Lax mobile device security policies worry health IT managers

Inadequate security policies for mobile devices are a major concern of IT professionals, according to a CDW "straw poll" of IT managers in healthcare, financial services, higher education, and other kinds of businesses.

Among the healthcare respondents, 71 percent said their organizations had an effective security policy; 57 percent said those policies are uniformly deployed for employee- and employer-owned mobile devices; and 66 percent said they had defined security procedures for employee-owned smartphones. Sixty-eight percent of the healthcare organizations allow employee-owned devices to access their networks, but information security measures for employer-owned devices are often stricter, the survey showed.

In healthcare, the number of people accessing organizational networks increased 50 percent in the past two years. The survey found that the biggest drivers for this increase are growth in the number of office locations (61 percent), mobile device deployment (59 percent), and EHR implementation (47 percent).

The poll asked all of the IT managers what type of security breach worried them the most. Of the 654 respondents, 32 percent said "data loss." Other concerns included malicious attacks (18 percent), "evolved forms of current threats" (14percent), social engineering (13 percent), bots (9 percent), and mobile threats (8 percent). Half of the IT managers said that personally identifiable data was the most likely target of cyber attacks.

The most common methods of data protection were web security filters and various types of encryption, including encryption of storage, backup, email gateway, and full disks. Only 35 percent of respondents felt their organizations did a good job of protecting their data overall.

A key contributor to security issues is the increasing mobility of data. Respondents reported that the number of people accessing organizational networks has grown by 41 percent, on average, in the past two years. That is nine percentage points lower than the average in the healthcare category.

Fifty-nine percent of the IT managers said that both employer-owned and employee-owned mobile devices were able to tap into their networks. In 30 percent of their organizations, only employer-owned devices could access networks; in nine percent of them, only employee-owned devices could connect. In the majority of cases, company policies regarding employee-owned devices were lax or non-existent.

In a survey published last month that also compared health data security to that of other industries, the Ponemon Institute found that the average organizational cost of a data security breach dropped 24 percent in 2011. In healthcare, in contrast, the average cost grew 10 percent, and the number of incidents jumped 32 percent.

Additionally, in a report released last week by HIMSS and Kroll Advisory Solutions, the authors concluded that hospitals and healthcare organizations need to be more proactive in maintaining data security. The report's authors noted that an increase in regulation and "better articulated guidance" has created a "false sense of security" for many organizations.

To learn more:
- download the report