Fewer enterprise technologies are growing more rapidly than mobile health (mHealth) software and devices. Healthcare organizations are investing heavily in their mobile devices and applications, a market that will grow from its current size of $10 billion to $31 billion by the year 2020, according to market research firm Research 2 Guidance. Healthcare organizations hope that mHealth will enable their front-line providers to have the access to the information they need wherever they may need it.
Criminals have also taken notice. A quick search of the Privacy Rights Clearinghouse data breach database finds that since 2005 there have been 1,889 healthcare data breaches that have been made public consisting of 421,885,347 medical records exposed. Ponemon Institute’s Annual Benchmark Study on Privacy & Security of Healthcare Data estimates that criminal attacks aimed at healthcare data have risen 125% since 2010.
When it comes to security, mHealth poses some unique challenges. Many medical devices and apps can’t be patched as swiftly as traditional enterprise systems because device certifications forbid it, clinical environments are chaotic, and many clinical environments are understaffed when it comes to security and IT.
“This is a big problem because the healthcare industry today isn’t even good at securing traditional environments. There’s the potential for security and privacy lapses when the healthcare records move between different providers,” says Amrit Williams, CTO at CloudPassage. “That breaks the chain of trust. You could have service providers with access using different forms of transporting and encrypting the data. The data may be stored locally, which increases the potential for compromise if the device is lost or stolen."
Ciaran Bradley, chief product officer at AdaptiveMobile
“People don't think of hospital equipment as being a source of security issues, but with many of these devices having mobile capabilities and storing data (part of the healthcare Internet of Things), the potential for hacking is great,” says Ciaran Bradley, chief product officer at mobile network security firm AdaptiveMobile. “Many of these devices have only the basics in security - such as password protection or firmware that may or may not have regular updates, leaving diagnostic and other data at risk."
The U.S. Food and Drug Administration has taken notice of the weak security in clinical devices, and late last month published draft cybersecurity guidance that is directed at medical device manufacturers and how they can better assess and respond to security related device flaws.
Beau Adkins, co-founder and CTO at Light Point Security, says healthcare environments are also facing many of the security hurdles other types of enterprises' face when trying to secure mainstream mobile devices, including relatively immature mobile operating systems when it comes to enterprise device management and security capabilities. “Security was not at the top of the list of priorities. Stock Android devices are notorious for coming bundled with what basically amounts to spyware,” Adkins says.
There are mitigations of course, Adkins points out, many of which are detailed in depth in this NIST Special Publication 1800-1b Securing Electronic Health Records on Mobile Devices, which stresses detailed risk assessment and appropriate security controls to mitigate risk in these environments.
It’s not as if healthcare organizations haven’t tried to keep their networks and mobile apps secure. They have. It’s just that many didn’t go about it well – at least not initially.
Gary Sheehan, chief security officer at technology and security services provider ASMGi, explains most healthcare organizations tried to keep data safe by instituting restrictive use policies. But that’s changing, Sheehan says, as advanced hospitals and health care providers are now embracing innovation, and are relying more on secured and encrypted environments on cloud and mobile platforms to do so. “There’s a lot to think about to keep everything secure and a healthcare environment compliant, but we’ve seen more and more organizations find it is worth the effort,” Sheehan says.
“The key to creating a successful, secure environment is to build a system that allows doctors and nurses to continue doing exactly what they want to do – just to put the right tools in place to help them do it the right way,” Sheehan says. “Hospitals and organizations can install layers of security into mobile devices, securely use cloud services and track data access usage. The real challenge is making sure the apps used on the phone and within the cloud are both secure and easy to use. Ease of use is critical. If it’s not convenient, people will naturally look to find an easier way or they simply won’t use the technology."
Tom Davis, CTO at LANDESK, advises healthcare IT teams what he things they need to do, such as ensuring mobile devices are hardened, that software is patched and up to date, that an accurate enterprise inventory of assets is in place. Davis says that it’s especially important that healthcare organizations centrally manage data and not allow data to be downloaded onto endpoints. In addition, healthcare providers need to remember to continuously educate their employees when it comes to secure mobility and encourage swift data breach notification.
“With data on them, when a loss happens or if someone had unauthorized access, it's best to be informed quickly by the users without penalty to them or fear of action against them. Create the right privacy responsibilities with your mobile employees to lessen the time to notify,” he says.
“The model to move to is to store the data in the cloud where it is encrypted and secure until the mobile app accesses it and not stored locally at all,” says Williams.
Sounds simple, but that doesn’t mean it’s easy. And if recent history of healthcare breaches are any indication, it’s going to take some time to mitigate the risk of there continuing to be a great many healthcare breaches.