With more smartphones and tablets being used in the workplace, it is increasingly important for employees to understand the risks associated with third-party mobile applications. The healthcare industry must be especially careful: using a mobile application incorrectly, or using an insecure app, could expose sensitive patient information.
Patient records must remain confidential, or providers run the risk of violating the HIPAA Security Rule and facing the consequences that follow. Organizations must know which applications users are installing and how protected health information is being accessed and shared outside the corporate network. Even when the disclosure is inadvertent, an insecure mobile app can result in the exposure of that data.
That is why the National Institute of Standards and Technology (NIST) proposed a set of mobile app security guidelines designed to help organizations vet third-party mobile applications. NIST's computer security specialists recommended ways for organizations to obtain the benefits of mobile apps while managing their risks. The public comment period for the draft guidelines ran from August 18, 2014 through September 18, 2014.
HealthITSecurity.com gathered a few major takeaways from the draft that healthcare organizations should keep in mind to keep their information secure.
Create a vetting process
One of the major points in the NIST recommendations is for organizations to implement a vetting process for all mobile applications.
“New technologies may offer the promise of productivity gains and new capabilities, but if these new technologies present new risks, the organization’s IT professionals and users should be fully aware of these new risks and develop plans to mitigate them or be fully informed before accepting the consequences of them,” the proposal said. “Organizations should develop mobile app testing requirements to ensure that mobile apps comply with their organization’s policies.”
Moreover, organizations should not assume that an app has been properly vetted simply because it is available in an official app store. It is also worth noting that a mobile app vetting process is an opportunity to improve the organization's security capabilities rather than simply maintain the ones it already has. A healthcare organization should select tools and methodologies that can identify security, privacy, reliability, functionality, accessibility and performance issues, since a vetting process that only checks for one class of defect will miss the others.
It is also important for all users and stakeholders to be aware of the mobile app vetting process, and of what it does and does not guarantee about an app's behavior once it is approved.
Understand the risks
When evaluating mobile apps that could benefit the organization, it must understand the security and privacy risks those apps present and have a strategy in place to mitigate them.
“As with any software assurance process, there is no guarantee that even the most thorough vetting processes will uncover all potential vulnerabilities,” NIST explained. “Stakeholders should be made aware that although app security assessments should generally improve the security posture of an organization, the degree to which it does so may not be easily or immediately ascertained. Stakeholders should be made aware of what the vetting process does and does not provide in terms of security.”
Essentially, organizations need to understand what their mobile computing environment is and how employees are expected to work in it. For example, do the wireless devices carried by personnel connect to public providers, to the organization's own communication infrastructure, or to both at different times? Each connection path changes which network controls apply and which data an app can reach.
Additionally, it is important to identify the critical assets that reside on, or are reachable from, mobile devices, and to consider whether a compromised mobile device could be used as a springboard to attack those assets.
Training and review
All employees should undergo thorough security and privacy training. Regardless of position, each employee needs to know how to tell an approved, vetted app from a questionable one, and how to report the latter. A security breach could originate at any level of the organization, so employees need to understand the practical steps that keep their devices and the data on them secure.
Moreover, mobile app testing results should be reviewed in the context of the organization's mission objectives, security posture and risk tolerance. Mobile apps are part of a larger system, and as such they need to be evaluated for how they affect the organization as a whole, not just in isolation.