“Those doctors and their latest toys. Prima donnas all of them!”
At a conference last year, an IT professional from a large Mid-West healthcare provider uttered this phrase as we discussed how mobile devices had been introduced into healthcare workflows.
He explained that he had seen example after example where doctors used iPads and Dropbox to share x-ray images and other protected patient information with colleagues at other hospitals. Each instance of sharing is a clear HIPAA violation that, if exposed, would incur a $50,000 fine. And in this case the potential fine was so large that the IT professional didn’t dare report anything.
What we were discussing is not an isolated incident but is well chronicled. A recent study found that when doctors’ usage of smartphones increased by only nine percent, the number of data breaches rose 32 percent, more than triple the growth in usage. We ended our conversation with the IT professional lamenting about the irony of doctors who understood how critical it is to protect patient information, but were happy to violate HIPAA when their own convenience was at risk.
Once home from the conference, I brought up the same topic with some friends who are doctors, and was surprised how they turned the situation around.
“We’re not sharing x-rays for fun, we’re trying to save lives! And if the only way to get a good second opinion means I have to violate HIPAA, and use Dropbox, so be it.”
Of course they understood how important HIPAA compliance was. However, keeping information private wasn’t their prime directive. Their prime directive was caring about the patients’ health. In the end, their perspective was that they would follow the compliance rules when possible, but when a patient’s health was at stake they would throw the rules out the window if they couldn’t share information with another hospital that had different and incompatible IT infrastructure.
That really highlighted the core issue for me. IT felt that doctors were violating HIPAA because they considered themselves above the law; doctors, on the other hand, felt they had little choice but to violate HIPAA when they needed a second opinion and the hospital’s secure infrastructure made sharing information nearly impossible.
There are similar disconnects between IT professionals and business users in other industries around the world. An investment banker I know was breaking company policy by using a mobile editor on his iPad that his company had blacklisted. He said he wasn’t worried, however, because the week before he had sat behind the company CIO at a meeting, and the CIO had been using the exact same editor! This is a pretty extreme case of “do as I say, not as I do.” In our mobile-enabled world ease-of-use is often given priority over security, and IT organizations need to realize that if they want to outlaw certain bad apps or tools, they need to provide solutions for the business professionals to get their work done in an “approved” way.
Mobile devices have made companies more competitive and faster paced than ever before, which is forcing business users to get their job done faster and with fewer resources, even if that means disregarding regulations and facing $50,000 fines. At the same time, IT departments are more budget constrained and overworked than ever before. Yet, IT is held responsible for the security of enterprise data. It is no surprise that IT is constantly trying to restrict the autonomy that business users have over organizational information, by issuing restrictive rules but not offering secure alternative tools or solutions.
When IT departments don’t anticipate business users’ needs, employees revert to the easy-to-use solutions they’re familiar with from their personal lives. This means that workers are employing consumer-grade solutions to share, store and create enterprise content that could be subject to federal fines and regulations. Even enterprises with minimal regulatory oversight are unlikely to want contracts, product roadmaps or other intellectual property being copied into multiple public clouds. The disconnect between IT departments and business users has come about because of the altered workflows that mobile devices have enabled, combined with the tremendous speed of this change.
Mobile devices are transforming workflows so rapidly that it’s difficult for anyone to keep up, particularly IT departments that are encumbered by existing infrastructure. In the age of mobile, new solutions need to take into consideration both security controls and ease-of-use functionality. Fortunately, business-grade solutions to improve mobile productivity are coming to market to address common use cases such as those in the healthcare industry, and these new solutions will help close the gap between IT departments and business users. So when I meet my IT friend next time, I will tell him all about these new solutions. But first I have to tell him to be a little more forgiving to the doctors.