Healthcare // Security & Privacy
News
6/3/2014
10:46 AM
50%
50%

Securing Mobile Healthcare Devices: Best Practices

By combining technology, best practices, and education, IT departments can safeguard even the most mobile healthcare departments.

10 Medical Practice Management Systems For 2014
10 Medical Practice Management Systems For 2014
(Click image for larger view and slideshow.)

Insecurities lurk beneath the surface of the fast-growing world of mobile healthcare, putting data at risk. But organizations can protect patient data by implementing a mix of technologies and best practices.

The practice of using mobile devices in healthcare is growing. More than half -- 51% -- of physicians use tablets for professional purposes and 74% use smartphones at work. The mobile monitoring and diagnostic medical devices market will reach $8.03 billion by 2019, compared with a mere $0.65 billion in 2013, according to Transparency Market Research. This year alone 90 million wearable health devices will ship, reported ABI Research

Add in the growing number of patients who access their records electronically, the doctors' offices that schedule appointments via text or app, and the offices that wirelessly share data, and the message is clear: Mobile must be secure and HIPAA-compliant. That is not, however, always the case.

[Understand the impact: How Mobile Devices Reshape Patient Care.]

"The sheer number of people and devices with access to health information expands, making it much more complex for organizations to create mobile policies, manage data leakage controls, and conduct regulatory analysis," says Mike Raggo, security evangelist at MobileIron, in an interview. "Mobile devices are ubiquitous in healthcare organizations, supporting part-time physicians and nurses working shifts that share devices. The plethora of health information accessible on these devices makes protecting against data loss challenging."

There are, however, steps healthcare organizations can take to decrease the possibility of data loss, which typically occurs when a device itself is lost or stolen, when rogue apps siphon off data, or when an employee undertakes well-intentioned but risky actions, such as sharing files through public cloud services, he says.

(Image: PurplesLog/Flickr)
(Image: PurplesLog/Flickr)

Enterprise mobile management best practices include:

  • Managing all devices, as well as constantly maintaining security settings and configurations.
  • Enabling remote lock and wipe, so unauthorized users (such as ex-employees) are easily removed from the system.
  • Full device or app-by-app encryption that's monitored and enforced.
  • Enforcement of device-level passwords.
  • Monitoring the operating system's integrity to avoid usage of compromised versions.
  • Implementing an auto-wipe policy to minimize the risk of attacks via lost or stolen devices.
  • Secure email and attachments to prevent malware being spread from personal accounts.
  • Protecting application data by encrypting app data for operating systems such as Android or deleting app data if a device is non-compliant.
  • Prevent untrusted file-sharing apps from accessing secure documents.
  • Log devices and actions for audit.

"Recent attacks on data have certainly reinforced the need for a new generation of data security approaches. Healthcare CIOs who focus on risk mitigation through user enablement will become more prominent in the C-suite. Those that focus on risk mitigation through restriction will lose power," Raggo says. "The former understand that security is about behavior and they reward the right behavior. The latter inevitably encourage the wrong behavior and damage both their credibility in the C-suite and the security posture of the 'mobile first' organization."

In addition to best practices and technologies that address encryption, passwords, and other traditional security measures, mobile device management plays an important role in safeguarding compliance, Paul Martini, CEO and co-founder of iboss Security Network, tells InformationWeek. MDM sales are expected to reach $3.94 billion by 2019, versus $1.01 last year, Markets and Markets estimated. The expense, which has prevented some organizations from adopting the technology, is easing -- more developers are in the market -- and the cost of being non-compliant is too high for healthcare facilities.

"[MDM] solutions allow an organization to get a handle on mobile devices by providing tools for grouping devices, forcing device passwords, forcing storage encryption, and wiping devices if they become lost or stolen," says Martini. "In addition, healthcare organizations should implement a BYOD policy for devices not belonging to the organization. A combination of technology and training is required to maintain a HIPPA compliant environment."

Mobile security requires a multi-pronged approach, says Paul Trulove, vice president of products at SailPoint, in an interview.

"The combination of MDM and identity and access management (IAM) is much more powerful, as it can help align policy and establish consistent, centralized access controls across the organization. They can also tie mobile information back to the infrastructure in terms of identity data and making it part of the on-boarding and off-boarding process," he says. "For example, if they do not wipe a person's device once they leave an organization, the organization can potentially be liable and at risk for any data left on a person's device."

Technologies are not the only defense in IT's arsenal. An educated workforce helps reduce the possibility of breaches, Martini says.

"Healthcare professionals can do simple things such as have awareness of actions and their consequences. For example, through training, professionals can be made aware that it's not ok to email a patient record, as the transmission may not be encrypted and the destination may not be HIPPA compliant. They should avoid storing or viewing any patient documents on their personal devices. It doesn't require high tech in order to make a big difference."

Has meeting regulatory requirements gone from high priority to the only priority for healthcare IT? Read Health IT Priorities: No Breathing Room, an InformationWeek Healthcare digital issue.

Alison Diana has written about technology and business for more than 20 years. She was editor, contributors, at Internet Evolution; editor-in-chief of 21st Century IT; and managing editor, sections, at CRN. She has also written for eWeek, Baseline Magazine, Redmond Channel ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Alison_Diana
50%
50%
Alison_Diana,
User Rank: Author
6/5/2014 | 10:44:16 AM
Re: Biometrics is well suited to protect mobile devices
Thanks very much for the information on next-generation biometrics and the usage by patients. This is terrific insight into technology designed to make mobile devices more secure -- definitely much-needed in healthcare (and other verticals, too)! Look forward to learning more. Will be in touch in a few weeks! Thx.
RightPatient
50%
50%
RightPatient,
User Rank: Apprentice
6/5/2014 | 10:40:02 AM
Re: Biometrics is well suited to protect mobile devices
Thanks for the feedback Alison. We have heard of similar incidents where latex gloves make it diffiicult for medical staff to use biometrics however, there are next generation fingerprint readers (both USB external devices and those built in to smart devices) with high technology sophistication that are much more apt to recognize end users, even with latex gloves on. More hospitals seem to be also turning to the use of voice, iris, and facial biometrics for device protection too so it's important to include the fact that fingerprint biometrics are no longer as ubiquitous as they once were.

We also were referring to the use of biometrics to secure identification through a mobile device for patients too, especially in remote conditions when they are attempting to access PHI. More hospitals are looking into using biometric interfaces that allow patients to use their smart device as an authentication tool, either through the camera (facial biometrics, iris) or the microphone (voice). We would be more than happy to offer you someone here to speak with to learn more about this rising trend as part of your research for the piece you are working on. 

Please let me know - jtrader@m2sys.com - is my email address.
Alison_Diana
50%
50%
Alison_Diana,
User Rank: Author
6/4/2014 | 5:27:41 PM
Re: Biometrics is well suited to protect mobile devices
I did think about including biometrics but passed, in part because I plan a larger piece based on my conversations with a few IT execs at hospitals who had mixed results with biometrics. The reason? Those gloves that clinicians have to wear didn't mix well with fingerprint readers. Of course, healthcare employees don't always have gloves on, but they do wear them often and apparently (or at least this was the case with the folk I spoke to) it caused problems. Has this been an issue you've heard of? Or was this something isolated?
Alison_Diana
50%
50%
Alison_Diana,
User Rank: Author
6/4/2014 | 5:25:07 PM
Re: + the network
Thank you for that terrific additional suggestion. I believe adding wifi was one of the things many practices took to heart when it came to improving their waiting rooms as part of their effort to enhance the whole 'patient experience.' (I guess they figured if they can't/won't cut the wait, they'll at least let you be productive while you sit around!) Prompted by your comment, I realize I've been in a couple of doctors' offices with similar, unsecured setups. My current doctor is covered by the local cable company, which had an all-out effort to provide free coverage throughout the region when a competitor moved in. 
RightPatient
50%
50%
RightPatient,
User Rank: Apprentice
6/4/2014 | 3:12:43 PM
Biometrics is well suited to protect mobile devices
Enjoyed reading this article Alison. The proliferation of apps, BYOD policies and other portals that rely on mobile access certainly has raised the stakes for healthcare facilities to tighten security policies and your coverage is excellent. One point I would like to make though is surprise that the mention of using biometrics to secure mobile devices wasn't featured in the article but passwords were highlighted instead. Reporting on the healthcare security industry as you do, I know you are aware of the bad press that passwords have received recently, and a collective industry cry to develop and implement more secure means of safeguarding mobile devices. Biometrics is certainly a viable alternative both to secure BYOD devices that have biometric ID functionality as well as the use of modalities like voice biometrics to verify patient identities prior to granting access to their PHI or any other type of sensitive information. In fact, hospitals can develop an identity "ecosystem" using biometrics that covers each and every mobile patient touchpoint and share that information throughout their IDN or EMPI to establish air tight identification security and comply with HIPAA laws. Recommending the use of stronger passwords isn't the answer to secure mobile access, the industry needs to move more towards modern ID technology that is more secure and significantly reduces the chances for fraud or ID theft. Passwords just simply aren't the answer.
Susan_Nunziata
50%
50%
Susan_Nunziata,
User Rank: Strategist
6/3/2014 | 7:48:14 PM
+ the network
@Alison: My own experiences at doctor offices in the past year are definitely in line with what the research shows. I'm amazed at how private practices are embracing technology--and also frightened by it. I was waiting at one doctor's office and had my laptop with me, and discovered that the practice's wifi network was wide open. I was able to log on and work while sitting in the waiting room. And this was not a "guest" network. if i had malicious intent, I'm sure it would have been quite easy to gain access to their systems...

So in addition to all of the smart best practices you've listed here, I would strongly add: Secure your network!!

 
Healthcare Data Breaches Cost More Than You Think
Healthcare Data Breaches Cost More Than You Think
Healthcare providers just don't get it. They refuse to see the need to fully secure their protected health information from unauthorized users -- and from authorized users who abuse their access privileges. As a result, they don't allocate enough budgetary resources for securing medical data.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Tech Digest, Dec. 9, 2014
Apps will make or break the tablet as a work device, but don't shortchange critical factors related to hardware, security, peripherals, and integration.
Video
Slideshows
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
Join us for a roundup of the top stories on InformationWeek.com for the week of December 14, 2014. Be here for the show and for the incredible Friday Afternoon Conversation that runs beside the program.
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.