By combining technology, best practices, and education, IT departments can safeguard even the most mobile healthcare departments.
(Click image for larger view and slideshow.)
Insecurities lurk beneath the surface of the fast-growing world of mobile healthcare, putting data at risk. But organizations can protect patient data by implementing a mix of technologies and best practices.
The practice of using mobile devices in healthcare is growing. More than half — 51% — of physicians use tablets for professional purposes and 74% use smartphones at work. The mobile monitoring and diagnostic medical devices market will reach $8.03 billion by 2019, compared with a mere $0.65 billion in 2013, according to Transparency Market Research. This year alone 90 million wearable health devices will ship, reported ABI Research.
Add in the growing number of patients who access their records electronically, the doctors’ offices that schedule appointments via text or app, and the offices that wirelessly share data, and the message is clear: Mobile must be secure and HIPAA-compliant. That is not, however, always the case.
“The sheer number of people and devices with access to health information expands, making it much more complex for organizations to create mobile policies, manage data leakage controls, and conduct regulatory analysis,” says Mike Raggo, security evangelist at MobileIron, in an interview. “Mobile devices are ubiquitous in healthcare organizations, supporting part-time physicians and nurses working shifts that share devices. The plethora of health information accessible on these devices makes protecting against data loss challenging.”
There are, however, steps healthcare organizations can take to decrease the possibility of data loss, which typically occurs when a device itself is lost or stolen, when rogue apps siphon off data, or when an employee undertakes well-intentioned but risky actions, such as sharing files through public cloud services, he says.
Enterprise mobile management best practices include:
- Managing all devices, as well as constantly maintaining security settings and configurations.
- Enabling remote lock and wipe, so unauthorized users (such as ex-employees) are easily removed from the system.
- Full device or app-by-app encryption that’s monitored and enforced.
- Enforcement of device-level passwords.
- Monitoring the operating system’s integrity to avoid usage of compromised versions.
- Implementing an auto-wipe policy to minimize the risk of attacks via lost or stolen devices.
- Secure email and attachments to prevent malware being spread from personal accounts.
- Protecting application data by encrypting app data for operating systems such as Android or deleting app data if a device is non-compliant.
- Prevent untrusted file-sharing apps from accessing secure documents.
- Log devices and actions for audit.
“Recent attacks on data have certainly reinforced the need for a new generation of data security approaches. Healthcare CIOs who focus on risk mitigation through user enablement will become more prominent in the C-suite. Those that focus on risk mitigation through restriction will lose power,” Raggo says. “The former understand that security is about behavior and they reward the right behavior. The latter inevitably encourage the wrong behavior and damage both their credibility in the C-suite and the security posture of the ‘mobile first’ organization.”
In addition to best practices and technologies that address encryption, passwords, and other traditional security measures, mobile device management plays an important role in safeguarding compliance, Paul Martini, CEO and co-founder of iboss Security Network, tells InformationWeek. MDM sales are expected to reach $3.94 billion by 2019, versus $1.01 last year, Markets and Markets estimated. The expense, which has prevented some organizations from adopting the technology, is easing — more developers are in the market — and the cost of being non-compliant is too high for healthcare facilities.
“[MDM] solutions allow an organization to get a handle on mobile devices by providing tools for grouping devices, forcing device passwords, forcing storage encryption, and wiping devices if they become lost or stolen,” says Martini. “In addition, healthcare organizations should implement a BYOD policy for devices not belonging to the organization. A combination of technology and training is required to maintain a HIPPA compliant environment.”
Mobile security requires a multi-pronged approach, says Paul Trulove, vice president of products at SailPoint, in an interview.
“The combination of MDM and identity and access management (IAM) is much more powerful, as it can help align policy and establish consistent, centralized access controls across the organization. They can also tie mobile information back to the infrastructure in terms of identity data and making it part of the on-boarding and off-boarding process,” he says. “For example, if they do not wipe a person’s device once they leave an organization, the organization can potentially be liable and at risk for any data left on a person’s device.”
Technologies are not the only defense in IT’s arsenal. An educated workforce helps reduce the possibility of breaches, Martini says.
“Healthcare professionals can do simple things such as have awareness of actions and their consequences. For example, through training, professionals can be made aware that it’s not ok to email a patient record, as the transmission may not be encrypted and the destination may not be HIPPA compliant. They should avoid storing or viewing any patient documents on their personal devices. It doesn’t require high tech in order to make a big difference.”
