gekaskr - Fotolia
- Kristen Lee, News Writer
When it comes to mobile security, the odds seem stacked against healthcare organizations. Although the mood surrounding mobile among healthcare IT professionals ranges from cautious to downright terrified, they all acknowledge that the use of mobile devices will only increase despite the risks.
Healthcare organizations often lack the tools, resources and money needed to fully protect themselves against breaches, and hackers have strong incentives to steal patients' medical records.
For example, patient records can go for $20 to $50 each on the black market, and a complete patient record -- including the patient's driver's license, health insurance information and other sensitive data -- can be worth more than $500, according to a report by the Institute for Health Technology Transformation. If a healthcare organization has a security breach and hackers swipe 1,000 complete patient records, they could potentially fetch $500,000.
"It's basically a treasure trove of information that these people want to get access to," Cletis Earle, vice president and CIO at St. Luke's Cornwall Hospital in Newburgh, N.Y., said.
In comparison, credit card information can sell for just $1 and personally identifiable information can sell for $10 to $20.
"It's impossible to cover it all. You can cover a lot of it and the majority of it, but there's still things coming up … that we're not aware of, and a new threat is going to occur or a new vulnerability is going to occur to the organization," Earle said. In fact, he added, "you probably are already breached."
However, experts say, in general the risks have not deterred the medical community or healthcare IT teams from adopting mobile.
This is partly due to the fact that the risk of a cyberattack has been around long before mobility came into everyday prominence. For example, the Anthem breach -- in which hackers got into a database by running a computer program under a staffer's personal identifier -- did not stem from mobile devices, Earle points out.
"[Healthcare IT professionals are not] necessarily viewing mobile as anything different or harder or riskier than anything else," Kirk Nahra, an attorney at Wiley Rein LLP who specializes in privacy and information security who recently spoke about these issues at the HITRUST 2015 conference, said.
And the implications for mobile endeavors in the healthcare space-- such as telehealth, value-based care and increased patient engagement -- cannot be ignored.
"Our goal is to take care of patients that are going to be outside the four walls of the hospital. The hospital is going to be a different care continuum … Healthcare is definitely becoming more entrenched in the community and the only way of dealing with things in the community is using that mobile strategy," Earle said. "It is definitively going to be the norm."
Healthcare IT feels the pressure
With HIPAA regulations, meaningful use requirements and the knowledge that a breach is inevitable, healthcare IT teams are under a lot of pressure -- especially with five different agencies conducting audits and some healthcare organizations not passing those reviews, said Lysa Myers, a security researcher at ESET, an IT security company.
Although IT teams take mobile security into consideration, the fact that there are so many other areas within a healthcare organization vulnerable to attack means that mobile is not the sole focus. Instead, healthcare IT professionals tend to look at the bigger picture.
"Yes, we are absolutely terrified," Earle said. "You may already be attacked, you may be under attack, but how and what are you putting in place as a CIO or as an IT executive [so that you can] recover from that breach and from that attack? It's pivotal to put the plans in place to say how you're going to recover."
Marc Probstvice president and CIO, Intermountain Healthcare
"We're going to triple down on data security," Marc Probst, vice president and CIO at Intermountain Healthcare, said at HIMSS 2015."It's of paramount importance and none of the rest is really going to be useful if we can't secure and assure our patients that the data will be private."
Learn more about mobile security:
Implement mobile device encryption to protect data
Experts: The benefits and obstacles of mobile in healthcare
Secure expensive patient data on mobile devices
Dig Deeper on Mobile health systems and devices
HHS proposes changes to HIPAA privacy rule
Health system taps Sentinel Healthcare for contact tracing tech
Lessons learned from COVID-19 could help with next pandemic
Medical records privacy a concern with increased mobile use