IT Security and Leaking Dam
I just saw this really good article on iMedicalApps, “How to Use DropBox in Medicine.” It explained in very easy terms what DropBox is and how it can replace your USB drive. Bascially, you can download PDFs, docs, emails, etc. into DropBox on your computer and it allows you to access them anywhere using your smart phone. You can also take something from your smart phone and save it to your DropBox using the smart phone app. DropBox items can also be shared with people, you create an individual link to any document in a particular Dropbox folder, then share the link with anyone. So if you read a really great article you can download the PDF to DropBox then share the link to your friend so they can read the article. It is kind of like having your office on the go.
While DropBox can be used for all sorts of things, the article on iMedicalApps describes how it can be used in Medicine. Of course the first thing I think of is security and patient data. To be fair iMedicalApps does not mention storing patient data on DropBox and I think they would be against that idea. As iMedicalApps mentions, the downfalls with DropBox and other cloud storage options are reliability and security. DropBox is probably perfectly secure for somebody wanting to store PDFs of articles and non-patient data. But you know that somewhere along the line somebody is going to start using the cloud to store something with patient data. So I have go to ask, is the IT department facing a losing battle when it comes to restricting access to only certain devices?
Many hospital IT departments have a strict policy on “approved” computer devices. In our institution the only approved smart phone device is an institutionally supported blackberry device. The iPhone, iPad, Androids, are all “consumer” devices” and doctors who use those devices cannot get those devices on the network. While I understand IT is rightly concerned about the security of data, but has technologies like DropBox made it so that IT should start re-thinking their stance. Should they be less concerned with device security and more concerned overall security? As ITs focus on specific devices (approved or not approved) are they kind of like the little kid with his finger in the leaking dam?
Overall patient data security has always been a concern. Before the cloud there is/was USB drives, before USB drives, there were burnable CD/DVDs, before burnable CD/DVDs there were floppy discs, before floppy discs there were (and still is) the photocopier.