A recent Department of Homeland Security (DHS) report on improving the federal government’s approach to mobile device security could also have potential impact on healthcare’s mobile approach.
The report is based off of a study conducted in coordination with NIST and its National Cybersecurity Center of Excellence (NCCoE).
Mobile device threats exist across numerous platforms (e.g., smartphones and tablets) and require a different security approach “because mobile devices are exposed to a distinct set of threats, frequently operate outside of enterprise protections and have evolved independently of desktop architectures,” according to DHS.
“Systems managed by the Department of Defense (DoD), DHS, the Department of the Treasury, the Department of Veterans Affairs, Health and Human Services, the Office of Personnel Management, and others hold significant amounts of sensitive but unclassified information, whose compromise could adversely impact the organization’s operations, assets, or individuals,” the study’s executive summary explains.
“Additionally, databases controlled by these organizations hold tremendous amounts of personally identifiable information (PII) that could potentially be used to compromise citizen financial wellbeing, privacy, or identity.”
The study also noted that DHS has no legal authority to require mobile carriers to assess risks relating to mobile network infrastructure security because it affects the government’s mobile device usage.
Furthermore, DHS explained that while it “has the authority to evaluate voluntarily provided mobile carrier network information, DHS has no legal authority to compel mobile carrier network owners/operators to provide information to assess the security of these critical communications networks.”
Adopting a mobile device security framework based on existing standards and best practices was one of the DHS recommendations on how to improve the nation’s approach to mobile security.
Enhancing Federal Information Security Modernization Act (FISMA) metrics to focus on securing mobile devices, applications and network infrastructure was also suggested.
Mobility within the Continuous Diagnostics and Mitigation program should also address mobile device security, along with application security for those “with capabilities that are on par with other network devices (e.g., workstations and servers).”
The following recommendations were also put forth in the mobile security report:
- Continue the DHS S&T applied research program in Mobile Application Security to enable the secure use of mobile applications for government use.
- Establish a new program in mobile threat information sharing to address mobile malware and vulnerabilities, including ways to handle Common Vulnerabilities and Exposures generation.
- Coordinate the adoption and advancement of mobile security technologies into operational programs to ensure that future capabilities include protection and defense against mobile threats.
- Develop cooperative arrangements and capabilities with mobile network operators to detect, protect against, and respond to threats (e.g., SS7/Diameter vulnerabilities, rogue IMSI catchers) and, if necessary, extend the legal authorities of the DHS National Protection and Programs Directorate to achieve these objectives.
- Create a new defensive security research program to address vulnerabilities in mobile network infrastructure and increase security and resilience.
The government should also increase its participation in key mobile-related standards bodies and industry associations, while also developing its policies and procedures for mobile device use overseas.
The report’s authors also called for “the development of a new DHS applied research and development program to secure mobile network infrastructure and address current and emerging challenges impeding mobile technology.”
“To foster mobile threat information sharing, DHS should develop a new program in advanced defensive security tools and methods for addressing mobile malware and vulnerabilities that spans applied research through operations, including new ways to handle Common Vulnerabilities and Exposures (CVE) generation for mobile,” the report continued.
Earlier this year, the Government Accountability Office (GAO) pushed DHS to continue its efforts on improving federal cybersecurity measures. This included DHS utilizing the National Cybersecurity Protection System (NCPS).
“Computer networks and systems used by federal agencies are often riddled with security vulnerabilities—both known and unknown,” GAO explained in its report. “These systems are often interconnected with other internal and external systems and networks, including the Internet, thereby increasing the number of avenues of attack and expanding their attack surface.”
NCPS provides the capability to detect and prevent potentially malicious network traffic from entering agency networks, which is why DHS should continue to work on it, GAO noted.
“To enhance the functionality of NCPS, we made six recommendations to DHS, which if implemented, could help the agency to expand the capability of NCPS to detect cyber intrusions, notify customers of potential incidents, and track the quality, efficiency, and accuracy of supporting actions related to detecting and preventing intrusions, providing analytic services, and sharing cyber-related information.”