
Despite risks, healthcare IT professionals stick with mobile

Despite the recent breaches making headlines, experts say that healthcare IT professionals should stay full steam ahead with the adoption of mobile.

When it comes to mobile security, the odds seem stacked against healthcare organizations. Although the mood surrounding mobile among healthcare IT professionals ranges from cautious to downright terrified, they all acknowledge that the use of mobile devices will only increase despite the risks.

Healthcare organizations often lack the tools, resources and money needed to fully protect themselves against breaches, and hackers have strong incentives to steal patients' medical records.

For example, patient records can go for $20 to $50 each on the black market, and a complete patient record -- including the patient's driver's license, health insurance information and other sensitive data -- can be worth more than $500, according to a report by the Institute for Health Technology Transformation. If a healthcare organization has a security breach and hackers swipe 1,000 complete patient records, they could potentially fetch $500,000.

"It's basically a treasure trove of information that these people want to get access to," Cletis Earle, vice president and CIO at St. Luke's Cornwall Hospital in Newburgh, N.Y., said.

In comparison, credit card information can sell for just $1 and personally identifiable information can sell for $10 to $20.


"It's impossible to cover it all. You can cover a lot of it and the majority of it, but there's still things coming up … that we're not aware of, and a new threat is going to occur or a new vulnerability is going to occur to the organization," Earle said. In fact, he added, "you probably are already breached."

However, experts say, in general the risks have not deterred the medical community or healthcare IT teams from adopting mobile.

This is partly because the risk of a cyberattack existed long before mobility came into everyday prominence. For example, the Anthem breach -- in which hackers got into a database by running a computer program under a staffer's personal identifier -- did not stem from mobile devices, Earle points out.


"[Healthcare IT professionals are not] necessarily viewing mobile as anything different or harder or riskier than anything else," said Kirk Nahra, an attorney at Wiley Rein LLP who specializes in privacy and information security and who recently spoke about these issues at the HITRUST 2015 conference.

And the implications for mobile endeavors in the healthcare space -- such as telehealth, value-based care and increased patient engagement -- cannot be ignored.

"Our goal is to take care of patients that are going to be outside the four walls of the hospital. The hospital is going to be a different care continuum … Healthcare is definitely becoming more entrenched in the community and the only way of dealing with things in the community is using that mobile strategy," Earle said. "It is definitively going to be the norm."

Healthcare IT feels the pressure

With HIPAA regulations, meaningful use requirements and the knowledge that a breach is inevitable, healthcare IT teams are under a lot of pressure -- especially with five different agencies conducting audits and some healthcare organizations not passing those reviews, said Lysa Myers, a security researcher at ESET, an IT security company.


Although IT teams take mobile security into consideration, the fact that there are so many other areas within a healthcare organization vulnerable to attack means that mobile is not the sole focus. Instead, healthcare IT professionals tend to look at the bigger picture.

"Yes, we are absolutely terrified," Earle said. "You may already be attacked, you may be under attack, but how and what are you putting in place as a CIO or as an IT executive [so that you can] recover from that breach and from that attack? It's pivotal to put the plans in place to say how you're going to recover."


A number of healthcare CIOs told SearchHealthIT at HIMSS 2015 in Chicago that data security is a top priority.

"We're going to triple down on data security," Marc Probst, vice president and CIO at Intermountain Healthcare, said at HIMSS 2015. "It's of paramount importance and none of the rest is really going to be useful if we can't secure and assure our patients that the data will be private."

Let us know what you think about the story; email Kristen Lee, news writer, or find her on Twitter @Kristen_Lee_34.
