In healthcare, and many other sectors, the ongoing shift to mobile devices is raising new privacy and security concerns, including how to make sure those using personally owned devices on the job are taking adequate precautions.
Our survey of healthcare organizations found that 59 percent allow clinicians to use personal mobile devices for work-related purposes. And that number is likely to grow as more new, enticing devices are introduced.
Some 70 percent of healthcare organizations have a mobile device security policy in place, the survey shows. Those with a policy say components may include (ranked from most common to least common):
- All portable media, such as USB drives, must be encrypted;
- Patient data stored on or transmitted from mobile devices must be encrypted;
- Storage of data on mobile devices is prohibited;
- All staff must take an education session on the policy.
"Before any decisions are made regarding a mobile device, you really need to assess how a device is going to be used and what threat it is going to pose to the organization," says Terrell Herzig, information security officer at UAB Health System, Birmingham, Ala., which owns a 1,000-bed hospital and numerous clinics. Organizations need to determine whether to restrict mobile devices used to access sensitive information to those that are corporate-owned or to also allow the use of personally owned devices "that meet certain technical controls and policy basics," Herzig adds. Staff training on mobile device security is essential, he stresses.
The Department of Veterans Affairs, which recently began allowing the use of iPhones and iPads, plans to accommodate the use of personally owned devices next year, in part, to help control costs. The security issues involved in allowing personally owned devices are legal, rather than technical, Roger Baker, the VA's chief information officer, contends. "We're establishing what it is we need to have the user sign, relative to their personally owned device, that will ensure, for example, that I have the right to wipe any VA information off of it at my discretion ... and ensure that I have the right to access the device to review it as needed."
Like a growing number of organizations in all business and government sectors, the VA anticipates "a phase out of desktop computers and a phase in of mobile devices," Baker says.
But as that transition occurs, it's essential that adequate security precautions, including widespread use of encryption, be taken, Baker, Herzig and many others acknowledge.