Healthcare data breach news dominated headlines again in 2018. A November 2018 Data Breach report posted by the HIPAA Journal cites a massive increase in exposed protected health information (PHI). During the month of November, more than 3 million records were exposed, stolen or accessed without permission. The report states the number of records exposed in November alone is greater than those exposed in all 180 data breaches reported to the HHS’ Office for Civil Rights (OCR) during the first half of 2018.
As we’ve seen in months and years prior, no organization is immune to a data breach. Victims vary in size from large-scale health systems to smaller niche facilities. In November, a data breach occurred at Atrium Health, a company with an expansive delivery system. The breach reportedly affected more than 2.6 million patient records across more than 40 hospitals and 900 care locations. Meanwhile, Pennsylvania-based May Eye Care Center and Associates reported a breach of 30,000 patient records after falling victim to a ransomware attack.
Breach methods vary, complicating security. Unauthorized access to data, theft or loss of devices such as laptops and thumb drives, improper disposal of PHI, random hacking instances as well as more targeted phishing attacks were often the culprits of a breach. With so many attack methods at a hacker’s disposal, it is difficult for healthcare organizations to protect themselves. Mobile device usage creates another vulnerability that healthcare organizations must address.
Understanding the Risks
iPhones and Android devices are highly popular among medical professionals because of their ability to provide instant, anytime, anywhere access to information. A report by Kantar Media states that 84 percent of doctors use smartphones on the job. Given the highly mobile lives of surgeons, smartphones are quickly becoming a lifeline to many for case-related communication.
Regardless of whether surgeons are outside of a hospital environment or within different hospital settings (e.g., pre-op, recovery, intensive care), they need a way to stay connected when access to a traditional computer is not possible. For many, that connection is their smartphone. iPhones and Android devices are regularly used by surgeons to check schedules and to look up or share lab results, X-rays and MRIs. These devices are also used to get content critical for a surgical procedure and to share updates with other surgical case members, including anesthesiologists and device reps, either via text or email. In the course of accessing and sharing information, often little thought is given to the fact that this information frequently includes patient names and other PHI. As a result, mobile devices are creating significant security and compliance challenges for healthcare organizations.
There is an urgent need for hospitals and health systems to get ahead of mobile device security issues. Otherwise, a breach is predestined. Implementing mobile device security policies and conducting recurring security awareness education are good first steps. Data encryption provides added security and compliance, but the technology has limitations.
Encryption technology will make the data on a mobile phone unreadable if it is lost, stolen or hacked. However, when sharing information, encryption technology typically only works if both the sender and receiver use it. Surgery coordination technology enables hospitals and surgery centers to address this shortcoming. This technology offers a secure, HIPAA-compliant way for mobile healthcare professionals to upload, access and share real-time information with everyone involved in a case without jeopardizing data integrity.
The healthcare industry has a legal and ethical responsibility to protect patient data. Understanding the risks associated with accessing and sharing information from mobile devices is critical to protect patient data and avoid a breach.
Mark Mele is Vice President at Casetabs, the pioneer of cloud-based surgery coordination technology. He has 15 years of sales and marketing experience in medical devices, working for ConMed, Biomet, and NuVasive. Mark is experienced in building start-up territories and managing teams and product lines with over $100 million in annual revenue. He is a graduate of the University of Illinois at Urbana-Champaign.