To avoid violating regulations, which could result in tens of thousands of dollars (or more) in fines and negative publicity, healthcare providers must ensure that their facilities are in compliance and be constantly on the lookout for security threats.
And “while the governance of information causes headaches for IT leaders across all industries, when it comes to healthcare, the myriad of confidentiality and privacy concerns for CIOs and health information management administrators creates added complexity,” says Ken Mortensen, data protection officer at InterSystems. One slip-up and “IT leaders risk exposing [sensitive] health information, or, even worse, contributing to an unfortunate patient outcome.”
Following are four of the biggest IT issues hospitals and healthcare facilities must deal with, and steps they can take to avoid violations and breaches.

HIPAA compliance
“HIPAA [the Health Insurance Portability and Accountability Act] states that healthcare providers must use ‘appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information,’” says Kate Borten, founder of The Marblehead Group. “This caveat has become a headache for healthcare IT managers, especially as more healthcare teams are using mobile devices to view sensitive patient data outside the walls of healthcare facilities. This can make it all too [easy] for hackers to view and capture sensitive or confidential patient information for unauthorized use.
“Fortunately, there are a number of ways healthcare teams can reduce the risk of hacking and improve the physical security and privacy of patient information,” she says.
Hospitals can install privacy screens or filters on all computers and mobile devices, or require that they be applied, to keep confidential information from prying eyes. They can also require that all data be encrypted.
“It’s imperative that more healthcare organizations adopt stricter data encryption policies based on PHI disclosures,” says Ken Adamson, vice president of product management at Proficio. “Encryption should be embedded directly into files [as well as used in email], with set user permissions to control who accesses information. If healthcare organizations don’t use encryption, they run the risk of having to pay hefty fines in the event of a data leak.”
It is also important that any “vendors they work with must be able and willing to enter into HIPAA Business Associate Agreements (BAAs),” says Ryan van Biljon, vice president, mid-market at Samanage.

Ransomware attacks
“More than 4,000 ransomware attacks occur daily, the majority of them in healthcare, thanks largely to the high value of medical data on the black market,” says Rod Piechowski, senior director of health information systems at HIMSS. “In addition to recovery costs and collateral damage to the brand, ransomware can also be a threat to an organization’s HIPAA compliance, because it compromises the security of confidential patient data.”
To address this problem, hospitals and healthcare facilities need to implement “a good, stress-tested security program that allows [them] to identify, protect, detect, respond to and recover from security incidents,” he says.
The program should also “educate, train, and test system users on phishing, a common mode of delivery for ransomware… [and] regularly update and patch all systems, including web plug-ins.”

Insecure medical devices
“An increasing risk to healthcare networks is the ever-expanding number of internet-connected devices, such as medical devices [e.g., MRI machines], most of which are not secure or engineered to be secure,” says Mac McMillan, president & CSO at CynergisTek. “This is fast becoming the biggest shadow IT nightmare for IT managers and compliance officers. [And] managing this challenge requires asset management, strict controls on the network, network segmentation considerations, inventories and tracking of devices, [as well as] monitoring manufacturer sites for patches and upgrades.”
Moreover, “healthcare organizations must ensure that their system acquisition process includes a thorough security review before purchases are made, and that the selected systems are updated as needed to remain secure,” says Trent R. Hein, cofounder & co-CEO of AppliedTrust.

BYOD
“Healthcare is trending toward BYOD because it combines impressive computing power and modern user interfaces with portability and unobtrusiveness, giving physicians the flexibility to use the device they’re most comfortable with,” explains James Plouffe, lead solutions architect of the ServiceConnect Ecosystem, at MobileIron.
“However, as technology becomes more mobile, data has become more portable and can get outside of a healthcare organization in unexpected ways,” he notes.
“In order for these devices to be HIPAA compliant, they must have a number of security features in place that preserve PHI,” says Marianna Prodan, senior product manager of healthcare at Accellion.
“Secure access to content systems, a mobile container that segregates patient information from other information, two-factor authentication, offline PIN, the ability to wipe content from the phone remotely and app whitelisting are just some of the key mobile security features healthcare CIOs should look for when deploying mobile devices in their organizations.”
In addition, healthcare providers should use “tools like the Apple Device Enrollment Program (DEP) or Android Enterprise Device Owner Mode (DOM), [which] give [hospital] IT personnel ways to enable additional security capabilities and ensure that policies follow the data wherever it goes, rather than solely focusing on data within the walls of the health system,” says Plouffe.