Analecta Cyber Company Blog: Cybersecurity for mobile devices in healthcare management

2016-06-01

Healthcare practices continue to deploy mobile devices for healthcare management and mobile treatment. These health information technology advances bring opportunities for significant cost savings and improved patient care, but they also bring new risks for cybersecurity and HIPAA compliance. The first step in ensuring a robust defense against cyber threats is to understand the risks these devices bring.


New Risks

The most significant threats presented by mobile devices include theft, new software to maintain and update, and multiple use scenarios.

Theft is the first concern when it comes to mobile devices. Mobile devices, by definition, are easy to transport and carry. Their size, portability and integration with a health IT network are the very things that make them a valuable asset to a practice. This mobility, however, is the single greatest threat to the security of health records contained within or accessed by the device.

Each device that is connected to the healthcare provider network brings software that must be maintained. Like desktop computers, servers and dedicated healthcare devices, mobile technologies carry their own versions of software, which must be updated regularly. An attacker can leverage software vulnerabilities resident on a mobile device to move beyond the device to the core healthcare provider network.

Mobile devices are also treated more like personal devices by staff. This mixed use of a corporate resource brings new exposures to malicious software and attackers. Web browsing, social media, and personal business expose the mobile device to methods of attack that the network security defenses may not be designed to prevent.

Managing mobile device risk

Without a doubt, mobile devices are improving healthcare. Robert Clyde, ISACA Board Director, recently commented that the proliferation of mobile devices is absolutely a positive thing in the healthcare industry.

Managing risks presented by mobile devices must become a part of your HIPAA risk assessment and risk management plan. Through various controls, you can implement sound management practices that reduce your risks. Policies, procedures and technologies all fit into the solution required to meet regulatory compliance requirements and to protect your electronic health records.

Create policies that explain clearly how the mobile healthcare devices are to be used. Ensure staff understand the policies and have an opportunity to ask questions.

If you allow mixed use of the mobile devices, be sure to outline what types of use are authorized.

Require strong passphrases for user access, and ensure you are enabling the encrypted storage capability that comes with mobile devices.

Put procedures in place that ensure the software on these devices is updated regularly. Add mobile devices to your vulnerability assessment process.

Implement encrypted access to your wireless network. Using advanced client authentication and authorization capabilities will greatly reduce the risk of an unauthorized user connecting to the network or stealing data in transit between the mobile device and the network services.

Mobile devices can bring new capability and cost reduction to healthcare practices, but doing so requires serious consideration to ensure the safety of electronic health records and patient privacy.