
Commentary

Marianne Kolbasuk McGee

Senior Writer, InformationWeek

How Secure Are Your Clinicians' Mobile Devices?

Doctors and nurses have been swept away by smartphones and tablets, but they create one gigantic headache for IT managers. Here's some practical advice on how to cope.

Clinicians are so in love with their mobile devices that these gadgets may soon become the preferred computing devices in healthcare, eventually replacing desktops, cart-bound workstations, and other traditional hardware. But that love affair comes at a price.

Mobile devices pose several scary security issues that your IT team needs to deal with sooner rather than later. Many devices are lost or stolen. In fact, according to the U.S. Department of Health and Human Services' HIPAA breach site, to date, of the 364 data breaches affecting 500 or more individuals, the vast majority have involved lost or stolen laptops, flash drives, or other mobile gear, as well as loss or improper disposal of paper documents.


So, what's the right strategy to keep mobile devices secure? Top of mind should be a solid overall security strategy, i.e., policies and a framework that covers all health IT within the environment, said Jared Rhoads, senior research specialist at IT consulting and systems integration firm CSC. "It should fall back to a security plan and policy for everything, including desktops, VPNs, as well as mobile."

Regarding mobile devices specifically, "the key issue is maintaining control over data once it leaves the premises," said Nalneesh Gaur, director of PricewaterhouseCoopers' health information privacy and security practice. "If you look at the HHS site about HIPAA violations, it's astounding to note that mobile devices are involved in many or most incidents," he said in an interview with InformationWeek Healthcare.


For starters, users have to be educated about your organization's mobile device do's and don'ts. "Provide well-defined policies for personal device connectivity and usage to mitigate potential data loss," suggests Karen Mihelic, director of IT security compliance at St. Joseph Health System, which operates several hospitals in California and Texas. To help prevent sensitive clinical information from becoming vulnerable, "Don't allow downloading of any clinical data onto devices, including email," said Bill Lazarus, VP of technology and architecture at St. Joseph Health System, in an interview with InformationWeek Healthcare.

SJHS uses security software from Good Technology, which allows IT security organizations to control which applications mobile users can access. Good's enterprise tools also provide SJHS with advanced end-to-end encryption, lockdown control capabilities and remote wipe for lost or stolen devices. This allows both business and personal apps to co-exist on a personal device within a “contained and secured” environment, Lazarus said.

Meanwhile, the application architecture at Partners Healthcare, an integrated health delivery network that includes Massachusetts General and Brigham & Women's, "leaves no clinical data on mobile devices at all," according to Steve Flammini, Partners chief technology officer.

In addition to Partners providing physicians with an EHR for their smartphones, mobile tablet users can get access to other apps through a Citrix cloud. When accessing Partners' EHR or other clinical applications, users are faced with a security framework that includes passwords and other authentication. Partners' home-grown EHR, like many of its other clinical applications, is built around InterSystems Corp.'s Cache object-based database and a service-oriented architecture. That architecture "is key to how this works," he said.

Encryption of data in healthcare is important overall, but especially on mobile devices because they're more likely to get lost or stolen, said Mike Garzone, practice director for CSC's US Commercial Health Delivery Sector. Data should also be encrypted as it's being transmitted from these devices, he said.

Don't Forget Strong Authentication

Strong authentication, as well as communication to patients and families about an organization's security policies, should also be part of a healthcare provider's security arsenal to protect mobile devices. SJHS generally requires all devices to have passwords enforced, so each device has at least one-factor authentication, for users' own personal security as well as company-related security.

However, that's not the case for patients, family and others who come in to SJHS facilities with mobile devices. They are allowed to use SJHS' guest network. For instance, pediatric patients can play online games or stay in touch with parents at work. "This is meaningful to patients," said Lazarus. "We do not require authentication for personal devices as our guest network is isolated from our internal network," he said.

The SJHS guest network provides external internet access from which a user could also access SJHS's web portal, he said. If internal data is required, such as by a physician using a personal device, the portal would then require authentication, he said. "We do require all personal device users accessing the guest network to accept our terms and conditions of use which includes a release of liability," he said.

Authentication can be ramped up, too. New biometrics capabilities, such as face recognition, fingerprint or retina scanning--frequently used in government settings--are still rare at most healthcare organizations, but they're starting to pop up in some places, said Garzone. As those technologies evolve and become more affordable, they're likely to be used more frequently in healthcare, too.

Passwords are another issue to consider. A recent survey by security products vendor Confident Technology found that more than half of mobile device users do not password-protect their smartphones and tablets, even though they connect to corporate networks. Healthcare providers should insist that personal mobile devices are password protected as a condition of using an organization's network.

The mix of mobile devices that can show up in a healthcare setting can also vary greatly depending upon the particular gadgets and trends favored by users at any particular time. At Partners Healthcare, a mobile version of Partners' home-grown EHR is available to physicians on iPads and iPhones. When Partners began contemplating a mobile version of its EHR several years ago, the BlackBerry was the device of choice. Today, there's less demand for the EHR on BlackBerry, but lots of interest among doctors in using their Android devices with Partners' EHR, which is a capability next on Partners' to-do list.

Once considered less secure than the iPhone, "The gap with Android is closing," said Flammini. "Third party device makers are tightening up Android security to make it enterprise ready," he said. "Apple still dominates in the physician community, but we have some vocal doctors about [wanting support for] Android," he said.

At some point down the road, SJHS may also let clinicians use Android devices to access patient data, which for mobile use would get segregated on Good for Enterprise. "The data goes through antiviral and malware and is cleaned up," said Mihelic in an interview with InformationWeek Healthcare.

More Than Just iPhones and iPads

Of course, smartphones and tablets aren't the only mobile devices being used in a healthcare environment. Laptops and wireless workstations on carts, and mobile CTs and MRIs that have IP addresses, are also part of the mix, and they all make security management more complex in healthcare than in many other industries.

Managing all these mobile devices in the healthcare environment also means knowing how many of these devices there are in your organization. That's not always as easy as it sounds.

Before Miami Children's Hospital put ForeScout's CounterACT appliance into place, Miami Children's IT organization thought the hospital had 3,000 devices in its network, "but when we plugged in the CounterACT appliance, we found 5,600 devices," said the hospital's CIO Alex Naveira. "Now we have eyes into what is out there, and we can develop rules to segregate the devices and their access privileges." CounterACT is a security control platform that automatically identifies what devices and users are on a network, controls access to the network, blocks threats, remediates security violations at endpoints, and measures compliance with an organization's security policies.

"For any kind of device, there are technology safeguards to protect patient data," Naveira said in an interview. That includes the use of "encrypted messaging solutions" for communication between clinicians, and between patients and clinicians. "It's a work in progress, I never say I'm done, we're always working to make it better," he said.

Because healthcare is a heavily regulated industry that's also increasingly under the microscope for compliance with the security and privacy rules of HIPAA, it's important that healthcare providers stay informed not only about the latest security technologies but also about the latest threats. And as Alex Naveira suggests, it's a never-ending battle.


