mHealth: Mitigating Mobile Security Risks

With the use of mobile devices in the healthcare industry come several risks and points of entry, according to the U.S. Department of Homeland Security. These points are listed below, as reported in the National Cybersecurity and Communications Integration Center’s bulletin, Attack Surface: Healthcare and Public Health Sector:

Insider: This can include employees and the ability to transfer information by using portable media devices or the cloud. The most common method of data exfiltration involves network transfer by email, remote access channel or file transfer.
Malware: Malware created to steal information includes keystroke loggers, remote access trojans and more.
Spearphishing: This is an email-based attack in which malicious attachments or links are sent to management, administrators and other key personnel, bypassing email filters and antivirus software in order to penetrate a network.
Web: Silent redirection, obsfucated JavaScript and even search engine optimization (SEO) are a few web behaviors used to gain access to a network. Web servers with injection flaws or broken authentication may also lead to a data breach.
Equipment Loss: As more and more sensitive data is stored on devices such as laptops, desktops, backup tapes, smartphones, flash drives and others, the theft or loss of ePHI (electronic protected health information) increases due to poor physical security mechanisms and hardware encryption.

It’s important to take note of the several points of entry in order to start the risk analysis/assessment any healthcare organization and business associate should undergo in efforts to mitigate data breach risks, especially if they use mobile devices to transfer, store or collect ePHI.

The bulletin also includes advice on taking a ‘layered security approach’ with these example best practices (for detailed tips and more on IT security and HIPAA compliant hosting, read our white paper, HIPAA Compliant Hosting):

Operating well-maintained external facing firewalls, network monitoring techniques, intrusion detection techniques, and internal network segmentation, containing the medical devices, to the extent practical.
Establishing strict policies for the connection of any networked devices, particularly wireless devices, to Health Information Network (HIN) including: laptops, tablets, USB devices, PDAs, smartphones, etc. such that no access to networked resources is provided to unsecured and/or unrecognized devices.
Establishing policies to maintain, review, and audit network configurations as routine activities when the Medical IT network is changed.
Implementing safe and effective, but legal patch and software upgrade policies for Medical IT networks which contain regulated medical devices.
Securing communications channels, particularly wireless ones, by the use of encryption and authentication at both ends of a communication channel.

Although the risk of using mobile in healthcare may be considerable, the benefits are high – 40 percent of consumers reported they would pay for mobile remote monitoring, according to a presentation on mobile growth in Michigan given by Linda Daichendt of the Mobile Technology Association of Michigan at Online Tech’s Spring into IT seminar event. Likewise, 40 percent of physicians said they could eliminate up to 30 percent of office visits by using mobile health strategies.

When it comes to mobile apps, research firm Gartner estimates that total app revenue will increase to 30 billion by 2013 – with over 21 billion downloads and an 87 percent increase in free or ad-funded apps.

With no signs of slowing down, the mobile industry is pushing ahead with the need for regulatory bodies and IT security experts to keep up.

References:
Attack Surface: Healthcare and Public Health Sector (PDF)
The Mobile Explosion: What Does it Mean for You, Your Business, and Michigan’s Economy (PDF)