Last year, the WannaCry ransomware attack made headlines as it hit more than 200,000 computers around the globe. It also left a particularly big impact in the U.K.: One-third of the National Health Service’s 236 trusts were affected, along with 595 doctors’ offices.
The result has been a string of breaches and losses, reinforcing healthcare as a frequently breached sector, even more so than financial services. Security problems not only affect patient care; they can also bring lawsuits if patient data is exposed.
Healthcare IT managers in the U.S. are also seeing vulnerabilities affect patient care as they fight a shortage of security talent, a surfeit of legacy equipment with known issues, and widespread issues with haphazard networking.
There’s no short answer to solving these problems, but there are some healthcare IT security best practices, assisted by automation such as a good mobile device management (MDM) toolkit, that can help.
Here are three main steps to address mobile security in hospitals.
1. Build a Culture of Security
Rather than just focusing on minimum HIPAA requirements, IT managers should try to zoom out and build a big-picture security strategy that addresses the needs of all employees — from C-level executives to floor staff. This means pushing information security education down to individual staff members, and up to the executive team, so that they understand the issues and the plans to address them. This culture extends outside of the organization to partners and suppliers, so look for vendors that are naturally aligned with your security goals.
Within this framework, mobile device security starts with appropriate policies based on a risk analysis and appropriate mitigation. Policies should detail how mobile devices are managed, whether staff are allowed to bring and use their own device, restrictions on how and where devices may be used, and the security measures and configuration of each mobile device.
IT security plans must also contend with the recovery from other types of disasters. For example, if IT networks or systems are down, healthcare staff will still need to exchange vital information, and a plan for secure communications should be in place.
However, a mobile device policy is useless if it isn’t communicated, so healthcare staff at all levels should receive training on how it affects them, and they should sign off that they understand and agree with the policies.
2. Establish Mobile-Specific Policies
Mobile devices need to be a special focus of hospital security policies because of the heavy use of tablets and smartphones. Device loss and theft are a start, but admins should also be aware of electromagnetic interference (EMI) in the medical environment, shoulder surfing of private health information by unauthorized viewers, unencrypted Wi-Fi networks and sloppy authentication practices.
Key initiatives to protect mobile devices typically include strong bidirectional authentication, both of the user and of the device, and a requirement for encryption of all Electronic Health Record (EHR) data, both at rest on the device and in transit over the network.
IT managers should layer additional security on top of the basic mobile device operating system. Endpoint security software helps to reduce the attack surface, and Android-specific security tools such as Samsung Knox bring additional security, such as VPN, data loss protection and containerization features, beyond basic Android operating system tools.
MDM tools are the key systems IT managers use to corral devices, keep them up to date, and keep them in compliance with policies for authentication, encryption and endpoint security.
3. Implement Strong Access Controls
Physical access controls are hard in a hospital environment, where 24/7 traffic includes a constantly rotating cast of patients, caregivers and support technicians. Devices should be protected from unapproved access, theft and unauthorized viewing.
This rotating cast doesn’t just apply to people; it also applies to devices, which may change hands and roles every few hours. By drastically reducing locally stored data and granting access to cloud-based resources based on user credentials, IT managers can implement strong access control policies more tightly.
At the top of all these access controls are defined rules for who can see EHR data. IT managers should grant access to EHR information based on “need to know” policies, built on top of role-based access controls. While this can be done by applying specific profiles to phones, data separation is also an easy way to segment certain types of data.
EHR access controls have implications for other parts of security policy, including logging, log maintenance, device remote wiping policies and sharing of user accounts.
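One way to express the “need to know” rule layered on role-based access control, with every decision written to an audit log, is shown below. This is an added example, not code from the article or any product it mentions; the roles, users, patient IDs and care-team roster are constructed for illustration.

```python
"""Need-to-know EHR access check layered on role-based access control.

Added example; roles, users, patient IDs and care-team data are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Role-based layer: what a role may do with any EHR at all.
ROLE_PERMISSIONS = {
    "physician": {"read", "write"},
    "nurse": {"read", "write"},
    "billing": {"read"},
    "support_tech": set(),
}

# Need-to-know layer: patients each user is currently assigned to.
# In practice this comes from the care-team roster; constructed here.
CARE_TEAM = {
    "dr_lee": {"P001", "P002"},
    "nurse_kim": {"P001"},
    "billing_ana": {"P001", "P002", "P003"},
}


@dataclass
class AuditLog:
    """Append-only record of every access decision, allowed or denied."""
    entries: list = field(default_factory=list)

    def record(self, user, role, patient, action, allowed, reason):
        self.entries.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user, "role": role, "patient": patient,
            "action": action, "allowed": allowed, "reason": reason,
        })


def check_ehr_access(user, role, patient_id, action, log):
    """Allow only if the role permits the action AND the user is on the
    patient's care team. Denials are logged with the failing layer."""
    if action not in ROLE_PERMISSIONS.get(role, set()):
        log.record(user, role, patient_id, action, False, "role lacks permission")
        return False
    if patient_id not in CARE_TEAM.get(user, set()):
        log.record(user, role, patient_id, action, False, "not on care team")
        return False
    log.record(user, role, patient_id, action, True, "rbac and need-to-know ok")
    return True
```

Because every decision is logged with the layer that denied it, the log doubles as the evidence trail the article says these controls require.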
Network access should be a primary concern as well, and MDM tools can help to enforce these policies on the hardware side. All physical Ethernet ports should be protected with NAC technology to prevent unauthorized users or devices from connecting to the hospital backbone.
Furthermore, wireless networks should be carefully segmented, with separate firewalled access defined for guests, medical and non-medical staff, and medical and non-medical IoT devices. End users must use WPA2-Enterprise wireless networks that authenticate both the user and the device and provide strong encryption.
Regardless of hospital IT infrastructure, administrators need to develop a multi-faceted approach to mobile security to keep patient and employee data safe. By combining education, mobile-specific policies and access control, IT departments can create a solid foundation against any future cyberattacks.