This paper examines two major healthcare security threats, the use of personal mobile devices (BYOD) in the workplace and the theft of medical records, in the context of HIPAA and HITECH requirements. Drawing on survey data and industry reports, the paper outlines the scale of recent data breaches, the challenges organizations face in recruiting skilled cybersecurity talent, and the budgetary pressures compounding these vulnerabilities. It concludes with actionable recommendations, including data encryption mandates, BYOD policy development, investment in staff training, and cyber insurance as components of a comprehensive data breach response strategy.
The increasing rate of highly publicized security breaches has sparked significant changes in the attitudes of consumers and business owners alike. Business leaders can no longer ignore the dramatic consequences that security breaches have on company reputation. Meanwhile, consumers now demand more remedies and clearer communication from organizations following a security breach incident. This subject therefore remains one of the greatest priorities confronting businesses in all sectors, including healthcare under HIPAA and HITECH frameworks.
Two principal security threats stand out in the healthcare context: the use of personal mobile devices (BYOD) and medical records theft. Data theft is particularly acute when employees use mobile devices, especially personal ones, to access company information, share data, or neglect to update mobile passwords. According to a recent survey, mobile security breaches have affected over 70% of international firms in the last twelve months alone (Gupta et al., 2012). As more companies adopt BYOD practices, they face increased exposure from those devices on the corporate network, including through VPN connections. This risk is compounded when an application installs malware that can access the device's network connection.
Healthcare security is currently a global concern. In 2015, medical records of over 40 million Americans were breached (Gupta et al., 2012). Nearly half of these breaches resulted from cyber attacks, and a single attack exposed over five million patient records. Given the increasing value of medical records on the black market, it is only a matter of time before more fraudsters begin systematically targeting healthcare organizations and hospitals. A survey by the Ponemon Institute highlights that the rise in medical identity theft has triggered an increase in unbudgeted costs for the healthcare sector, compounding existing budgetary pressures. Estimates indicate that roughly 70% of victims pay insurers, healthcare providers, lawyers, and identity theft services out of pocket, with average costs reaching $14,000 per case (Dawson & Omar, 2015).
Organizations need IT engineers and specialists with sophisticated skills to defend against advanced cyber attacks. However, finding such talent has become increasingly difficult. This problem is made worse by several contributing factors:
Stiff competition. In the business world, competition for top security experts is fierce. As companies and hospitals adopt electronic health records, they require more robust security to safeguard sensitive patient data.
Budget constraints. As demand for security talent rises and the supply of qualified professionals declines, compensation for security engineers has climbed sharply, leaving many organizations unable to afford the expertise they need.
Outdated technology. Companies across all industries remain highly vulnerable to attacks because they are slow to adopt new technologies and updated software, leaving known security gaps unaddressed for extended periods.
"Encryption, BYOD policy, education, and cloud solutions"
Data encryption. Companies should prioritize data encryption on all portable devices. Reports indicate that from 2010 to the present, the theft or loss of unencrypted portable devices has been responsible for all breach incidents affecting over 50% of all medical records placed at risk (Hea, 2010). Encryption does carry hurdles, including budgetary constraints, user training requirements, and technological complexity, but these costs cannot compare with the expense of a major breach involving a stolen device containing protected health information (PHI). Attorney fees, forensic investigation, reparations, civil penalties, and negative publicity can run into millions of dollars.
Investment in education and talent development. The breach problem is partly linked to how organizations approach hiring IT talent. Many organizations favor cost savings over education, causing young, promising professionals to be overlooked for positions that require advanced skills (Gupta et al., 2012). Building stronger partnerships between universities and employers could help better prepare the next generation of security professionals. Such relationships could promote training opportunities and internship programs to develop young talent and connect them with employers. Companies should also invest in professional development, ongoing training, and security seminars for current staff. Staying ahead of hackers requires organizations to remain current with the latest software and technology (HHS, n.d.).
BYOD policy development. Regarding BYOD, companies must ensure they have a clearly articulated BYOD policy (Hea, 2010). A formal BYOD policy enables employees to better understand device expectations, and allows organizations to more effectively monitor documents and emails being downloaded to company or personal employee devices. Effective monitoring gives organizations visibility into potential mobile data loss, enabling them to identify exposures when mobile devices are stolen or lost (Dawson & Omar, 2015).
With the growing presence of unsanctioned consumer devices and applications in the workplace, security professionals should look to private and hybrid cloud solutions to mitigate the threats posed by this trend. These options provide the flexibility and capacity of the public cloud to manage large volumes of data and devices, including the ability to maintain encryption keys on-site regardless of where the information is stored. This approach helps organizations manage devices and applications consistently across the enterprise (HHS, n.d.).
Organizations must remain vigilant and take preventative measures to protect their sensitive data. This paper has outlined several best practices that organizations can adopt, including data encryption, talent investment, and BYOD policy enforcement. Organizations must increase investments in security technologies and acknowledge the realistic likelihood of a breach by developing a formal data breach response plan. Cyber insurance policies have similarly grown in importance as a component of a comprehensive security preparedness strategy.
Dawson, M., & Omar, M. (2015). New Threats and Countermeasures in Digital Crime and Cyber Terrorism. http://public.eblib.com/choice/publicfullrecord.aspx?p=3433273
Gupta, M., Walp, J., & Sharman, R. (2012). Threats, Countermeasures, and Advances in Applied Information Security. Hershey, PA: Information Science Reference.
Hea, C. M. P. S. (2010). For the Record: Protecting Electronic Health Information. Washington: National Academies Press.
HHS.gov. (n.d.). HIPAA Privacy, Security, and Breach Notification Audit Program.