Information Security is a growing concern across all Health and Human Services (HHS) agencies as well as hospitals, doctors' offices and any organization dealing with Personally Identifiable Information (PII) or Protected Health Information (PHI). Specifically, the proliferation of mobile devices and their potential for storing and transferring sensitive information requires a new approach to how data owners and agencies address cybersecurity. A March 2013 survey conducted by Kandar Media [1] found that “almost three-quarters (74%) of the physicians surveyed use a smartphone for professional purposes.” As BYOD (Bring Your Own Device) is now common in the commercial world and the Federal government considers similar policies, a proactive strategy to protect data accessed via mobile devices is critical in the eternal information security battle.
Is the healthcare industry ready for mobile device integration? The not-so-simple answer is “yes.” Mobile devices such as smartphones and tablets are so tightly woven into the technology fabric of most businesses, and increasingly of federal agencies, that one cannot ignore the potential risks and opportunities. Whether a business wants to remain competitive or a federal agency faces continuing budget cuts and stakeholder expectations to do more with less, they have to embrace mobile devices as part of the solution. In addition to the traditional mobile devices such as tablets, laptops, and smartphones, hospitals, HHS agencies, and doctors must consider their medical devices and tools an extension of their mobile device footprint. Most of the new equipment used in healthcare runs some sort of operating system and software. These devices communicate across traditional networks, wireless, Bluetooth, and infrared, passing images, patient information, and potentially other PII or PHI.
Mobile devices do expose every agency to significant risk. At the most recent BlackHat USA conference in August 2014, there were several briefings and training sessions dedicated specifically to hacking and compromising mobile devices. Interestingly enough, there were even a few briefings on hacking medical devices. Gartner lists “Mobile Device Diversity and Management” and “Mobile Apps and Applications” as two of its Top 10 Strategic Technology Trends for 2014 [2]. The trend over the past several years shows that interest in medical device and mobile device hacking continues to increase. So, if you are a CIO or CISO, you are likely asking yourself, “Why would I want to allow mobile devices on my network or in my hospitals if they present such a security risk?” The answer is that the time and effort spent on preventing mobile device access is better spent reducing the risk to an acceptable level, while gaining benefits such as increased work performance, productivity, and efficiency.
Benefits of BYOD
Productivity – The simple fact is that if individuals are able to check email on their smartphones, they will. This means you can extend the effective work day of each worker from the time they wake up until the time they go to bed. It is human nature to want to be helpful. If workers are given the opportunity and convenience of completing work on their personal devices, they will do so. If you can give them the capability to go beyond email and log into the applications that support their job, many people will immediately fix a problem instead of waiting until they are in the office. Patient care can be brought to a new level. Maybe someone who calls the doctor’s office after 6pm on a Friday will not hear the typical voicemail stating, “The office is closed, if this is a life threatening emergency …” Instead, you could send an email with your contact info and problem to Dr. X and know that it was received and is less likely to be misunderstood. The on-call physician could respond to emails, call the patient back, or send a prescription to the drug store. All of these activities could be time stamped, tracked, and managed through mobile apps on the same mobile device that the physician is carrying all the time. The list of productivity benefits and efficiencies gained from BYOD can go on and on.
Mitigates the resistance to “Change” – Everyone loves technology and talks about how easy technology has made life. Why, then, are people so resistant to change when it comes to introducing new technology into the work environment? The only way to make something better is to “change” it, right? By allowing BYOD, you gain a better buy-in from employees and the working staff through familiarity with “their” technology. The change is still happening; you are just allowing individuals to hold on to their technical “security blanket.”
Concerns and Myths with BYOD
The number one misconception I hear when BYOD is discussed is that if you implement a Mobile Device Management (MDM) solution, your information and data are protected. That is like a farmer saying that if he puts a fence around the hen house, he doesn’t have to worry about the fox anymore. MDMs are great, but they are only one line of defense and, to be honest, MDMs are best at keeping users from doing bad or stupid things unintentionally (and sometimes intentionally). As mentioned above, mobile device exploits are trending in the hacker community for a reason: people use these devices for more than just personal purposes.
Another misconception I hear is that a lost device means lost data. Again, this is not true. There are many different types of technology available that can back up data to the cloud, including contacts, applications, photos, and data. In addition, there are many apps and MDM solutions that provide mobile device tracking and remote wiping. Some MDM solutions can get very granular with compartmentalization and wipe only certain parts of a lost device, or of a BYOD device belonging to someone who leaves the organization. The real concern is that you are relying on the device owner to report the lost device, and during that window, any data stored locally could be compromised.
Mobile devices are going to change constantly and every agency, CIO, CISO or anyone responsible for managing a BYOD policy, has to be agile and adaptive to technology. Don’t get stuck in the mindset of traditional security approaches because that is industry standard. If you hear someone trying to sell you industry standard, run away! Industry standard is another way of saying that the solution meets the bare minimum, and nothing more.
You don’t have to spend a lot of money to implement effective security. Combine multiple technologies and capabilities to create true defense in depth. Areas to consider are MDM solutions, encryption of data at rest, geo-tracking capabilities with automated device wipe, sandboxing applications to keep all data and information on the backend, encryption for all work communication, security awareness training, antivirus, spam filters, phishing filters, and of course physical security, to name a few. In August 2012, the Federal Government published A Toolkit to Support Federal Agencies Implementing Bring Your Own Device (BYOD) Programs [3]. This guide is a good start to addressing security issues with BYOD, but it is only a start.
Many federal agencies have struggled greatly with how to implement and securely integrate BYOD within their agency. There is no magic bullet for BYOD. For federal agencies in the healthcare arena, it is only a matter of time before you succumb to the BYOD tsunami. Is managing BYOD impossible? No, but it sure is complicated. Federal healthcare specifically needs BYOD to take advantage of the benefits mentioned above. HIPAA compliance can be achieved, PII and PHI can be protected, and the threat of data loss can be mitigated, but never eliminated. As stated earlier, as far back as March 2013, nearly three-quarters of all health workers used a smartphone for professional purposes. The industry is already using mobile devices. Why not put policy in place and add security? It is time to embrace BYOD in healthcare and take advantage of the benefits.