Securing Mobile Healthcare Devices: Best Practices - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Healthcare // Security & Privacy
10:46 AM
Connect Directly

Securing Mobile Healthcare Devices: Best Practices

By combining technology, best practices, and education, IT departments can safeguard even the most mobile healthcare departments.

10 Medical Practice Management Systems For 2014
10 Medical Practice Management Systems For 2014
(Click image for larger view and slideshow.)

Insecurities lurk beneath the surface of the fast-growing world of mobile healthcare, putting data at risk. But organizations can protect patient data by implementing a mix of technologies and best practices.

The practice of using mobile devices in healthcare is growing. More than half -- 51% -- of physicians use tablets for professional purposes and 74% use smartphones at work. The mobile monitoring and diagnostic medical devices market will reach $8.03 billion by 2019, compared with a mere $0.65 billion in 2013, according to Transparency Market Research. This year alone 90 million wearable health devices will ship, reported ABI Research

Add in the growing number of patients who access their records electronically, the doctors' offices that schedule appointments via text or app, and the offices that wirelessly share data, and the message is clear: Mobile must be secure and HIPAA-compliant. That is not, however, always the case.

[Understand the impact: How Mobile Devices Reshape Patient Care.]

"The sheer number of people and devices with access to health information expands, making it much more complex for organizations to create mobile policies, manage data leakage controls, and conduct regulatory analysis," says Mike Raggo, security evangelist at MobileIron, in an interview. "Mobile devices are ubiquitous in healthcare organizations, supporting part-time physicians and nurses working shifts that share devices. The plethora of health information accessible on these devices makes protecting against data loss challenging."

There are, however, steps healthcare organizations can take to decrease the possibility of data loss, which typically occurs when a device itself is lost or stolen, when rogue apps siphon off data, or when an employee undertakes well-intentioned but risky actions, such as sharing files through public cloud services, he says.

(Image: PurplesLog/Flickr)
(Image: PurplesLog/Flickr)

Enterprise mobile management best practices include:

  • Managing all devices, as well as constantly maintaining security settings and configurations.
  • Enabling remote lock and wipe, so unauthorized users (such as ex-employees) are easily removed from the system.
  • Full device or app-by-app encryption that's monitored and enforced.
  • Enforcement of device-level passwords.
  • Monitoring the operating system's integrity to avoid usage of compromised versions.
  • Implementing an auto-wipe policy to minimize the risk of attacks via lost or stolen devices.
  • Secure email and attachments to prevent malware being spread from personal accounts.
  • Protecting application data by encrypting app data for operating systems such as Android or deleting app data if a device is non-compliant.
  • Prevent untrusted file-sharing apps from accessing secure documents.
  • Log devices and actions for audit.

"Recent attacks on data have certainly reinforced the need for a new generation of data security approaches. Healthcare CIOs who focus on risk mitigation through user enablement will become more prominent in the C-suite. Those that focus on risk mitigation through restriction will lose power," Raggo says. "The former understand that security is about behavior and they reward the right behavior. The latter inevitably encourage the wrong behavior and damage both their credibility in the C-suite and the security posture of the 'mobile first' organization."

In addition to best practices and technologies that address encryption, passwords, and other traditional security measures, mobile device management plays an important role in safeguarding compliance, Paul Martini, CEO and co-founder of iboss Security Network, tells InformationWeek. MDM sales are expected to reach $3.94 billion by 2019, versus $1.01 last year, Markets and Markets estimated. The expense, which has prevented some organizations from adopting the technology, is easing -- more developers are in the market -- and the cost of being non-compliant is too high for healthcare facilities.

"[MDM] solutions allow an organization to get a handle on mobile devices by providing tools for grouping devices, forcing device passwords, forcing storage encryption, and wiping devices if they become lost or stolen," says Martini. "In addition, healthcare organizations should implement a BYOD policy for devices not belonging to the organization. A combination of technology and training is required to maintain a HIPPA compliant environment."

Mobile security requires a multi-pronged approach, says Paul Trulove, vice president of products at SailPoint, in an interview.

"The combination of MDM and identity and access management (IAM) is much more powerful, as it can help align policy and establish consistent, centralized access controls across the organization. They can also tie mobile information back to the infrastructure in terms of identity data and making it part of the on-boarding and off-boarding process," he says. "For example, if they do not wipe a person's device once they leave an organization, the organization can potentially be liable and at risk for any data left on a person's device."

Technologies are not the only defense in IT's arsenal. An educated workforce helps reduce the possibility of breaches, Martini says.

"Healthcare professionals can do simple things such as have awareness of actions and their consequences. For example, through training, professionals can be made aware that it's not ok to email a patient record, as the transmission may not be encrypted and the destination may not be HIPPA compliant. They should avoid storing or viewing any patient documents on their personal devices. It doesn't require high tech in order to make a big difference."

Has meeting regulatory requirements gone from high priority to the only priority for healthcare IT? Read Health IT Priorities: No Breathing Room, an InformationWeek Healthcare digital issue.

Alison Diana is an experienced technology, business and broadband editor and reporter. She has covered topics from artificial intelligence and smart homes to satellites and fiber optic cable, diversity and bullying in the workplace to measuring ROI and customer experience. An ... View Full Bio

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
Oldest First  |  Newest First  |  Threaded View
User Rank: Strategist
6/3/2014 | 7:48:14 PM
+ the network
@Alison: My own experiences at doctor offices in the past year are definitely in line with what the research shows. I'm amazed at how private practices are embracing technology--and also frightened by it. I was waiting at one doctor's office and had my laptop with me, and discovered that the practice's wifi network was wide open. I was able to log on and work while sitting in the waiting room. And this was not a "guest" network. if i had malicious intent, I'm sure it would have been quite easy to gain access to their systems...

So in addition to all of the smart best practices you've listed here, I would strongly add: Secure your network!!

User Rank: Author
6/4/2014 | 5:25:07 PM
Re: + the network
Thank you for that terrific additional suggestion. I believe adding wifi was one of the things many practices took to heart when it came to improving their waiting rooms as part of their effort to enhance the whole 'patient experience.' (I guess they figured if they can't/won't cut the wait, they'll at least let you be productive while you sit around!) Prompted by your comment, I realize I've been in a couple of doctors' offices with similar, unsecured setups. My current doctor is covered by the local cable company, which had an all-out effort to provide free coverage throughout the region when a competitor moved in. 
User Rank: Author
6/4/2014 | 5:27:41 PM
Re: Biometrics is well suited to protect mobile devices
I did think about including biometrics but passed, in part because I plan a larger piece based on my conversations with a few IT execs at hospitals who had mixed results with biometrics. The reason? Those gloves that clinicians have to wear didn't mix well with fingerprint readers. Of course, healthcare employees don't always have gloves on, but they do wear them often and apparently (or at least this was the case with the folk I spoke to) it caused problems. Has this been an issue you've heard of? Or was this something isolated?
User Rank: Author
6/5/2014 | 10:44:16 AM
Re: Biometrics is well suited to protect mobile devices
Thanks very much for the information on next-generation biometrics and the usage by patients. This is terrific insight into technology designed to make mobile devices more secure -- definitely much-needed in healthcare (and other verticals, too)! Look forward to learning more. Will be in touch in a few weeks! Thx.
InformationWeek Is Getting an Upgrade!

Find out more about our plans to improve the look, functionality, and performance of the InformationWeek site in the coming months.

How CIO Roles Will Change: The Future of Work
Jessica Davis, Senior Editor, Enterprise Apps,  7/1/2021
A Strategy to Aid Underserved Communities and Fill Tech Jobs
Joao-Pierre S. Ruth, Senior Writer,  7/9/2021
10 Ways AI and ML Are Evolving
Lisa Morgan, Freelance Writer,  6/28/2021
White Papers
Register for InformationWeek Newsletters
Current Issue
Flash Poll