Healthcare has earned an unfortunate reputation as the most frequently breached sector, ahead even of financial services. Part of the reason is how valuable its data is: the average healthcare data breach costs $380 per record, compared with a cross-industry mean of $141, according to research from the Ponemon Institute. Security problems don’t just disrupt patient care; they can also bring lawsuits if patient data is exposed.
Healthcare IT managers in the U.S. are also seeing vulnerabilities affect patient care as they fight a shortage of security talent, an abundance of legacy equipment with known issues, and widespread problems with haphazard networking.
There’s no cure-all to solving these problems, but healthcare IT best practices — assisted by automation such as a good mobile device management (MDM) toolkit — can put you in a more secure spot. Follow these three main steps to strengthen your mobile security in the hospital.
1. Build a Culture of Security
Rather than just focusing on minimum HIPAA requirements, IT managers should try to zoom out and build a big-picture security strategy — one that addresses the needs of all employees from the C-level executives to floor staff. This means pushing information security education down to individual staff members and up to the executive team, so that they understand the issues and the plans to address them. This culture extends outside of the organization to partners and suppliers, so look for vendors that are naturally aligned with your security goals.
Within this framework, mobile device security starts with policies grounded in a documented risk analysis (which the HIPAA Security Rule requires) and the mitigations chosen from it. Policies should spell out how mobile devices are managed, whether staff may bring and use their own devices, where and how devices may be used, and the required security configuration of each device.
IT security plans must also cover recovery from outages and other disasters. If networks or systems are down, clinical staff still need to exchange vital information, so a plan for secure fallback communications should be in place before it is needed.
However, a mobile device policy is useless if it isn’t communicated, so healthcare staff at all levels should receive training on how it affects them and be required to sign off that they understand and agree with the policies.
2. Establish Mobile-Specific Policies
Given the heavy use of tablets and smartphones, mobile devices need to be a special focus of hospital security policies. Loss and theft are the obvious risks, but admins should also account for electromagnetic interference (EMI) with medical equipment, shoulder surfing of protected health information by unauthorized viewers, unencrypted Wi-Fi networks, and weak authentication practices such as shared logins and short PINs.
Key controls typically include strong authentication of both the user and the device (with mutual authentication between the device and back-end services), and a requirement that all Electronic Health Record (EHR) data be encrypted both at rest on the device and in transit over the network.
IT managers should layer additional security on top of the mobile operating system’s built-in features. Endpoint security software reduces the attack surface, and platform-specific tooling such as Samsung Knox on Android adds per-app VPN, data loss prevention and containerization (a managed work container kept separate from personal data).
MDM tools are the key systems for corralling devices and keeping them up to date and compliant with policies for authentication, encryption and endpoint security; a device that falls out of compliance (for example, one reported as rooted or jailbroken) should lose access to EHR systems until it is remediated.
3. Implement Strong Access Controls
Physical access controls are hard in a hospital environment, where 24/7 traffic includes a constantly rotating cast of patients, caregivers and support technicians. Devices should be protected from unapproved access, theft and unauthorized viewing.
This rotating cast doesn’t just apply to people. It also applies to devices, which may change hands and roles every few hours. By keeping as little data as possible on the device itself and serving records from central systems that require the user to authenticate, IT managers can enforce access control at the server rather than trusting whoever happens to be holding the device.
At the top of all these access controls are defined rules for who can see EHR data. Grant access on a “need to know” basis layered on role-based access control: the role says what kind of record and what operations a user may perform, and need to know (for example, a current treatment relationship with the patient) narrows that to specific patients. Device profiles pushed by MDM can enforce part of this, and separating data into containers on the device is another straightforward way to keep different classes of data apart.
EHR access controls have implications for other parts of security policy, including what is logged and how long logs are retained, when a device is remotely wiped, and rules on (ideally a prohibition of) shared user accounts.
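As an added example (not code from the original article), the following Python sketch ties together the device controls described under Establish Mobile-Specific Policies and the access rules above: an EHR request is allowed only when the MDM-reported device posture is compliant, the user’s role permits the action, and the user has a need to know (modelled here as a treatment relationship with the patient), and every decision, allowed or denied, is written to an audit record. The posture fields, role and action names, thresholds, and the sample devices and users are all assumed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Set, Tuple

# Policy thresholds: assumed values for illustration, set from your own risk analysis.
MIN_OS_VERSION = {"ios": (16, 0), "android": (13, 0)}
MIN_PASSCODE_LEN = 6

# Role-based layer: which actions each (hypothetical) role may perform on EHR data.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "physician": {"read", "write"},
    "nurse": {"read", "write"},
    "billing": {"read_billing"},
    "it_admin": set(),  # manages devices, never sees patient records
}
# Actions that additionally require a treatment relationship (need to know).
NEED_TO_KNOW_ACTIONS = {"read", "write"}


@dataclass
class DevicePosture:
    """Posture as an MDM agent might report it (field names are assumed)."""
    device_id: str
    platform: str
    os_version: Tuple[int, int]
    mdm_enrolled: bool
    storage_encrypted: bool
    passcode_len: int
    compromised: bool  # rooted / jailbroken
    lost_mode: bool    # flagged lost or stolen in the MDM console


def posture_violations(p: DevicePosture) -> List[str]:
    """Compare a posture report against policy; an empty list means compliant."""
    v = []
    if not p.mdm_enrolled:
        v.append("not enrolled in MDM")
    if not p.storage_encrypted:
        v.append("local storage not encrypted")
    if p.passcode_len < MIN_PASSCODE_LEN:
        v.append(f"passcode shorter than {MIN_PASSCODE_LEN}")
    if p.compromised:
        v.append("device is rooted or jailbroken")
    if p.lost_mode:
        v.append("device reported lost or stolen")
    if p.os_version < MIN_OS_VERSION.get(p.platform, (0, 0)):
        v.append("OS below minimum supported version")
    return v


@dataclass
class EhrRequest:
    user: str
    role: str
    action: str
    patient_id: str
    device: DevicePosture


def decide(req: EhrRequest, care_team: Dict[str, Set[str]],
           audit_log: List[dict]) -> Tuple[bool, List[str]]:
    """Allow only when posture, role and need-to-know all pass; always audit.

    care_team maps patient_id -> users with a current treatment relationship.
    """
    reasons: List[str] = []
    reasons.extend("device: " + v for v in posture_violations(req.device))
    if req.action not in ROLE_PERMISSIONS.get(req.role, set()):
        reasons.append(f"role '{req.role}' is not permitted to '{req.action}'")
    if req.action in NEED_TO_KNOW_ACTIONS and req.user not in care_team.get(req.patient_id, set()):
        reasons.append("no treatment relationship with this patient")
    allowed = not reasons
    # Every decision is logged; repeated denials from a compliant device are worth alerting on.
    audit_log.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": req.user, "role": req.role, "action": req.action,
        "patient_id": req.patient_id, "device_id": req.device.device_id,
        "allowed": allowed, "reasons": list(reasons),
    })
    return allowed, reasons


def run_demo() -> Dict[str, Tuple[bool, List[str]]]:
    """Constructed sample devices and requests; returns the decision per scenario."""
    good = DevicePosture("ipad-ward3-07", "ios", (17, 2), True, True, 6, False, False)
    rooted = DevicePosture("byod-android-19", "android", (14, 0), True, True, 8, True, False)
    care_team = {"P-1001": {"dr.lee", "rn.ortiz"}}
    audit: List[dict] = []
    scenarios = {
        "physician_on_team": EhrRequest("dr.lee", "physician", "read", "P-1001", good),
        "nurse_not_on_team": EhrRequest("rn.chen", "nurse", "read", "P-1001", good),
        "physician_rooted_device": EhrRequest("dr.lee", "physician", "write", "P-1001", rooted),
        "admin_reads_chart": EhrRequest("it.root", "it_admin", "read", "P-1001", good),
        "billing_read": EhrRequest("acct.kim", "billing", "read_billing", "P-1001", good),
    }
    results = {name: decide(r, care_team, audit) for name, r in scenarios.items()}
    assert len(audit) == len(scenarios)  # one audit record per decision
    return results


if __name__ == "__main__":
    for name, (ok, why) in run_demo().items():
        print(f"{name:24} {'ALLOW' if ok else 'DENY '} {why}")
```

The ordering matters: posture is checked first so that a lost or rooted device is refused before any role logic runs, and the audit record carries only identifiers (user, device, patient ID), not record contents, so the log itself does not become a second store of clinical data.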
Network access deserves the same attention, and MDM tools can push the device-side settings (Wi-Fi profiles, certificates) that enforce it. Physical Ethernet ports, particularly those in public areas and patient rooms, should be protected with NAC technology such as 802.1X port authentication so that unauthorized users or devices cannot connect to the hospital backbone.
Wireless networks should be carefully segmented, with separate firewalled networks for guests, medical and non-medical staff, and medical and non-medical IoT devices. Staff must use WPA2-Enterprise (802.1X) networks that authenticate both the user and the device, for example with EAP-TLS and device certificates issued through the MDM, and that provide strong encryption; pre-shared-key networks belong on an isolated guest segment, not anywhere near clinical systems.
Regardless of the hospital’s IT infrastructure, administrators need a multifaceted approach to mobile security to keep patient and employee data safe. By combining education, mobile-specific policies and access control, IT departments can build a solid foundation for defending against future attacks.