Securing mobile health records remains a significant challenge

Healthcare organizations are investing big into mobile medical records, but are they keeping them secure?

Few enterprise technologies are growing more rapidly than mobile health (mHealth) software and devices. Healthcare organizations are investing heavily in mobile devices and applications, a market that will grow from its current size of $10 billion to $31 billion by 2020, according to market research firm Research 2 Guidance. Healthcare organizations hope that mHealth will give their front-line providers access to the information they need wherever they need it.

Criminals have also taken notice. A quick search of the Privacy Rights Clearinghouse data breach database finds that since 2005 there have been 1,889 publicly reported healthcare data breaches, exposing 421,885,347 medical records. Ponemon Institute’s Annual Benchmark Study on Privacy & Security of Healthcare Data estimates that criminal attacks aimed at healthcare data have risen 125% since 2010.

When it comes to security, mHealth poses some unique challenges. Many medical devices and apps can’t be patched as swiftly as traditional enterprise systems: device certifications forbid it, clinical environments are chaotic, and those environments are often understaffed when it comes to security and IT.

“This is a big problem because the healthcare industry today isn’t even good at securing traditional environments. There’s the potential for security and privacy lapses when the healthcare records move between different providers,” says Amrit Williams, CTO at CloudPassage. “That breaks the chain of trust. You could have service providers with access using different forms of transporting and encrypting the data. The data may be stored locally, which increases the potential for compromise if the device is lost or stolen."


“People don't think of hospital equipment as being a source of security issues, but with many of these devices having mobile capabilities and storing data (part of the healthcare Internet of Things), the potential for hacking is great,” says Ciaran Bradley, chief product officer at mobile network security firm AdaptiveMobile. “Many of these devices have only the basics in security - such as password protection or firmware that may or may not have regular updates, leaving diagnostic and other data at risk."

The U.S. Food and Drug Administration has taken notice of the weak security in clinical devices, and late last month published draft cybersecurity guidance directed at medical device manufacturers on how they can better assess and respond to security-related device flaws.

Beau Adkins, co-founder and CTO at Light Point Security, says healthcare environments also face many of the hurdles other types of enterprises face when trying to secure mainstream mobile devices, including mobile operating systems that are still relatively immature when it comes to enterprise device management and security capabilities. “Security was not at the top of the list of priorities. Stock Android devices are notorious for coming bundled with what basically amounts to spyware,” Adkins says.

There are mitigations of course, Adkins points out, many of which are detailed in depth in NIST Special Publication 1800-1b, Securing Electronic Health Records on Mobile Devices, which stresses detailed risk assessment and appropriate security controls to mitigate risk in these environments.

It’s not as if healthcare organizations haven’t tried to keep their networks and mobile apps secure. They have. It’s just that many didn’t go about it well – at least not initially.

Gary Sheehan, chief security officer at technology and security services provider ASMGi, explains that most healthcare organizations tried to keep data safe by instituting restrictive use policies. But that’s changing, Sheehan says, as advanced hospitals and healthcare providers are now embracing innovation, and are relying more on secured and encrypted environments on cloud and mobile platforms to do so. “There’s a lot to think about to keep everything secure and a healthcare environment compliant, but we’ve seen more and more organizations find it is worth the effort,” Sheehan says.

“The key to creating a successful, secure environment is to build a system that allows doctors and nurses to continue doing exactly what they want to do – just to put the right tools in place to help them do it the right way,” Sheehan says. “Hospitals and organizations can install layers of security into mobile devices, securely use cloud services and track data access usage. The real challenge is making sure the apps used on the phone and within the cloud are both secure and easy to use. Ease of use is critical. If it’s not convenient, people will naturally look to find an easier way or they simply won’t use the technology."

Tom Davis, CTO at LANDESK, advises healthcare IT teams on what he thinks they need to do: ensure mobile devices are hardened, keep software patched and up to date, and maintain an accurate enterprise inventory of assets. Davis says it’s especially important that healthcare organizations centrally manage data and not allow data to be downloaded onto endpoints. In addition, healthcare providers need to continuously educate their employees about secure mobility and encourage swift data breach notification.

“With data on them, when a loss happens or if someone had unauthorized access, it's best to be informed quickly by the users without penalty to them or fear of action against them. Create the right privacy responsibilities with your mobile employees to lessen the time to notify,” he says.

“The model to move to is to store the data in the cloud where it is encrypted and secure until the mobile app accesses it and not stored locally at all,” says Williams.
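What the advice above amounts to in practice is a record service that authorises every read against the patient’s care team, answers with cache-defeating headers so the mobile client has no reason to persist the record, and writes every access (allowed or denied) to a tamper-evident audit trail. The following is an added illustration written for this page, not code from NIST SP 1800-1b or from any vendor quoted here; the patient records, care-team assignments and audit key are constructed, and the HTTP headers are only a signal to caches that still has to be backed by device controls (MDM, disabled backups) on the endpoint.

```python
"""Serve health records to mobile clients without letting them persist on the
endpoint: per-request care-team authorisation, Cache-Control: no-store on every
response, and an HMAC-chained audit log of each access. Constructed sample
data; stdlib only."""
import hashlib
import hmac
import json
import time
from dataclasses import dataclass

# Constructed sample data (hypothetical patients and clinicians).
RECORDS = {
    "pt-1001": {"name": "A. Example", "allergies": ["penicillin"], "meds": ["metformin"]},
    "pt-1002": {"name": "B. Example", "allergies": [], "meds": ["lisinopril"]},
}
CARE_TEAM = {
    "pt-1001": {"dr-smith", "rn-jones"},
    "pt-1002": {"dr-patel"},
}

# Constructed key; in a real deployment this lives in a KMS/HSM, not in code.
AUDIT_KEY = b"constructed-audit-hmac-key-not-for-production"

# Headers telling HTTP caches on the device (and any proxy) not to keep a copy.
NO_STORE_HEADERS = {
    "Cache-Control": "no-store",
    "Pragma": "no-cache",
    "Content-Type": "application/json",
}


@dataclass
class Response:
    status: int
    headers: dict
    body: str


def _mac(entry: dict) -> str:
    """HMAC over every field of an audit entry except its own MAC."""
    unsigned = {k: v for k, v in entry.items() if k != "mac"}
    msg = json.dumps(unsigned, sort_keys=True).encode()
    return hmac.new(AUDIT_KEY, msg, hashlib.sha256).hexdigest()


class RecordService:
    def __init__(self) -> None:
        self.audit: list[dict] = []

    def _record_access(self, user: str, patient_id: str, outcome: str) -> None:
        # Each entry carries the previous entry's MAC, so deleting or editing
        # any entry breaks the chain from that point on.
        entry = {
            "ts": time.time(),
            "user": user,
            "patient": patient_id,
            "outcome": outcome,
            "prev": self.audit[-1]["mac"] if self.audit else "",
        }
        entry["mac"] = _mac(entry)
        self.audit.append(entry)

    def get_record(self, user: str, patient_id: str) -> Response:
        """Return a record only to a member of the patient's care team; every
        attempt, successful or not, is written to the audit trail."""
        if user not in CARE_TEAM.get(patient_id, set()):
            self._record_access(user, patient_id, "denied")
            return Response(403, dict(NO_STORE_HEADERS),
                            json.dumps({"error": "not on care team"}))
        self._record_access(user, patient_id, "allowed")
        # Data is read from the central store at request time; nothing is
        # handed to the client that it is expected to keep.
        return Response(200, dict(NO_STORE_HEADERS), json.dumps(RECORDS[patient_id]))

    def verify_audit(self) -> bool:
        """Recompute the chain; False if any entry was altered or removed."""
        prev = ""
        for entry in self.audit:
            if entry["prev"] != prev or not hmac.compare_digest(entry["mac"], _mac(entry)):
                return False
            prev = entry["mac"]
        return True


if __name__ == "__main__":
    svc = RecordService()
    print(svc.get_record("dr-smith", "pt-1001").status)   # clinician on care team
    print(svc.get_record("dr-smith", "pt-1002").status)   # not on care team
    print(svc.verify_audit())
```

The audit chain is what turns “track data access usage” into something an incident responder can rely on: an attacker who reaches the log cannot quietly remove the entry that recorded their read without invalidating every later MAC.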

Sounds simple, but that doesn’t mean it’s easy. And if the recent history of healthcare breaches is any indication, it’s going to take some time before the risk of further large-scale healthcare breaches is meaningfully reduced.

Stories by George V. Hulme