With so many recent data breaches in the healthcare industry, senior managers are looking for advice on how best to secure protected health Information (PHI). Many busy health professionals are using mobile devices while at work and during their leisure time. Hence mobile security has become a key issue for IT departments as they look to protect sensitive medical information from unwelcome eyes.
Gone are the days of filing cabinets holding patients’ paper records. Today, most patients would rather email their doctors than call them. And healthcare providers are increasingly using smartphones and tablets to perform routine tasks such as accessing medical records, communicating with insurance providers and submitting prescriptions.
Given the recent data breaches that have plagued the healthcare industry — many through human error — The National Institute of Standards and Technology’s (NIST) National Cybersecurity Center of Excellence (NCCoE) has released a draft guide to help CIOs, CISOs and security managers improve security for mobile devices and to mitigate risks.
The guide addresses issues such as:
- A healthcare worker might lose or misplace a mobile device containing private health information, or be a victim of exploitation or theft.
- Compromised mobile devices enable hackers to access the healthcare organization’s network.
- Untrusted networks use a man-in-the-middle strategy to obtain credentials to access the enterprise network.
Today we ask: Will these guidelines ensure an effective mobile security strategy?
Sensitive patient data needs to be protected, especially on mobile devices
Given the sheer number of breaches, it’s no surprise that there is now a greater emphasis placed on protecting electronic medical records and on securing their delivery to, or receipt from, mobile devices. This helps avoid any issues related to identity theft or privacy as a result of unprotected data. If data is left unprotected any time it is stored, collected or accessed on a smartphone or other mobile device, it is particularly vulnerable. Not only are mobile devices misplaced or stolen regularly, but users also frequently connect to unsecured Wi-Fi networks. However, if data is encrypted, even if a hacker gains access to a data center or taps into network traffic, the data is unreadable without the encryption key. Email encryption solutions can also be implemented to shield data while in transit. With patient records and billing information communicated between insurers, patients and doctors’ offices, this is key.
The guide serves as an affordable and easily accessible resource of information
Primarily designed for security engineers and IT professionals, the guide is free of charge and offers step-by-step instructions. This can be useful for organizations with access to these types of experts, but for a smaller organization, resources might be more limited.
A challenge with this type of general guideline is that the underlying technology is changing rapidly. Individual apps are constantly pushing out updates, operating systems are regularly updated and new device models are released each year. This means that by the time the next update rolls out, some the guidance may not apply.
Discussing ease of use
While the guide is targeted at more technical staff, it does recognize that security largely depends upon user experience. For example, the guide states that the major threats to data integrity are:
- A lost or stolen mobile device
- A user who:
- Walks away from a logged-on mobile device
- Downloads viruses or other malware
- Uses an unsecured Wi-Fi network
The guide offers process diagrams to aid organizations in designing the secure exchange of data. However, while recognizing that human error is a major threat, it does not provide as much advice on mitigating such human error. For example, internal procedures and instructions in the event that a device is lost or stolen (the how-to’s of a proper response), devices that are or are not allowed (for example, disallowing jailbroken devices), and approved third-party apps used to protect mobile devices and data (hint: look for apps that keep data off the device entirely).
While it’s impossible to create and implement guidelines that apply to organizations of every size and account for every possible scenario, the mobile security guidelines put together by NIST offer a solid building block for healthcare organizations. Ultimately, implementing necessary security measures must be balanced with ensuring that healthcare workers can easily use the technology to perform their day-to-day responsibilities. If technology is cumbersome and difficult to use, employee adoption and buy-in is sure to be slow, leaving healthcare professionals looking for work-arounds to avoid using the solutions. These are risks no organization should be willing to take.
Learn more about preventing PHI being stored on mobile devices here.