Health systems used to be able to secure personal health information by locking up all the files at the end of the day. Those days are long gone.
The advent of mobile technology means that today's healthcare providers have to deal not only with staff and patients with mobile devices, but also with computer networks and wired and wireless equipment that could be hacked. And don't forget the supply chain: linen services, food prep and delivery, janitorial services, even the little mom-and-pop stores that accept online orders and deliver flowers and teddy bears.
One-third of all data breaches in healthcare occur through vendors, said Grant Elliott, founder and CEO of Ostendio, an Arlington, Va.-based compliance and risk management company. And that percentage is expected to rise.
"The way of delivering care is changing, and health systems are going to find it increasingly more difficult to ensure that their data is being protected," he said.
Elliott, who's also president and co-founder of the non-profit Health Care Cloud Coalition (HC3), is one of several featured speakers at "Security Strategies for Breach Prevention," a session at next month's mHealth Summit 2015. He'll be talking about best practices for securing against ransomware, spear-phishing and social media attacks, among other threats.
Privacy and security issues will be sharing much of the spotlight at this year's mHealth Summit, one of three summits presented under the Connected Health Conference banner (in fact, one of the two new events is the CyberSecurity Summit). Rarely does a week go by that the healthcare industry isn't rocked by a data breach, endangering the sensitive health information of patients and costing providers prestige and lots of money in fines and recovery efforts.
With that type of activity, it's no surprise that the privacy and security business landscape is booming, with hundreds of high-tech startups promising to put your data in the cloud and keep it there, away from the prying eyes of hackers and safe from the likes of employees who can't keep track of their smartphones, laptops and thumb drives. That's why it's important for health systems to work with their legal teams to thoroughly vet their vendors and make sure the proper business associate agreements are in place.
Elliott said many of the smaller, more nimble security firms have good products and methods, but it's important that a health system conduct due diligence to separate the good from the not-so-good. Health systems have to know what to look for, establishing expectations that their security vendors have to meet and ensuring that the vendors are transparent in their compliance.
In addition, Elliott said, health systems need to train their staff to recognize when they're being scammed, and to learn what online activities lead to breaches. "It's not just about the technology," he said, but also about creating a culture of responsibility.
"It's like installing the most sophisticated security system in the world for your house, but not teaching the family how to use it," he said.
"Security Strategies for Breach Prevention" takes place from 1-2 p.m. Monday, Nov. 9, in Maryland Ballroom B.
The 7th annual mHealth Summit, part of the HIMSS Connected Health Conference, takes place Nov. 8-11 at the Gaylord National Resort and Convention Center, just outside Washington, D.C.