Comment: Paging hospital CSOs: We have a code BYOD in data security

Phil Allen, EMEA director of identity and access management at Dell Software Group discusses the opportunities and challenges of BYOD security


As more and more people use smartphones and other technology while on the move, the pressure is on organisations, including health trusts, to enable staff to access work-related information from these devices. Here, PHIL ALLEN of Dell Software Group examines the challenges and opportunities of this growing trend.

In today’s world, many people have a smartphone and many also carry a tablet. The majority of these people use their devices to access information related to work, whether it’s an email, PDF or spreadsheet, which has made bring your own device (BYOD) security a concern for many industries and organisations – and the healthcare industry is certainly no exception.


In the world of healthcare, doctors and nurses don’t sit in front of a computer all day. They are constantly on the go, treating patients, reviewing charts and files, and conferring with other departments and colleagues. For this reason, healthcare organisations are feeling the full impact of the BYOD phenomenon, and healthcare chief security officers (CSOs) face some of the most pressing BYOD challenges.

In fact, according to a study published by Cisco Systems, 73% of public sector organisations in the UK allow employees to use personal devices at work, while more than half of respondents see the growth of BYOD as an opportunity for their organisations.

However, in the healthcare sector in particular, only 27% of employees are considered to be using their mobile device to access their organisation’s network, which presents a significant opportunity to adopt BYOD together with the security strategies that go with it. In an industry that is always on the move, BYOD makes perfect sense for physicians, who can access information while walking from one patient’s room to another or from one hospital or clinic site to another. Being able to quickly access information, record observations and take notes easily speeds up their ability to help patients.

While there are many secure applications that contain data, CSOs also need to factor in non-secure, unstructured data such as blood test results that can be saved and sent as PDF files. Despite 73% of public organisations in the UK allowing BYOD, only 56% have a specific policy around the use of personal devices. As patients, we begin to wonder what sort of information is accessed and stored from a physician’s device. If patient records are stored on the device and it is lost or stolen, would it be easy to access a patient’s personal information? We cannot expect doctors to put away their tablets at a time when speed of information is essential to providing quality patient care, but healthcare CSOs can no longer ignore the resulting requirement to secure data at the source.


One way to do that and still provide the benefits of mobility for healthcare workers is to provide access to patient information through a secure web portal, which requires a login and password to access the data. Should a device be lost or stolen, the risk of unapproved access is mitigated by the fact that no data is stored on the device itself. Another way to address this concern is to virtualise the environment so the data can be securely accessed, but not stored on the device.

Employing these strategies correctly means healthcare organisations must evaluate the risk factors for their data. To ensure this is done correctly, it’s important to look beyond the data itself at the context of the user’s risk level. For example, if a set of data is assigned a mid-level risk classification and the user requesting access is in a role assigned a high-level risk classification, that elevated risk should be factored into whether or not the user is granted access. In cases of elevated risk, CSOs can also require a second authentication factor, adding yet another level of security.
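The risk evaluation described above, as an added Python example that is not Dell’s product logic or the author’s code: the role names, resource names, classification tables and entitlement table are constructed for illustration, and the policy is that an elevated combined risk (data or role at the high level) triggers a step-up to a second factor before access is granted.

```python
from dataclasses import dataclass
from enum import IntEnum


class Risk(IntEnum):
    """Ordered risk levels so the higher of two classifications can be taken."""
    LOW = 1
    MID = 2
    HIGH = 3


# Constructed classification tables for this example (hypothetical names/levels).
DATA_RISK = {
    "appointment_schedule": Risk.LOW,
    "blood_test_pdf": Risk.MID,        # unstructured result exported as PDF
    "full_patient_record": Risk.HIGH,
}
ROLE_RISK = {"ward_nurse": Risk.LOW, "consultant": Risk.MID, "locum_doctor": Risk.HIGH}
# Entitlements: which resources each role may request at all (hypothetical).
ROLE_ENTITLEMENTS = {
    "ward_nurse": {"appointment_schedule", "blood_test_pdf"},
    "consultant": {"appointment_schedule", "blood_test_pdf", "full_patient_record"},
    "locum_doctor": {"appointment_schedule", "blood_test_pdf", "full_patient_record"},
}


@dataclass(frozen=True)
class Decision:
    outcome: str          # "allow", "step_up" or "deny"
    effective_risk: Risk  # the higher of data risk and role risk
    reason: str


def evaluate_access(role: str, resource: str, second_factor_verified: bool = False) -> Decision:
    """Combine data classification with the requester's role risk and entitlements."""
    if role not in ROLE_RISK or resource not in DATA_RISK:
        return Decision("deny", Risk.HIGH, "unknown role or resource is treated as high risk")
    if resource not in ROLE_ENTITLEMENTS.get(role, set()):
        return Decision("deny", DATA_RISK[resource], "role has no entitlement to this resource")
    # Look beyond the data: a high-risk role raises the effective risk of mid-level data.
    effective = max(DATA_RISK[resource], ROLE_RISK[role])
    if effective < Risk.HIGH:
        return Decision("allow", effective, "combined risk below the step-up threshold")
    if second_factor_verified:
        return Decision("allow", effective, "elevated risk satisfied by second factor")
    return Decision("step_up", effective, "elevated risk: second factor required before access")
```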

Imagine preparing for a vacation for which you need to see a doctor for immunisations. The doctor would take into account the data on your travel destination to see if there are reports of disease outbreaks that require immunisation. However, a good doctor would look beyond the data to get better context for assessing the potential risks you could face on your trip. For example, are you just planning to go to a tourist resort, or are you engaging in a riskier activity like a four-day jungle trek? And, if you have high blood pressure, are there any possible complications that could be expected?

In today’s healthcare industry, it’s important for CSOs not only to concern themselves with the risks surrounding their data access policies, but also to consider the context of a user’s role and accompanying entitlements. This will give them the full picture they need to appropriately evaluate their security policies related to data access and continue to allow healthcare workers to deliver the highest quality and most accurate patient care.
