With increasing interest from the healthcare industry in cloud hosting and services, a recently published infographic from Arxan caught my eye. It highlights some of the differences between perception and reality around how secure mobile applications are in this sector.
The UK healthcare sector, and particularly the NHS, has changed and re-formed more in recent years than ever before. In the face of significantly reduced budgets and alongside huge demands to reduce costs and increase efficiency, radical cuts are being made and new technologies introduced - including mobile apps - in order to reshape the industry from top to bottom. Many healthcare organisations are now implementing new digital strategies and mobile apps as the organisations and their workforces become more flexible, agile, remote and mobile.
Like many industries, more and more employees in healthcare are using mobile applications to perform more effectively in their jobs, which means more and more sensitive data is constantly passing through these applications. This is driving a growing need to safeguard the confidential data on employees’ smartphones and tablets.
Organisations in the healthcare industry, however, face many challenges with regards to the safeguarding of data. Firstly, there’s the nature of the kind of information they have access to. This isn’t just financial data that could affect a company’s bottom line; it also includes individuals’ health records; sensitive information that could seriously harm people’s personal lives if it were to get into the wrong hands. In addition to this is the nature of how many healthcare organisations operate. We’re not talking about traditional office structures here. Doctors, nurses and other hospital staff are rarely tied to one workstation all day, more commonly moving around their workplace.
In data access regulation, we often talk about operating on a ‘need to know’ basis, with restrictions being based on the necessity of each individual to do their job. When we’re talking about healthcare, it’s of the utmost importance to get this right, as often ‘need to know’ literally means a question of life or death. Consider the doctor who needs to check his or her patients’ allergies before administering urgent medication. Having that information to hand at the right time and the right place is not just a matter of convenience; getting these restrictions right is crucial. On the one hand, it is imperative that patients’ sensitive data is safeguarded, but on the other it’s of equal importance that the right people have the access necessary to do their job, whenever and wherever they need it.
This is why the healthcare industry is among the most regulated with regards to data security. In the US, healthcare providers must adhere to the federal law of the Health Insurance Portability and Accountability Act (HIPAA).
In the UK, private providers that also operate in the US will need to adhere to HIPAA too, but in the public sector, the National Health Service has security policies for England, Wales and Scotland. While not law, these policies aim to safeguard patient data and ensure organisations within the NHS adhere to the Data Protection Act (DPA). This has recently taken on greater significance since the Information Commissioner’s Office (ICO), which enforces the DPA, was given greater authority by the UK government earlier this year to audit NHS organisations’ data security.
However, the challenge is much broader than simply securing devices on a network. Organisations also need to secure systems and infrastructure right from the server to the end user, no matter where that infrastructure might be - most of which is likely to be in the cloud.
With the growth of IoT, mobile devices and cloud being key IT trends, companies need to ensure that their end-to-end attack surfaces are all fully protected. This is clearly evident from the many infrastructure breaches we have seen recently in the press - from the well-known UK telecoms provider that suffered a well-publicised infrastructure breach at the end of October 2015, to lesser-known small and medium-sized businesses that have been completely levelled by a cyber-attack.
This is one of the reasons why we have invested in making sure that our Cloud Hosting for HIPAA compliance is built from the ground up with security features, reporting, adherence to a BAA (Business Associates Agreement), and professional services to ensure that healthcare companies can leverage all the benefits of cloud computing while meeting the requirements of HIPAA in a hassle-free way.
With more healthcare companies adopting cloud than ever before, the cloud infrastructure that employees are working from also needs to be just as secure to cope with a security breach and protect all of that data.
Making sure your cloud networks, infrastructure, applications and data are as secure as possible is a vital part of leveraging the mobile application trends that have the potential to deliver so many great benefits to the healthcare industry.
Monica Brink, EMEA Marketing Director, iland
Image Credit: Rob Hyron / Shutterstock