Eighty-two percent of hospitals say they aren’t ready for a mobile cyber attack. Between streamlining workflows and having access to sensitive patient data, does the healthcare industry face the greatest mobile security risk?
Concerns around the healthcare industry’s growing adoption of mobile devices and related software:
The benefits and risks are balanced. Increased adoption of mobile devices and related software offers important benefits, such as reducing medical errors and increasing the efficiency of healthcare delivery. For example, electronic prescriptions reduce the opportunity for medication mistakes, while patient “self-service” appointment scheduling improves delivery efficiency: pre-visit checklist data is provided in advance, and calendar reminders reduce no-shows. Efficiency is also increased in the back office by automating benefits determination and processing reimbursements.
Set off against these benefits is the risk that comes with mobile devices and increased software adoption. The risk due to exposure of an individual patient’s personal data is low as it’s not obvious how use of that data can be translated to financial gain. There is risk in mass theft of logon IDs, passwords, social security numbers and the like which can be resold on the “dark web”, but that risk is no different than what every other industry faces and the solutions are probably the same. Of greater risk is the hacking of reimbursement and payment systems, or “ransomware” attacks. However, that is typically not a mobile device issue.
Awareness is one thing — preparedness is another:
While healthcare organizations are highly aware of their responsibilities under HIPAA, their awareness of the risk from mobile cyber attacks is average at best, lower than that of banks and e-commerce organizations. In general, most organizations are woefully unprepared and are not appropriately resourced to protect their information against the risk of hacking.
IT managers in healthcare can enhance their security posture to include mobile devices:
IT managers should consider emulating the technology decisions made by mobile banking applications. These protections include biometric or strong password authentication on the mobile device, local encryption of data, encryption during data transmission, encryption of sensitive data fields when “at rest”, continually updated perimeter protection, and administrative procedures to reduce the risk of data loss from internal sources (employees). There are also newer technologies that provide behavioral profiling, data leakage prevention, intelligent challenge questions, and strong enforcement of transaction protocols. All are likely to become part of the standard suite of protection tools.
Tips for deploying a mobile security strategy:
- Move everything you can to the cloud, contracting with a well-established hosting provider that commits to extremely robust software updates and security management (Microsoft Azure, Amazon Web Services, and Google Cloud). Likewise, with your mobile apps, engage a mainstream provider who has the resources to maintain the security of the application. Generally, an SMB will not be able to keep up with the volume of patches and updates, and it pays to leverage the resources and scale of large cloud and application providers. Even though they are inviting targets for hackers, they are still better protected than you will be working on your own, and hackers will likely move to less-protected targets.
- Encrypt data at rest on the mobile device. That way, even if someone “backdoors” the mobile device, the sensitive fields like SSN are not in clear text.
- Invest in user access control, defining privileges based on job roles. Make sure you have proper segregation of duties, and remove access when a person leaves or changes roles. The concern is that an insider can use his or her authorized access to compromise your data.
- On-device security should include biometric or strong password authentication that authenticates against your back-end. It’s not enough to ensure that the person unlocking the device is the owner of the device if you aren’t also ensuring that the person is still an employee of your healthcare organization and that the employee’s job role hasn’t changed.
- Provide constant training and reinforcement to NEVER click on a link unless you know exactly what it is and how it came to be in front of you. Some organizations conduct audits, sending (safe) spurious emails to a random set of employees and tracking how many click on the “infected” link they receive. The statistics about click-through rates are terrifying, but measuring them and taking corrective action keeps you from being blind to the risk.
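The access-control and on-device authentication tips above combine into a single back-end decision: a successful biometric or password unlock is only the first check, and the server must still confirm that the user is an active employee, that the device is enrolled to that user, that the job role has not changed since enrollment, and that the role actually permits the requested action. The following is an added illustration written for this article, not code from TayganPoint or any vendor; the employee directory, device enrollments and role table are constructed sample data standing in for an HR/identity system.

```python
from dataclasses import dataclass

# Constructed sample HR directory; in production this is queried live from the
# identity system so that terminations and role changes take effect immediately.
EMPLOYEES = {
    "nurse01": {"status": "active", "role": "nurse"},
    "clerk02": {"status": "active", "role": "billing"},
    "exdoc03": {"status": "terminated", "role": "physician"},
}

# Role-based privileges with segregation of duties: billing staff cannot read
# clinical notes, clinical staff cannot write claims.
ROLE_PERMISSIONS = {
    "nurse": {"read:clinical_notes", "write:vitals"},
    "billing": {"read:insurance", "write:claims"},
    "physician": {"read:clinical_notes", "write:prescriptions"},
}

# Constructed device enrollment records: the role captured when the device was
# bound to the user. clerk02 was a nurse at enrollment and has since moved to billing.
ENROLLED_DEVICES = {
    "dev-A1": {"user": "nurse01", "role_at_enrollment": "nurse"},
    "dev-B2": {"user": "clerk02", "role_at_enrollment": "nurse"},
    "dev-C3": {"user": "exdoc03", "role_at_enrollment": "physician"},
}


@dataclass
class DeviceAssertion:
    device_id: str
    user: str
    local_auth_ok: bool  # biometric / strong-password unlock succeeded on the device


def authorize(assertion: DeviceAssertion, action: str) -> tuple[bool, str]:
    """Return (allowed, reason); each deny reason is a distinct, loggable string."""
    if not assertion.local_auth_ok:
        return False, "device_unlock_failed"
    enrollment = ENROLLED_DEVICES.get(assertion.device_id)
    if enrollment is None or enrollment["user"] != assertion.user:
        return False, "device_not_enrolled_for_user"
    employee = EMPLOYEES.get(assertion.user)
    if employee is None or employee["status"] != "active":
        return False, "employee_not_active"  # access removed when a person leaves
    if employee["role"] != enrollment["role_at_enrollment"]:
        return False, "role_changed_reenroll_required"  # privileges re-evaluated
    if action not in ROLE_PERMISSIONS.get(employee["role"], set()):
        return False, "action_not_permitted_for_role"
    return True, "ok"
```

Logging the deny reason gives the audit trail needed to spot a departed employee's device still phoning home, or a device that was never re-enrolled after a role change.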
Chas Hartwig | Strategic Account Executive | TayganPoint Consulting Group | firstname.lastname@example.org