For many health-care organizations, the deadline to comply with the Health Insurance Portability and Accountability Act has come and gone. But for wireless security companies, there’s no end in sight.
Originally passed in 1996, HIPAA establishes rules for handling and securing medical records and other patient information in all forms. According to the act, larger health-care providers had until April 20 to deploy security measures for storing and transferring electronic protected health information (PHI) on computers and mobile devices.
While there’s been a flurry of activity from organizations scrambling to meet the requirements, many more are still working to comply, said Bob Heard, president and chief executive officer of Credant Technologies, a Dallas-based mobile security software developer.
“Even though the deadline has passed, many organizations are in the deployment phase,” said Heard. “At least one-third to half of our total (sales) pipeline is related to HIPAA.”
In fact, Credant saw its revenue jump 1,300 percent during the first quarter vs. the same period last year, Heard said, largely due to the impending mandate. “We have seen a significant increase in momentum and customers deploying just within the last three to four months or so,” he said.
Further, it seems the need for such technology among health-care providers may only increase in the short term despite the passed deadline. One survey last year found that 22 percent of health-care providers remained noncompliant with another HIPAA provision more than a year after its effective date.
The need to protect sensitive digital information was highlighted again last week when a Houston hospital said a stolen computer may contain medical records and other data from hundreds of its patients. While police said the thieves were likely interested only in the hardware, the hospital sent letters to 16,000 patients explaining the incident.
Perhaps the biggest problem such organizations face is managing the devices of their employees: the laptops, personal digital assistants and phones that are purchased by doctors, nurses and administrators for both personal and professional use. As more health-care professionals look to their handsets to do everything from writing prescriptions to researching diseases, the possibilities for a security breach increase exponentially.
“I think where the biggest vulnerabilities are is not the centralized management databases; it’s on the mobile edge, where all of a sudden there are all these devices” in the field connecting to back-end systems, said Michael Riemer of Trust Digital, a Virginia-based mobile security company. “They’re much more likely easily lost or stolen than a computer chained to a desk.”
Indeed, lost or stolen devices appear to be the greatest wireless security threat organizations face when it comes to protecting data. The more advanced many of these handsets become, though, the more potential vulnerabilities they may have. Technologies like Bluetooth can provide a chink in the armor of a wireless device, and damaging worms and viruses are targeting handsets at an increasing rate. Even the simple act of using a Web-enabled phone to access information can pose a risk.
“As these mobile devices are connecting wirelessly to the Internet, they are broadcasting their IP address,” explained Heard. “That Internet connectability gives (health-care professionals) the ability to have that anytime, anywhere connection, but you need some protection and controls.”
So government agencies and software developers have been working with hospitals and other organizations to stress to their employees the importance of working with their information technology departments to secure information on such devices. In fact, said Heard, many in the health-care industry have come to view HIPAA not as a regulatory burden but as a way of cutting costs as they minimize risks.
“One common theme I’ve seen is that organizations that embrace [HIPAA] have determined that it can drive efficiencies within their own organizations, which can reduce cost as well as gain a competitive advantage,” Heard said. “They’re looking at it not as a necessary evil but as a way to gain market share.” RCR