Keeping devices and data safe in hospitals and clinical office environments can be hard, but an even more difficult challenge is protecting data when healthcare professionals leave the hospital.

When clinicians and caregivers leave the controlled environment and venture into patients’ homes, all of the same worries about data and device security remain, and all of the controls these professionals typically have around network access and device usage go out the window. To account for this, mobile healthcare professionals should structure their thinking along two main lines: protecting their devices and ensuring the integrity of the networks and applications they access. Here are four tips to help you do so:

1. Mandate devices with built-in high-end security

For ultra-mobile workers, devices have to be convenient portals to all their needs, but they must also be protected against loss, theft and unauthorized usage. The security of the hardware makes a difference here. A Bring Your Own Device (BYOD) program may deliver freedom, but you can enforce higher security if you can control device selection even more tightly, either through Choose Your Own Device (CYOD) or Corporate Owned, Personally Enabled (COPE) approaches.

How to create a mobile-first hospital

icon of a document
White Paper

Get your free guide to modernizing clinical communications with smartphones. Download Now

Look for devices with Trusted Execution Environment (TEE) key stores, burned-in digital certificates for device identification, secure boot technology to block rollback and rooting of devices, and firmware-based kernel checking. These types of devices can give you a strong base that makes protecting the device — and by extension, your applications and PPI — much easier.

2. Secure devices with advanced tools

With a secure base, layering on software tools to increase security becomes simpler. Select an advanced mobile device management (MDM) tool, also called enterprise mobility management (EMM) or unified endpoint management (UEM), that can handle whatever devices you expect to encounter, and make sure that enrollment in the MDM happens before the device goes out into the field.

What kinds of MDM policies are needed for mobile healthcare workers? Implement strong controls on application store choice (only allow authorized stores), application block lists (include all applications that cannot be installed), software updates (require regular check-ins and updates for both operating systems and installed applications), remote device wipe capabilities and device unlock authentication controls.

Install next-generation endpoint security tools to detect and block malware and deliver host intrusion prevention — similar to how traditional antivirus works on Windows. The value of next-generation protection on mobile devices is evident in light of the types of malware threats these devices face. Because their operating systems and operating models are significantly different from those of traditional Windows and MacOS computers, the techniques used to breach them are different as well.

In addition, consider using device partitioning to divide the mobile device into two isolated partitions: one for “work” and one for “home.” Partitioning can dramatically reduce healthcare compliance issues in dual-use mobile devices, especially smartphones.

For example, with Android Enterprise, a Work Profile allows healthcare IT managers to create a truly isolated environment within an Android smartphone or tablet. The Work Profile can only launch approved “work” applications, and personally downloaded applications aren’t even visible when the work profile is unlocked. The Work Profile can have its own VPN, its own encrypted storage and even its own isolated clipboard. Using a well-protected, partitioned device can deliver better security and a more convenient workflow than a situation where the clinician has to juggle two devices without mixing things up or losing one.

3. Use advanced authentication

Traditional two-factor authentication is often a source of frustration for healthcare teams, but ultra-mobile environments are a great place for innovation around authentication. Managing tokens or using fingerprint readers may be impractical because healthcare users often have gloves on, so consider devices that provide hands-free biometric authentication, such as the fingerprint and facial recognition capabilities built into Samsung smartphones and tablets.

Biometrics simplify device unlock, and they can also be used for application authentication, providing a higher level of security than simple passwords. Standards like FIDO help to extend biometrics all the way from the device to the application without using easily stolen passwords. Employing faster authentication tools such as these is critical to making end users’ lives simpler and maintaining the additional security of biometric or two-factor authentication.

4. Move to a zero-trust model

When a healthcare professional is in the field, it can be difficult to tell what type of network they will be using. Carriers may offer a penumbra of security, but the most common access point in the home is an unsecured Wi-Fi network. The plethora of untrusted and possibly malicious networks in the field indicates an obvious choice: trust nothing. The traditional answer to the issue of unsecured networks would be to build a VPN tunnel and encrypt every bit of traffic leaving the mobile device, even basic internet traffic. This is still an option for complex healthcare IT application environments.

But there is an alternative, and ultra-mobile healthcare teams are a great excuse to explore new paradigms. The more modern approach shifts network security away from the 1990s-era “crunchy shell with a chewy center” architecture. Zero trust removes the implicit trust typically afforded to office or corporate networks. If you adopt Zero trust, you don’t need to build elaborate VPN infrastructures for mobile devices. Of course, you still have to make sure that all application traffic is encrypted, usually by adding a TLS/SSL layer, if one isn’t already present.

One of the basic ideas behind Zero trust is that access to applications and services is conditional — it’s not just a question of authentication but also of the state of your device, where you are and even the time of day. Security enforcement systems can check the status of the device using an installed MDM client and define access controls using tools such as Samsung Knox Attestation.

As breach after breach has shown, devices and networks remain constant avenues for data loss. When mobile healthcare workers hit the road, focusing on a few basic security strategies, such as employing biometric authentication, zero trust, and secure hardware and software, can help to protect critical data and applications.

Watch this free webinar on managing employee devices using Samsung Knox and Zero Trust. Or, take this quick assessment to evaluate your hospital’s technology use and get personalized advice.

Posts By

Joel Snyder

Joel Snyder, Ph.D., is a senior IT consultant with 30 years of practice. An internationally recognized expert in the areas of security, messaging and networks, Snyder is a popular speaker and author and is known for his unbiased and comprehensive tests of security and networking products. His clients include major organizations on six continents.

View more posts by Joel Snyder