also want to use mobile health apps?

"I believe CIOs and CISOs recognize the reality that their workforce is using mobile devices. It's a matter of clinical and business units being ahead of IT departments with regard to mobility, which means that IT is playing catch-up," Evans says. "A consistent message I've heard is that 'we want to work with IT as long as they don't hinder us in getting things done.'"

The consultant warns that "if security makes mobility unattractive, then clinical and business units end up moving forward anyway and finding work-arounds."

And that's a dangerous tactic. A Wild West in which clinical and business units pursue their own mobile initiatives, with no formal enterprise mobile strategy and no well-communicated mobile security policies behind them, is a breach waiting to happen. We've already seen plenty of big health data breaches involving lost and stolen unencrypted mobile devices.

Many healthcare organizations need a new mindset when it comes to mobile technology strategies and mobile security.

"A change in thinking needs to occur where security becomes an enabler rather than a roadblock, which means a CIO's or CISO's first reaction to a mobility request cannot be 'no'," he says. "Getting security into the conversation early allows risks to be identified and solutions brought to bear. In the mobile environment, the end-user has to be part of the security equation."

For more analysis on all the results of our Healthcare Information Security Today survey, check out our free webinar. The session, led by my colleague Howard Anderson, offers an analysis of the survey results by a panel that includes Evans as well as Bob Chaput, CEO at Clearwater Compliance, and Michael Bruemmer, vice president of Experian Data Breach Resolution. An in-depth report on the survey results will be available soon on HealthcareInfoSecurity in the Resources section.

About the Author

Marianne Kolbasuk McGee


Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.
