Healthcare Orgs Must Do Better With Mobile Data Security Education

Posted on November 15, 2016 | Written by

Anne Zieger is a veteran healthcare consultant and analyst with 20 years of industry experience. Zieger formerly served as editor-in-chief of and her commentaries have appeared in dozens of international business publications, including Forbes, Business Week and Information Week. She has also contributed content to hundreds of healthcare and health IT organizations, including several Fortune 500 companies. Contact her at @ziegerhealth on Twitter or visit her site at Zieger Healthcare.

A new study finds that while most healthcare professionals use mobile messaging at work, many aren’t sure what their organization’s mobile messaging policies are, and a large number have transmitted Protected Health Information via insecure channels. In other words, it seems that health IT leaders still have a lot of work to do in locking down these channels.

According to a report by Scrypt, 65% of health professionals who use a mobile device at work also use the same device for personal use, the standard BYOD compromise that still gives healthcare CIOs the willies. Underscoring the security risks, 52% of respondents said that they had free rein over which applications they downloaded and used at work.

To be fair, virtually all respondents (96%) use at least one security method to protect their mobile device. However, their single-factor efforts — usually a passcode or PIN — may not be strong enough to protect such sensitive data.

The research also blows the whistle on the frequency with which health professionals share PHI using mobile messaging clients (not surprising, given that the vendor sells a secure mobile messaging solution). It notes that just a quarter of those who reported using mobile messaging use a secure client, and that one in five have sent or received PHI via mobile message, with names (24%), telephone numbers (19%) and email addresses (13%) included in the content.

Researchers found that 78% of healthcare professionals use mobile messaging at work. However, few understand how their organizations expect them to use these services. Fifty-two percent of respondents who use mobile messaging said they didn’t know or weren’t sure of what their organization’s policies were on the subject.

Showing some awareness of data security vulnerabilities, 56% of the survey respondents said they believe the organization could do more to educate employees on the rules around sharing PHI and HIPAA compliance. On the other hand, it seems like most consider this to be everybody else’s problem, as 80% of respondents reported that their own knowledge of HIPAA compliance was either good or very good.

Clearly, as self-serving as the vendor’s conclusion is, they’re onto something important. Not only are CIOs facing huge challenges in establishing a smart BYOD policy, they’re also confronted with a major educational problem when it comes to the sharing of PHI. While the professionals on their team may have been handed a mobile policy, they may not have absorbed it. And if they haven’t been given a policy, you have to be conservative and assume they’re not doing a great job of protecting data on their own.

If nothing else, healthcare organizations can remind their staff members to be careful when texting at work – heck, why not text them the reminder so it’s in context? Bottom line, even highly intelligent and educated team members can succumb to habit and transmit PHI. So a nudge never hurts!