As mobile devices become a growing presence in the healthcare industry, it is important to identify simple steps and best practices to ensure cybersecurity.
These steps in protecting mobile devices in the healthcare field can even be adopted from other walks of life.
In a throwback to years past, a U.S. Forest Service document from 1946 outlines what one should do when lost in the forest.
The document advises unfortunate lost individuals to take five simple steps to maximize their chances of survival:
- Stop, sit down and try to figure out where you are. Use your head, not your legs.
- If caught by night, fog, or a storm, stop at once and make camp in a sheltered spot. Build a fire in a safe place. Gather plenty of dry wood.
- Don't wander about. Travel only downhill.
- If injured, choose a clear spot on a promontory and make a signal smoke.
- Don't yell, don't run, don't worry, and above all, don't quit.
Many of these steps apply to mobile device security in healthcare today. A few key themes that emerge both from the USFS guidelines and modern mobile device imperatives are: (1) Know where you are; (2) Sensibly and rationally assess your situation; (3) Gather as much information and shelter as possible; (4) Refrain from creating additional risk. Becoming lost in the woods and suffering a mobile device breach are both largely preventable, and there are several basic measures that will ensure the greatest chance of reducing harm.
Although hacking incidents have taken the stage as major culprits in healthcare breaches, lost and stolen devices are still responsible for the lion's share of security incidents. According to a 2014 study by Bitglass, a market research firm, 68 percent of healthcare data breaches since 2010 were due to lost or stolen devices or files, with 23 percent due to hacking. This trend continues partly because medical devices, including tablets, smartphones, and removable devices, have become prominent areas of vulnerability with the growth of bring-your-own-device (BYOD) programs and of the Internet of Things. And in a recent study from the Ponemon Institute, negligent insiders were the greatest source of endpoint risk within many organizations. These factors make mobile devices one of the primary areas of security compromise within healthcare enterprises. These vulnerability gaps are also some of the most difficult to close, even once the threat has been identified.
And although negligent insiders are a primary point of risk, a June 2015 HIMSS cybersecurity survey of 297 IT leaders found that "64 percent of respondents noted an incident at their organizations by an external actor, such as an online scam artist, hacker, or through social engineering." The study also noted that 20 percent of these security incidents "ultimately resulted in the loss of patient, financial or operational data." External and internal threats are both concerns with which security leaders must contend, and they underscore the idea that security programs must address security from all angles.
Simply adding technology will not fully address the magnitude of the risk from mobile devices. Just as having the latest and greatest Swiss Army Knife will not help you in the wilderness if you are lost, implementing the latest encryption technologies will not prevent all cyber-attacks if you don't have strong security policies and employees with the knowledge and incentives to follow them. Phishing attacks and other compromises can only succeed if employees are duped by them. And most healthcare organizations do not have a solid mobile app use policy in place, nor have they trained employees to recognize cyber threats and respond appropriately.
Mobile devices and intelligent devices (the Internet of Things) are in continual operation in many healthcare organizations, complicating the ability to diagnose and resolve issues. This complexity is exacerbated by the fact that in many cases, manufacturers or software vendors are the only entities capable of resolving security deficits as they arise. The companies that develop mobile applications often don't provide sufficient security measures in their products, leaving healthcare providers to fend for themselves in the wilderness of cybersecurity threats.
In a recent study by the Ponemon Institute, 50 percent of mobile application development companies were found to allocate no budget for implementing security measures in the mobile applications they provide. As a result, once a compromise is detected on a device, remediation is often difficult because the cybersecurity analyst cannot access the device's internal software to determine the exact variant of malware used, which is necessary to develop a remediation plan.
The takeaway here is that, although technology can enable protections that support prevention, identification, and remediation of mobile threats, continued attention needs to be focused on basic measures to prevent threats from both within and outside organizations.
To return to the analogy of wilderness survival, these are fundamental steps that healthcare organizations should take to ensure optimal security:
- Know where you are: Complete a risk analysis that includes mobile devices, and know which devices have encryption enabled, and which don’t. Stay abreast of emerging threats.
- Sensibly and rationally assess your situation: Healthcare organizations need to measure the operational maturity of their security programs. They must balance the user expectations of anytime, anywhere access to patient records and a user-friendly mobile experience with the need to secure their users’ mobile moments.
- Gather as much information and shelter as possible: Have a remediation and incident response plan in place, and implement authorization and identity management to ensure that only authorized individuals have access to sensitive ePHI and financial data. Track and monitor data event logs if possible.
- Refrain from creating additional risk: Minimize risks with pre-emptive measures such as regular anti-virus or device scans when connecting new devices to the network, which may reduce the need for complex technology. Enable automatic encryption for devices that connect to sensitive data.
- Don't yell, don't run, don't worry and above all, don't quit: Though not specific to security, this seems like good advice for many challenging situations.
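The "know where you are" step above starts with an inventory that says which devices hold ePHI, which have encryption enabled, and which have gone quiet (a possible loss or theft, the leading breach cause cited earlier). The following Python is an added illustration, not code from the article or from Dell: it triages a small constructed inventory (the `Device` fields, the 14-day silence threshold and the severity tiers are assumptions, not a standard) and reports which devices need attention first.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass
class Device:
    """One inventory row, as an MDM or asset register might export it (assumed schema)."""
    device_id: str
    byod: bool          # personally owned (BYOD) rather than organization-issued
    encrypted: bool     # storage encryption confirmed enabled
    holds_ephi: bool    # device caches or stores electronic PHI
    last_checkin: date  # last time the device reported in to management

# Constructed sample inventory; none of these are real devices.
INVENTORY = [
    Device("TAB-001", byod=False, encrypted=True, holds_ephi=True, last_checkin=date(2015, 8, 31)),
    Device("PHN-002", byod=True, encrypted=False, holds_ephi=True, last_checkin=date(2015, 8, 30)),
    Device("PHN-003", byod=True, encrypted=True, holds_ephi=False, last_checkin=date(2015, 8, 1)),
    Device("USB-004", byod=False, encrypted=False, holds_ephi=True, last_checkin=date(2015, 7, 15)),
]
TODAY = date(2015, 9, 1)  # fixed so the run is reproducible

def assess(devices, today=TODAY, stale_after=timedelta(days=14)):
    """Return {device_id: (severity, reasons)} for every device needing attention.
    Silent beyond `stale_after` = possibly lost/stolen; unencrypted ePHI on it = critical."""
    findings = {}
    for d in devices:
        reasons = []
        silent_days = (today - d.last_checkin).days
        stale = silent_days > stale_after.days
        exposed = d.holds_ephi and not d.encrypted
        if exposed:
            reasons.append("unencrypted device holds ePHI")
        if d.byod and not d.encrypted:
            reasons.append("BYOD device without encryption")
        if stale:
            reasons.append(f"no check-in for {silent_days} days (possibly lost or stolen)")
        if reasons:
            severity = "critical" if exposed and stale else "high" if exposed else "medium"
            findings[d.device_id] = (severity, reasons)
    return findings

def encryption_coverage(devices):
    """Fraction of inventoried devices with encryption enabled."""
    return sum(d.encrypted for d in devices) / len(devices) if devices else 0.0

if __name__ == "__main__":
    for dev_id, (sev, why) in sorted(assess(INVENTORY).items()):
        print(f"{dev_id}: {sev}: {'; '.join(why)}")
    print(f"encryption coverage: {encryption_coverage(INVENTORY):.0%}")
```

On the sample data the unencrypted, long-silent USB-004 is rated critical, the unencrypted BYOD phone high, and the merely quiet PHN-003 medium; encryption coverage is 50 percent.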
The average hospital is now teeming with internet-connected systems, including medical devices connected to the electronic health record (EHR). This has created an interconnected community in which context-aware security measures are critical to patient safety and to the preservation of sensitive data, much of which is highly valued on the black market. By paying attention to core security measures such as encryption, identity management, risk analyses, employee empowerment, and incident response plans, organizations can begin to protect themselves in the wilderness of cybersecurity threats.
Keith Tyson is a security consultant with Dell Healthcare and Life Sciences.