Hospitals and clinics need mobile devices to treat patients more effectively and accelerate communications, but they can’t afford to cut corners on mobile security, because mobile security threats are ubiquitous — and potentially devastating.
Every company is under some kind of mobile attack, according to a 2017 study by Check Point, and McAfee reports that cyberthieves are even using the leading app stores to load malware onto user phones. The healthcare industry is cited by Verizon as one of several industries where data security is compromised because businesses are rushing solutions to market with a lack of cyberthreat awareness.
Keeping devices and data safe in hospital environments is hard enough, but risks spike even higher when healthcare professionals leave the controlled environment of the hospital and venture into patients’ homes. All the worries about device and data security remain — while network access and device usage controls go out the window.
Where can a healthcare organization begin its journey towards mobile device security? Structure your thinking along two main lines: protect the device, and armor the network and applications.
Protecting the Device
For healthcare power users who may never touch a controlled environment, the device must be a convenient portal for all their needs — but at the same time be protected against loss, theft and unauthorized usage. The best approach is to specify a particular smartphone or tablet for end users that has high-end security built in. Samsung devices are inherently equipped with Samsung Knox, which features hardware-based security enhancements and device partitioning — separating corporate applications and data from personal use — based on Knox Platform for Enterprise.
Next, select an advanced enterprise mobility management (EMM) tool that can handle whatever devices you expect to encounter, and make sure that both the endpoint security and EMM agents are installed before the device goes out into the field.
Since end users will typically be using the same device for both personal and clinical applications, it’s important to implement strong controls on:
- Application store choice (only allow authorized stores)
- Application blocklists (applications that cannot be installed)
- Software updates (require regular check-ins and updates for both operating systems and installed applications)
- Remote device wipe capabilities
- Device unlock authentication controls
Biometrics simplify device unlocking and can also be used for application authentication, giving a higher level of security than simple passwords. Ultra-mobile healthcare workers often have gloves on, which makes fingerprint authentication impractical. Instead, look for devices that provide hands-free biometric authentication, such as the iris scanners built into newer Samsung smartphones and tablets. Standards like FIDO, which extend biometrics from the device to applications without using easily stolen passwords, are one key to making end-user lives simpler while maintaining security.
Armoring the Network
When someone is in the field, there’s no telling what type of network they might be using. Carriers may offer a modicum of security, but the most common access in the home will be through an unsecured Wi-Fi network.
To protect end users against network-based attacks and snooping, IT managers usually pick one of three strategies:
- Ensure that all application traffic is encrypted using TLS/SSL communications.
- Tunnel all corporate applications through a VPN, possibly double-encrypting some applications.
- Tunnel all internet and corporate application traffic through a VPN.
Although all three have their pros and cons, the sensitivity of healthcare data combined with the diversity of network types that users encounter encourage a very conservative approach: tunneling all traffic through a VPN. With this method, everything the device puts on the network is sent down an encrypted and authenticated VPN tunnel to a corporate VPN gateway, where it can be filtered, checked for malware, controlled, logged and protected before going to either corporate applications or the internet.
Using a VPN tunnel this way is not particularly efficient from a network point of view, but it eliminates any possibility of man-in-the-middle attacks or third-party eavesdropping. With the availability of cloud-based VPN and proxy services, some of these inefficiencies can be eliminated.
Healthcare IT managers should carefully balance the costs and benefits of VPNs and backhauling traffic as part of their mobile security strategy. Even if a full VPN tunnel is not the right answer for your environment or users, it should be carefully considered as an option.
Listen to our free webcast featuring Gartner Security to see how Samsung Knox compares to other mobile security platforms.