[BreachExchange] Mobile security in hospitals: A piece of the improved outcomes puzzle

Audrey McNeil audrey at riskbasedsecurity.com
Tue Apr 11 19:47:32 EDT 2017


http://www.beckershospitalreview.com/healthcare-information-technology/mobile-security-in-hospitals-a-piece-of-the-improved-outcomes-puzzle.html

Current State of Security in Healthcare

As much as healthcare continues to evolve, what has always been and will
continue to be at the core of the industry is the effort to deliver the
best possible patient outcomes. The proliferation of computers offered
standardization and efficiency, but had the unfortunate side effect of
requiring caregivers to spend time behind keyboards instead of with
patients. Today it is no longer necessary to make that compromise, largely
due to the use of mobile devices. While trends like "computers on wheels"
attempted to reconcile the requirements of increasing digitization with the
fundamental need for caregivers to be near their patients, the carts were
clumsy, not especially maneuverable, and—under the best of
circumstances—irritated patients or—at worst—intimidated them. On the other
hand, mobile devices combine impressive computing power and modern user
interfaces with portability and unobtrusiveness.

The downside? If mobile devices are inadequately secured and managed, they
can create enormous exposure. According to our recent Mobile Risk and
Security Review (MSRR), 53 percent of healthcare organizations reported
missing devices in 2016, and 17 percent of healthcare organizations had
compromised devices accessing corporate data – a rate higher than in the
government or financial services industry. These stats are indicative of
risks that could result in data breaches, as well as violations of
regulations like HIPAA. Additionally, 82 percent of healthcare
organizations have 10 or more third party apps installed, creating even
more avenues for potential attackers.

Challenges hospitals are facing

As technology has evolved and become more mobile, the traditional network
perimeter has deteriorated: data has become more distributed and it
persists in more places. When information is more portable it can get
outside the organization in unexpected ways. Of course, this is true in any
industry, but because of the regulatory requirements and the elevated
sensitivity around health information, the stakes are higher.

Another huge challenge to maintaining security within a hospital is
different types of workers: while many people may be direct employees of
the hospital or health system, some may be considered independent
contractors. For example, nurses and administrative personnel may be
employed directly but doctors and anesthesiologists may be employed by
other corporate entities so the relationship is closer to "subcontractors."
This means that healthcare organizations must be mindful of how to grant
secure access to sensitive data on devices that don't belong to the
organization or its direct employees.

New tech brings new hope

Most mobile devices began as purely consumer technology and—despite their
fairly wide adoption in work settings—the tools to provide adequate
security controls took a while to mature. Once upon a time, Apple iOS
devices had to be physically tethered to Mac computers to enable advanced
security controls (through a process known as Supervision) and only a
handful of Android devices offered a true "enterprise persona." Because of
complexity or cost, many organizations would simply forgo the additional
capabilities. With tools like the Apple Device Enrollment Program (DEP)
or Android Enterprise Device Owner Mode (DOM), organizations can now
harness extra security capabilities in a way that is both easier for IT
departments and mostly transparent for end users. This ensures that
policies are being applied universally without bugging each doctor, nurse
and administrative professional to update his or her device – resulting in
even more time for patient interaction.

How to overcome challenges

One of the simplest and most crucial things hospitals (or any
mobile-device-using organization) can do is enforce OS patching – according
to the MSRR, in 2016 only nine percent of companies in the U.S. were doing
this, yet it is the easiest preventive care businesses can do. OS patching
pays big dividends, and the turn time on mobile OS updates is shorter than
ever before.
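The two controls the article leans on, flagging compromised or missing devices and enforcing a minimum patched OS version before a device may touch patient data, are easy to express as an inventory check. The following is an added example, not code from the article or from any MDM vendor; it assumes a hypothetical inventory export with one JSON object per device and the field names used below, and the minimum OS versions, app-count and "missing" thresholds are illustrative assumptions rather than values the article gives.

```python
"""Added example: minimal mobile-device compliance check over an MDM inventory.

Not from the article or any MDM product. The inventory format, field names and
thresholds below are assumptions made for illustration.
"""
import json

# Assumed minimum patched OS version per platform (illustrative, not from the article).
MIN_OS = {"ios": (10, 3), "android": (7, 1, 1)}

# Constructed sample inventory (one JSON object per line); not real device data.
SAMPLE_INVENTORY = """\
{"id": "dev-001", "platform": "ios", "os_version": "10.3.1", "compromised": false, "third_party_apps": 4, "last_seen_days": 2, "owner": "employee"}
{"id": "dev-002", "platform": "ios", "os_version": "9.3.5", "compromised": false, "third_party_apps": 12, "last_seen_days": 1, "owner": "contractor"}
{"id": "dev-003", "platform": "android", "os_version": "7.0", "compromised": true, "third_party_apps": 3, "last_seen_days": 0, "owner": "employee"}
{"id": "dev-004", "platform": "android", "os_version": "7.1.2", "compromised": false, "third_party_apps": 15, "last_seen_days": 45, "owner": "contractor"}
"""


def parse_version(text):
    """'10.3.1' -> (10, 3, 1). Stops at the first component with no digits,
    so a trailing build tag does not break the comparison."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def version_at_least(installed, minimum):
    """Tuple comparison with zero padding so that '7.1' == '7.1.0' and '7.1.2' > '7.1.1'."""
    width = max(len(installed), len(minimum))
    padded_installed = installed + (0,) * (width - len(installed))
    padded_minimum = minimum + (0,) * (width - len(minimum))
    return padded_installed >= padded_minimum


def evaluate(device, min_os=MIN_OS, max_third_party=10, missing_after_days=30):
    """Return the list of policy findings for one device record (empty means compliant)."""
    findings = []
    minimum = min_os.get(device["platform"])
    if minimum is None:
        findings.append("unknown-platform")
    elif not version_at_least(parse_version(device["os_version"]), minimum):
        findings.append("os-out-of-date")
    if device.get("compromised"):                      # jailbroken / rooted flag from the MDM
        findings.append("compromised")
    if device.get("third_party_apps", 0) >= max_third_party:
        findings.append("many-third-party-apps")
    if device.get("last_seen_days", 0) >= missing_after_days:  # has not checked in for a month
        findings.append("possibly-missing")
    return findings


def compliance_report(inventory_text):
    """Map device id -> findings for every non-blank line of the inventory export."""
    report = {}
    for line in inventory_text.splitlines():
        if line.strip():
            device = json.loads(line)
            report[device["id"]] = evaluate(device)
    return report


def blocked_devices(report, blocking=("os-out-of-date", "compromised", "possibly-missing")):
    """Devices that should lose access to PHI-bearing apps until remediated.
    A high third-party app count is reported but, on its own, does not block."""
    return sorted(dev for dev, findings in report.items()
                  if any(f in blocking for f in findings))


if __name__ == "__main__":
    report = compliance_report(SAMPLE_INVENTORY)
    for dev, findings in report.items():
        print(dev, "OK" if not findings else ", ".join(findings))
    print("block access for:", blocked_devices(report))
```

The useful design point is that the blocking decision is separated from the findings: the report feeds a conditional-access rule (devices with an out-of-date OS, a compromised flag, or no recent check-in are cut off from patient-data apps), while the app-count finding is only surfaced for review. Contractor-owned devices are evaluated with exactly the same rule as employee devices, which is the point the article makes about subcontracted clinicians.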

As always, businesses must be diligent while implementing policies as they
would with any software, but need to update what this process looks like
for the mobile world. A big part of this is ensuring the applications going
onto these devices are secure by scanning the application source code.
There are automated tools that can help with this process to ensure
businesses have implemented security measures and streamlined their vetting
process. These tools will eliminate the risk of having an enterprise app
that accesses patient healthcare data without the proper security measures
in place.

It is also critical to invest in educating your workforce about proper
security measures. Many health systems view security as an IT problem, but
the onus is on each line of business to ensure they're engaging in proper
security measures. A remote security management tool is great for managing
system updates and monitoring, but without organization-wide education, not
even the greatest CISO can stop employees from downloading an unnecessary
and compromising application, or clicking on a phishing email.

Looking ahead

While the initial HIPAA regulations didn't provide much in the way of
penalties, the HITECH Act passed in 2009 gave the original legislation some
new teeth with regard to security and privacy of patient data. Last year,
the California Data Breach Report outlined minimum standards of due care
with regard to the privacy protections for consumer data. Next year, the
General Data Protection Regulation (GDPR) will be implemented in the
European Union, which punishes any company after its second offense of
compromising customer records or jeopardizing customer privacy – with a
fine of 20 million euros or four percent of the organization's revenue,
whichever is higher. Though laws and regulations have been slow to keep
pace with technology, it appears that a regulatory makeover may be gaining
momentum and organizations must be prepared to address more stringent
requirements or risk increasingly severe penalties as privacy and security
receive more focus.