Few enterprise technologies are growing more rapidly than mobile health (mHealth) software and devices. Healthcare organizations are investing heavily in their mobile devices and applications, a market that will grow from its current size of $10 billion to $31 billion by the year 2020, according to market research firm Research 2 Guidance. Healthcare organizations hope that mHealth will give their front-line providers access to the information they need wherever they may need it.
Criminals have also taken notice. A quick search of the Privacy Rights Clearinghouse data breach database finds that since 2005 there have been 1,889 publicly disclosed healthcare data breaches, exposing 421,885,347 medical records. Ponemon Institute’s Annual Benchmark Study on Privacy & Security of Healthcare Data estimates that criminal attacks aimed at healthcare data have risen 125% since 2010.
When it comes to security, mHealth poses some unique challenges. Many medical devices and apps can’t be patched as swiftly as traditional enterprise systems because device certifications forbid it, clinical environments are chaotic, and many clinical environments are understaffed when it comes to security and IT.
“This is a big problem because the healthcare industry today isn’t even good at securing traditional environments. There’s the potential for security and privacy lapses when the healthcare records move between different providers,” says Amrit Williams, CTO at CloudPassage. “That breaks the chain of trust. You could have service providers with access using different forms of transporting and encrypting the data. The data may be stored locally, which increases the potential for compromise if the device is lost or stolen.”
“People don't think of hospital equipment as being a source of security issues, but with many of these devices having mobile capabilities and storing data (part of the healthcare Internet of Things), the potential for hacking is great,” says Ciaran Bradley, chief product officer at mobile network security firm AdaptiveMobile. “Many of these devices have only the basics in security - such as password protection or firmware that may or may not have regular updates, leaving diagnostic and other data at risk.”
The U.S. Food and Drug Administration has taken notice of the weak security in clinical devices, and late last month published draft cybersecurity guidance directed at medical device manufacturers on how they can better assess and respond to security-related device flaws.
Beau Adkins, co-founder and CTO at Light Point Security, says healthcare environments are also facing many of the security hurdles other types of enterprises face when trying to secure mainstream mobile devices, including mobile operating systems that are relatively immature when it comes to enterprise device management and security capabilities. “Security was not at the top of the list of priorities. Stock Android devices are notorious for coming bundled with what basically amounts to spyware,” Adkins says.