To address this problem, hospitals and healthcare facilities need to implement “a good, stress-tested security program that allows [them] to identify, protect, detect, respond to and recover from security incidents,” he says. The program should also “educate, train, and test system users on phishing, a common mode of delivery for ransomware… [and] regularly update and patch all systems, including web plug-ins.”
Unsecure medical devices
“An increasing risk to healthcare networks is the ever-expanding number of internet-connected devices, such as medical devices [e.g., MRI machines], most of which are not secure or engineered to be secure,” says Mac McMillan, president & CSO at CynergisTek. “This is fast becoming the biggest shadow IT nightmare for IT managers and compliance officers. [And] managing this challenge requires asset management, strict controls on the network, network segmentation considerations, inventories and tracking of devices, [as well as] monitoring manufacturer sites for patches and upgrades.”
Moreover, “healthcare organizations must ensure that their system acquisition process includes a thorough security review before purchases are made, and that the selected systems are updated as needed to remain secure,” says Trent R. Hein, cofounder & co-CEO of Applied Trust.
“Healthcare is trending toward BYOD because it combines impressive computing power and modern user interfaces with portability and unobtrusiveness, giving physicians the flexibility to use the device they’re most comfortable with,” explains James Plouffe, lead solutions architect of the ServiceConnect Ecosystem, at MobileIron.
“However, as technology becomes more mobile, data has become more portable and can get outside of a healthcare organization in unexpected ways,” he notes.
“In order for these devices to be HIPAA compliant, they must have a number of security features in place that preserve PHI,” says Marianna Prodan, senior product manager of healthcare at Accellion. “Secure access to content systems, a mobile container that segregates patient information from other information, two-factor authentication, offline PIN, the ability to wipe content from the phone remotely and app whitelisting are just some of the key mobile security features healthcare CIOs should look for when deploying mobile devices in their organizations.”
In addition, healthcare providers should use “tools like the Apple Device Enrollment Program (DEP) or Android Enterprise Device Owner Mode (DOM), [which] give [hospital] IT personnel ways to enable additional security capabilities and ensure that policies follow the data wherever it goes, rather than solely focusing on data within the walls of the health system,” says Plouffe.