There are mitigations, of course, Adkins points out, many of which are detailed in depth in NIST Special Publication 1800-1b, Securing Electronic Health Records on Mobile Devices, which stresses detailed risk assessment and appropriate security controls to mitigate risk in these environments.
It’s not as if healthcare organizations haven’t tried to keep their networks and mobile apps secure. They have. It’s just that many didn’t go about it well – at least not initially.
Gary Sheehan, chief security officer at technology and security services provider ASMGi, explains most healthcare organizations tried to keep data safe by instituting restrictive use policies. But that’s changing, Sheehan says, as advanced hospitals and health care providers are now embracing innovation, and are relying more on secured and encrypted environments on cloud and mobile platforms to do so. “There’s a lot to think about to keep everything secure and a healthcare environment compliant, but we’ve seen more and more organizations find it is worth the effort,” Sheehan says.
“The key to creating a successful, secure environment is to build a system that allows doctors and nurses to continue doing exactly what they want to do – just to put the right tools in place to help them do it the right way,” Sheehan says. “Hospitals and organizations can install layers of security into mobile devices, securely use cloud services and track data access usage. The real challenge is making sure the apps used on the phone and within the cloud are both secure and easy to use. Ease of use is critical. If it’s not convenient, people will naturally look to find an easier way or they simply won’t use the technology.”
Tom Davis, CTO at LANDESK, advises healthcare IT teams on what he thinks they need to do: ensure mobile devices are hardened, that software is patched and up to date, and that an accurate enterprise inventory of assets is in place. Davis says it is especially important that healthcare organizations centrally manage data and not allow data to be downloaded onto endpoints. In addition, healthcare providers need to continuously educate their employees about secure mobility and encourage swift data breach notification.
“With data on them, when a loss happens or if someone has unauthorized access, it’s best to be informed quickly by the users without penalty to them or fear of action against them. Create the right privacy responsibilities with your mobile employees to lessen the time to notify,” he says.
“The model to move to is to store the data in the cloud where it is encrypted and secure until the mobile app accesses it and not stored locally at all,” says Williams.
Sounds simple, but that doesn’t mean it’s easy. And if the recent history of healthcare breaches is any indication, it is going to take some time before the steady stream of healthcare breaches slows.