There are two trends in healthcare that should give hospital IT professionals pause: BYOD and the Internet of Things. The bring-your-own-device (BYOD) trend is certainly not new, but hospitals are still figuring out how to navigate the security concerns. While BYOD is a trend in the corporate world, too, there are two major differences for hospitals. First, the folks accessing corporate networks are, almost exclusively, employees and they use corporate-owned devices for most of that access. Second, when they do use their own devices, they are mostly reading email, not accessing sensitive data.
Hospitals, however, have hundreds of physicians who are not employees who access their networks, and they want to use their own devices to log into applications to read medical records (containing some of the most sensitive data on the planet), order tests and prescribe medications. The idea of non-employees accessing data and applications of that level of sensitivity on personally owned devices would scare the daylights out of most corporate CIOs. And hospital CIOs are equally worried about the broader security concerns inherent with BYOD. How does one monitor or control the apps on all the different devices and make sure they are not a “back door” into sensitive systems and data?
The Internet of Things (no matter what you think of the moniker), is related to BYOD in that it could, depending on how hospitals set up their systems, introduce a vast array of new access points to the network. The “things” involved that concern hospitals are patient monitoring and diagnostic devices that are Internet enabled. Again, a very scary thought when you consider the sensitivity of the data that is being transmitted. While these wireless medical devices currently exist, they now communicate by way of Bluetooth, transmitting data via a smartphone or computer that relays the data to the endpoint. Once these devices become Wi-Fi enabled, however, that buffer will disappear, creating yet another access point to the network.
Both of these trends offer special security and interoperability challenges for hospitals. Developers are still working on how to merge this data with the various electronic medical records (EMRs) in use, but that’s the easy part. Data security is the more difficult issue. Not only do you need to ensure that unauthorized people do not access the network via any of these devices, you need to ensure security in transmission of the data. Again, this is a scenario that would (or at least should) create a high level of concern for any CIO.
Doctors are already demanding access by way of mobile devices, and many CIOs are making tough decisions now on BYOD policies. Some are deciding to not allow any outside devices on their network. For most hospitals, however, this is not a realistic solution politically. At least they have a couple of years to prepare for the Internet of Things, as many of these devices will need FDA approval before they can be used in the hospital setting.
One critical issue that should be addressed now is data storage. When dealing with sensitive data, the first line of defense is to keep the data in the data center and never store it on any device outside of the data center. If hospitals are still storing patient clinical and financial data on local desktops, laptops or mobile devices, they need to upgrade immediately to virtualized desktops that stay in the data center, along with all sensitive data and applications. It’s not the only security you need, but it is the foundation of any mobile strategy. The ROI on this expense is easy to see if you consider the cost of a single data breach, when the fines alone can run into the millions – not to mention the reputational cost. Even without BYOD and the Internet of Things, virtual desktops are fast becoming the only acceptable model for accessing medical data.
CIOs will also need to balance the need for security with physicians’ need for easy access – a task made more difficult by the fact that, when it comes to patient care, physicians are not patient people! As a physician myself, I know the urgency doctors feel when they see a better way to care for a patient. They want that change to happen now, not next year, and that urgency must be taken into account when making decisions that affect network access. On the other hand, CIOs must be careful not to be rushed into solutions that provide easy access but don’t ensure the high level of security the data demands. It is the ubiquitous duality of all healthcare IT – security and access are both paramount, and each causes challenges for the other.