Healthcare provider chief information officers charged with HIPAA health data security compliance might have a sinking feeling that they can't stop informal data sharing between employees using personal mobile devices; they can only hope to contain it through policies and technologies.
DataMotion, a security software vendor that caters to many market sectors, backs up that sinking feeling with raw numbers in its second annual survey of IT and business decision makers exploring email and file-transfer security protocols.
Of the more than 400 respondents, 37% came from healthcare. DataMotion Chief Technology Officer and co-founder Bob Janacek said that, compared to sectors such as financial services, healthcare lags behind in IT technology, staffing and budgets. But data security, largely driven by HIPAA compliance and business need, is matching or exceeding those other markets.
"Healthcare is definitely leading in a lot of ways, like in business associate agreements tying the entire ecosystem into contractual responsibilities for protecting data -- there's a long tail of compliance between the large hospital networks and the myriad of suppliers and service organizations," Janacek said. "Healthcare really blazed a path in that case, and we're seeing other industries follow, like insurance, making their agents protect customer information -- Social Security numbers and such for title insurance -- and that's all because of what was established in healthcare."
Yet the technology in health IT lags behind. Software interfaces he sees at shows like the Health Information Management Systems Society, Janacek noted, remind him of Windows XP, first released in 2000 and for which Microsoft will end support on April 8. That's in stark contrast to the cutting-edge applications he sees at financial technology trade shows.
"There, they're talking about saving nanoseconds in trades and incredible volumes, because time is money, response time is money, analytics is money, and money drives amazing levels of technology," Janacek said.
BYOD policies, encryption MIA
Stats at a glance:
Among the nearly 150 healthcare respondents to DataMotion's second annual survey of business and IT decision makers:
- 90.4% indicated their company has security and compliance policies for transferring files electronically; 84.8% indicated employees/co-workers have the capability to encrypt email.
- Yet 32.6% indicated they feel employees do not fully understand security and compliance policies for transferring files electronically.
- 87.7% of healthcare respondents said their company permits the use of mobile devices for email, but 40.3% reported their company has no BYOD policy, and 11.7% were unsure.
- More than 25% have either used or recommended others use free consumer-type, public-cloud file transfer services, and 30.5% indicated their company does not forbid the use of these services.
Among healthcare respondents, 40% indicated their facility has no bring your own device (BYOD) policy, a number that surprised the researchers. That won't stop clinicians from using their own devices to perform healthcare tasks, Janacek said, because taking care of the patient is their first priority; productivity is the second. HIPAA compliance comes later in the list, somewhere.
When it comes to email and file-transfer security protections, most facilities have policies and software in place. But the lack of employee adherence shows IT staffs have their work cut out for them in educating the rank and file. That's a problem, Janacek believes, because healthcare IT staffs are undermanned and under-budgeted compared to their peers in other business sectors. There aren't enough resources to train employees.
But there are also things IT can do without involving the employee, if only they had enough time and resources. When an organization gets fined for a HIPAA data breach because a laptop with unencrypted patient data is stolen, Janacek said, "that's a failure of IT. These laptops should have [Microsoft Windows 7 built-in hard drive encryption] BitLocker turned on to create that secure ecosystem so there isn't a chance" of a data breach happening.
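One way IT can verify the "BitLocker turned on" baseline without involving the employee is a per-laptop audit that flags any volume that is unprotected, still encrypting, not bound to the TPM, or missing an escrowable recovery password. The script below is an added example, not from the article or DataMotion; it assumes the BitLocker PowerShell module (Windows 8 / Server 2012 and later) and an elevated session, and on the Windows 7 machines the article mentions the equivalent check is `manage-bde -status`.

```powershell
# Added audit script (not from the article or DataMotion): reports the BitLocker
# state of every volume so IT can find unencrypted laptops before one goes missing.
# Assumes the BitLocker module (Windows 8 / Server 2012+) and an elevated session;
# on Windows 7 use 'manage-bde -status' instead.
function Get-BitLockerComplianceReport {
    [CmdletBinding()]
    param()

    # TPM state is reported for context; Get-Tpm may be unavailable on older hosts.
    $tpm = $null
    try { $tpm = Get-Tpm -ErrorAction Stop } catch { }

    foreach ($vol in Get-BitLockerVolume) {
        $protectorTypes = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
        $findings = New-Object System.Collections.Generic.List[string]

        if ($vol.ProtectionStatus -ne 'On') {
            $findings.Add('protection is off')
        }
        if ($vol.VolumeStatus -ne 'FullyEncrypted') {
            $findings.Add("volume status is $($vol.VolumeStatus) ($($vol.EncryptionPercentage)%)")
        }
        if ($protectorTypes -notcontains 'RecoveryPassword') {
            # Without an escrowed recovery password, a firmware change can lock out the user.
            $findings.Add('no recovery password protector')
        }
        if ($vol.VolumeType -eq 'OperatingSystem' -and
            -not ($protectorTypes | Where-Object { $_ -like 'Tpm*' })) {
            $findings.Add('OS volume not bound to the TPM')
        }

        [PSCustomObject]@{
            Computer         = $env:COMPUTERNAME
            MountPoint       = $vol.MountPoint
            VolumeType       = $vol.VolumeType
            ProtectionStatus = $vol.ProtectionStatus
            EncryptionMethod = $vol.EncryptionMethod
            KeyProtectors    = ($protectorTypes -join ',')
            TpmReady         = if ($tpm) { $tpm.TpmReady } else { 'Unknown' }
            Compliant        = ($findings.Count -eq 0)
            Findings         = ($findings -join '; ')
        }
    }
}

# Example run: list only the volumes that would fail the audit.
Get-BitLockerComplianceReport | Where-Object { -not $_.Compliant } | Format-Table -AutoSize
```

Run it from an endpoint-management tool or a logon script and collect the objects centrally so a stolen laptop can be shown to have been encrypted at the time it went missing.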
Broadcast the importance of data security
Health IT professionals and compliance leaders need to communicate to providers, either directly or through their compliance office, the HIPAA risks of using consumer file-transfer services such as Dropbox. They also need to stress the importance of HIPAA compliance in general.
Three in four respondents confessed to "routinely" or "occasionally" violating file-transfer policies. "That's not a rounding error," Janacek said.
Security software is evolving, Janacek continued, and future automation may provide some relief for resource-strapped healthcare provider IT departments. While current secure email and file-transfer apps can be inconvenient and require extra clicks -- especially in phone and tablet apps -- he envisions a time soon when data security and encryption will be far more intuitive and usable -- and will even evolve into a back-end process largely invisible to end users.
That would help resolve some of the employee non-compliance problems with health data security that providers are enduring now because of harder-to-use software tools.