Risks Associated with Medical Devices and Mobile Medical Devices

Dennis M Seymour

Chief Security Architect, Ellumen, Inc., USA.


This article looks at how the proliferation of mobility is affecting healthcare, and at the key considerations organisations should weigh as they start to securely scale their mobile strategy. The presence of mobile devices, employer- or employee-owned, inside health organisations is inevitable. The author gives health IT a better understanding of why it is important to embrace these devices, and how they can start implementing a bulletproof plan to secure these connected devices and ensure the privacy of the data on them.


Mobility is having an impact on consumer and business markets at a much faster pace than the introduction of the World Wide Web. There is a surge in the proliferation of mobile devices and platforms, and it is changing how people share and access information in today’s always-on, connected world. In lockstep, mobility is intersecting with cloud computing services and cloud-based technologies, such as location, search, communications and social capabilities, that make apps stickier and more interactive for end-users. Moreover, mobile devices present an opportunity for apps to harness rich, front-end native capabilities, as well as back-end corporate and third-party data, for a new wave of next-generation mobile apps that are much more intuitive and engaging. The mobile arena is a hot and rapidly changing market that is not only affecting consumer lifestyles; increased consumption of mobile technologies is also starting to reshape the enterprise.

The number of new platforms and form factors infiltrating enterprises is staggering. By 2015, there will be one mobile phone for every person on earth, according to Google. Tablets and smartphones are the most prevalent, and nowhere is that becoming more noticeable than in the healthcare industry. Mobile devices have been shown to lower costs and improve the quality of patient care. In the USA in particular, there is a new call for a Nationwide Health Information Network (NwHIN) and a virtual lifetime electronic medical record (VLER) for all military members from active duty through retirement, including civilian family members. The Obama Administration is offering incentives upwards of US$ 20 bn in federal stimulus funds to boost adoption of new health technology programs. Both government and private healthcare organisations in the USA are being challenged by the wave of mobile devices being integrated into their workflow, and by the need to ensure that sensitive, personal medical data is kept private and secure.

At the same time, healthcare organisations are facing budget cuts, and mobile technologies and devices, such as laptops, tablets and SaaS-based (software-as-a-service) apps, offer a more affordable and scalable alternative to upgrading legacy PC and desktop workstations.

Healthcare organisations are looking at how they can build a mobile strategy to keep up with the proliferation of devices and apps, and also with another phenomenon: BYOD, or bring your own device. Employees are increasingly hooking into corporate networks and other enterprise information resources from their own mobile devices, often in an unsecured manner and without IT knowing. Should health enterprises support BYOD as part of their overall mobile strategy? Accounting for employee-owned devices might help health IT ride this incoming wave, rather than try to stop it.

What are the steps and considerations to secure mobile devices, whether employer- or employee-owned? Are there separate precautions for patient-owned devices that connect to hospital networks, or for apps downloaded over the hospital’s network? In addition to securing mobile devices, the nature of healthcare environments brings increased challenges around ensuring the privacy of the information stored on smartphones, tablets, ultrabooks, etc.

This article will address these questions, as well as other key considerations for health IT to securely scale an enterprise mobility strategy to improve patient care, while making it easier for employees to get work done.

Managing mobile devices and data

It is most important for organisations to develop a policy around the management strategy for these devices, including support for the multitude of mobile device types, management tools or services, and procedures for obtaining mobile devices, downloading applications and using subscription services. The level of effort required by support staff, service desk staff and administrators to support these devices, and the applications necessary to provide access to the data, should also be considered.

One major issue facing healthcare organisations is whether to permit storage of sensitive information on corporate or personal mobile devices. There are two options. The first is to allow “view only access” from mobile devices. This essentially means users are not allowed to store data at all on their mobile devices. A strong reason to consider not having local storage is that recent reports say less than 20 per cent of organisations have any management control over employee-owned devices. Moreover, more than 25 per cent of organisations have no control at all over their use.

If storage is an option, then encryption must be seriously considered as an additional requirement. There are grave legal issues should a loss of the device occur, and they have been well documented in the media. Precautions need to be taken to minimise a healthcare organisation’s risks where sensitive patient data is involved. If the decision to encrypt data has been made, the issue may arise that some devices cannot accommodate full disk-level encryption. Many organisations are allowing only applications and devices that permit at least some level of encryption, as well as devices that permit the use of software applications that give the organisation the ability to conduct a remote wipe of any organisational data (or all data) if a device is lost.

Password protection is another common security feature, but in addition, healthcare organisations should require all mobile devices to have an additional form of access control in place. This can be a PIN, pattern, software application or biometric setting. The intent of these measures is to ensure the security of the device, not authentication per se to the network or applications used by the organisation. An added measure would be the ability to lock the device after a set number of failed login attempts. If a device is lost and found, it could be configured to show the owner’s contact information without requiring a login. This could help someone return a device to its rightful owner, while also preventing unnecessary remote wipes.

An alternative would be to integrate a service that enables remote wipe of the device in the event that a mobile device is lost or stolen, or an employee quits and does not return the device. Remote-wipe capabilities permit management to delete data from lost or stolen devices, adding an extra layer of risk mitigation. For remote wipe to work, however, a device must be registered through the manufacturer’s website or through third-party security apps before it becomes lost or stolen. Once the device is lost or stolen, it is too late to register the device, and thus it could be too late to save the data.

An important limitation to consider is that the mobile device’s SIM card could be removed or replaced. Therefore, this is not necessarily a control that can always be relied upon. It may still be possible for unauthorised users to gain access to unencrypted data.

There are strategies to encrypt sensitive data on mobile devices, whether employee- or organisationally owned. Only after entering the right PIN, pattern or password will the person using the device be able to access data. Encrypting data locally should be mandatory, to allow the organisation to meet regulatory requirements. In the USA, for example, this includes requirements such as HIPAA, Sarbanes-Oxley and other legal requirements. Internationally, standards such as IEC 80001, Guidance for the Communication of Medical Device Security Needs, Risks and Controls, are another example.

Get employee buy-in with education and awareness

Education and awareness training is key to ensuring users understand the organisation’s mobile device security policy. This should not be specific to only organisation-approved devices, but should also include employee-owned mobile devices -- taking into account any overlap in how a device is used. Training should address legal requirements, requirements for the use of encryption (when applicable), allowable backup procedures, reporting of missing devices, clearing data from devices no longer in use, and how to use anti-malware software.

The concerns related to transitioning to an environment where mobile devices are ubiquitous are real and happening now. It is important for healthcare organisations to understand and mitigate these risks early on, and they can start by developing a list of minimum requirements associated with their corporate mobile strategy.

Mobility is the way of the future for business, and healthcare is no exception. It is important for an organisation to remain agile as new mobile platforms and form factors continue to proliferate and penetrate corporate walls. It is important for health IT professionals to acknowledge and embrace these devices to maintain a competitive advantage for their overall workforce and patient communities.

How to get started securing mobile in your healthcare organisation

For a healthcare organisation, it is important to take into account several baseline steps when considering the use of mobile devices on its networks. Accommodating employee-owned devices is becoming a fact of life. Information security professionals need to design measures to minimise the risks involved in enabling staff members to use personally owned tablets, smartphones and other mobile devices for business purposes, such as:

  • Conduct a survey of employees to capture the types of consumer mobile devices employees may want to use -- and for what types of work-related tasks
  • Develop a risk assessment process for these devices, and solicit and include user input
  • Apply the same policies and security controls to personal devices as you apply to corporate-owned devices
  • Develop a legal agreement with those who use personal devices for work-related purposes
  • Implement an employee education, training and awareness program

A key benefit for organisations that support mobile devices is that employees are able to work from anywhere at any time. But there are several risks in permitting employees to use personal mobile devices. For example, smartphones are easily misplaced and tablets stolen, which can make any data stored on them vulnerable. Asurion, a leading electronics insurance agency, reports that over 56 per cent of users report losing or misplacing their phones for short periods of time each month. Notably, over half of all devices are reported to contain some company information. There is also a risk when an employee quits or is fired: what happens if there is sensitive corporate information stored on that person’s mobile device? A health organisation must require security controls such as data encryption and, in this particular scenario, remote-wipe capability.

Inevitably, mobile devices are becoming prevalent in healthcare settings. It is common for users to use their mobile devices for both personal and business purposes. When a user stores personal information, photos, etc. on their mobile device, it gives them a stronger personal motivation to protect the device and the information contained on it. With proper training, an organisation can help its users fully understand the requirements and rules set forth for using mobile devices for any work-related purposes. This could include training on incident reporting, reporting of lost devices, how to properly back up personal information (music, photos, etc.), actions related to conducting a remote wipe due to a lost device, and general training on application use, encryption, anti-malware software and related topics. Organisations must hold employees accountable for their actions; therefore, it is good practice for the organisation to consider the possible actions that will occur, and the consequences and remediation (or mitigation) steps, during the risk assessment process.

There are also important legal precautions associated with financial risks, and with the critical event of a security breach of patient and organisational data, that need to be accounted for. The organisation should have a legal agreement in place that users are required to sign. The document can outline and stipulate that personal devices used for any work-related purposes are used in compliance with the rules set forth by the organisation, and that the organisation may access and review data on them on request. A clause can be worked up to say that any organisational data can be wiped off the device at management’s discretion. The organisation must develop this document and require users to agree to it before granting the device access to data. This will underscore transparency across the enterprise and that the rules apply to all levels of the organisation.

For any mobile device brought into or used within the walls of the healthcare enterprise, specific security controls must be in place. For example, an organisation can require that employees implement unique and strong password controls, including required characteristics (i.e. number and types of characters) and passwords that expire and must periodically be reset. The organisation can also record password history to prevent reuse of prior passwords.
Other minimum security controls recommended are:

  • Screen settings that include contact information on the owner that is viewable before login
  • Inactivity time out
  • Lock out (and potential wipe of the device) after a set number of failed attempts to log on
  • Remote wipe capability if the device is compromised
  • Encryption, if devices are capable of employing it, and
  • Employee education and awareness.
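A baseline check against the minimum controls listed above, as an added example that is not from the article: it evaluates a constructed, hypothetical MDM-style inventory record against those controls, and keeps a salted-hash password history so reuse of prior passwords can be refused without ever storing plaintext. The thresholds, field names and sample records are assumptions.

```python
from dataclasses import dataclass
import hashlib
import os

# Thresholds are assumptions chosen for illustration, not values from the article.
MAX_INACTIVITY_SECONDS = 300   # inactivity time out
MAX_FAILED_ATTEMPTS = 10       # lock out after this many failed logins
PASSWORD_HISTORY_DEPTH = 5     # prior passwords that may not be reused

@dataclass
class Device:  # one row of a constructed, hypothetical MDM inventory export
    owner: str
    encrypted: bool
    remote_wipe_enrolled: bool
    lock_screen_contact: bool
    inactivity_timeout_s: int    # 0 means no timeout configured
    failed_attempt_limit: int    # 0 means no lockout configured

def configured_within(value: int, cap: int) -> bool:
    """True only if the setting is configured (non-zero) and no looser than the cap."""
    return 0 < value <= cap

def evaluate(d: Device) -> list[str]:
    """Return the minimum controls the device fails; an empty list means compliant."""
    checks = [
        (d.lock_screen_contact, "no owner contact on lock screen"),
        (configured_within(d.inactivity_timeout_s, MAX_INACTIVITY_SECONDS), "inactivity timeout missing or too long"),
        (configured_within(d.failed_attempt_limit, MAX_FAILED_ATTEMPTS), "no lockout after failed logins"),
        (d.remote_wipe_enrolled, "not enrolled for remote wipe"),
        (d.encrypted, "storage not encrypted"),
    ]
    return [msg for ok, msg in checks if not ok]

def remember_password(history: list[tuple[bytes, bytes]], password: str) -> None:
    """Append a salted PBKDF2 digest; plaintext passwords never enter the history."""
    salt = os.urandom(16)
    history.append((salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)))

def reuse_allowed(history: list[tuple[bytes, bytes]], candidate: str) -> bool:
    """False if the candidate matches any of the last PASSWORD_HISTORY_DEPTH digests."""
    for salt, digest in history[-PASSWORD_HISTORY_DEPTH:]:
        if hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, 100_000) == digest:
            return False
    return True

# Constructed sample inventory: one compliant device and one with several gaps.
INVENTORY = [
    Device("nurse01", True, True, True, 120, 10),
    Device("clerk07", False, False, True, 0, 0),
]
```

Each finding maps to one bullet above, so the list returned for a device is the remediation list to hand to its owner.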

Dennis M Seymour has more than 15 years’ experience in federal healthcare security. He is a member of the HIMSS Privacy & Security Steering Committee, the HIMSS Mobile Device Security Work Group, the Medical Device Security Task Force and the Risk Assessment Work Group.