
Report explains how to secure expensive patient data on mobile devices

Medical information is one of the most valuable types of data hackers can get their hands on, according to a report by the Institute for Health Technology Transformation (IHT2).

While credit card information can sell for $1 on the black market and personally identifiable information can sell for $10 to $20, patient records can go for $20 to $50 each, according to the report. And a complete patient record — including the patient’s driver’s license, health insurance information and other sensitive data — can be worth more than $500. If a healthcare organization has a security breach and 1,000 complete patient records are stolen, those records could fetch that hacker $500,000. It’s no wonder stolen protected health information (PHI) is on the rise.

An unsecured mobile device can be a dangerous access point to medical data for would-be thieves. One important step healthcare IT teams can take to ensure security with the use of mobile devices is to establish formal security policies that cover items such as smartphones and tablets.

The IHT2 report cited the following recommendations from Forrester Research:

  • Move controls closer to the data by using full-disk and file-level encryption on mobile devices, so that thieves who steal a device can't gain access to the PHI on it. Other helpful options are desktop virtualization and prohibitions on local storage of data.
  • Track where the data is stored, restrict access to the people whose job function requires it, and monitor those people.
  • Make staff aware of the consequences of inappropriate behavior when it comes to the use of mobile devices. Often, security incidents occur because a device is lost or stolen due to carelessness.

In addition to establishing formal policies within the organization, the IT team should also be aware of and utilize various security technologies available. Here is a rundown from the IHT2 report:

Encryption: Many healthcare organizations don't encrypt their data, the report said, for several reasons: encryption is difficult to implement, it can be expensive, and there is no HIPAA requirement that explicitly mandates it.

However, experts agree encryption is necessary. According to the report, encryption is not only a necessary precaution, but relatively affordable options are now available. When a mobile device is lost, an appropriate encryption management process is what keeps the data on it secure.

Endpoint management: With the bring-your-own-device trend permeating healthcare, endpoint management is essential. Experts emphasize the importance of installing mobile device management (MDM) software on personal smartphones and tablets. "No company should ever allow an employee to use their personal device unless it's under the control of an MDM program," Lance Mueller, director of forensics for Executive Forensics, said in the report.

Endpoint security: Endpoint security software monitors each device's location at all times. Some organizations delete the data on a missing device regardless of whether there is any indication that the device has been stolen, the report said. In some experts' opinions, if a mobile device is not in the control of its owner, then it is a risk and its data should be wiped.

Endpoint security solutions can also detect whether the files on the device have been opened or tampered with. This helps IT teams detect whether a security breach has occurred.

Advanced endpoint security solutions include persistent technology embedded in the firmware of the device at the factory, the report said. This means that if a user tries to get rid of the endpoint security software, a remote server will automatically re-install it on the device.

Healthcare IT teams should make sure any endpoint security solution is flexible enough to support the unique requirements of the organization.
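As an added illustration, not code from the IHT2 report or the article, the Python script below applies the recommendations summarized above (MDM enrollment, device encryption, and wiping a device that is out of its owner's control) as a posture check over a constructed device inventory, and prices the exposure of an unencrypted lost device using the per-record values quoted at the top of the article. The device fields, the record counts and the 24-hour check-in window are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Per-record street values quoted in the IHT2 report (USD).
PARTIAL_RECORD_VALUE = (20, 50)   # low/high for an ordinary patient record
COMPLETE_RECORD_VALUE = 500       # record incl. driver's license, insurance, etc.
NOW = datetime(2014, 6, 1, tzinfo=timezone.utc)   # constructed clock for the sample

@dataclass
class Device:
    device_id: str
    mdm_enrolled: bool          # under MDM control (the bar Mueller sets)
    disk_encrypted: bool        # full-disk / file-level encryption enabled
    last_checkin: datetime      # last MDM heartbeat (timezone-aware)
    phi_records: int            # ordinary patient records cached locally
    complete_records: int       # complete patient records cached locally
    reported_lost: bool = False

def is_unaccounted(dev, now=NOW, max_silence=timedelta(hours=24)):
    """Reported lost, or silent longer than policy allows (24h is an assumed value)."""
    return dev.reported_lost or (now - dev.last_checkin) > max_silence

def exposure_usd(dev):
    """(low, high) resale value of PHI readable off the device; encrypted storage is 0."""
    if dev.disk_encrypted:
        return (0, 0)
    complete = dev.complete_records * COMPLETE_RECORD_VALUE
    return (dev.phi_records * PARTIAL_RECORD_VALUE[0] + complete,
            dev.phi_records * PARTIAL_RECORD_VALUE[1] + complete)

def decide_action(dev, now=NOW):
    """Map device posture to the response the report's advice implies."""
    if is_unaccounted(dev, now):
        # Out of the owner's control: wipe if MDM can reach it, else treat cached PHI as breached.
        return "wipe" if dev.mdm_enrolled else "escalate-breach"
    if not (dev.mdm_enrolled and dev.disk_encrypted):
        return "remediate"   # keep off PHI until encrypted and enrolled
    return "ok"

def assess_fleet(devices, now=NOW):
    return {d.device_id: (decide_action(d, now), exposure_usd(d)) for d in devices}

def sample_fleet(now=NOW):
    """Constructed inventory for demonstration, not real devices."""
    h = timedelta(hours=1)
    return [
        Device("tablet-1", True, True, now - h, 300, 5, reported_lost=True),
        Device("phone-2", False, False, now - 72 * h, 1000, 10),
        Device("phone-3", True, False, now - h, 40, 0),
        Device("tablet-4", True, True, now - 2 * h, 0, 0),
    ]
```

Note that the unenrolled, unencrypted phone that has gone silent is the case the report warns about: nothing can be pushed to it, so its cached records have to be treated as breached and priced accordingly.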