Healthcare is going mobile, and clinicians are using more capable devices as they cut the cord. But as staff members move around more freely, how can providers ensure that their patients’ protected health information (PHI) stays secure?
Protecting those devices – and the data they access – with enterprise mobility management (EMM) tools is becoming an increasingly important strategy for organizations.
Enterprise mobility management has matured over the past several years as organizations realize the risks associated with mobile devices, particularly with mobile applications accessing electronic health records and PHI. As security risks surrounding these datasets increase, provider organizations must keep pace with evolving threats.
Healthcare mobility environments are increasingly complex as employees use their own devices to access PHI. Unsecured personal devices brought in under BYOD policies and unvetted third-party apps leave gaps that attackers can use to get around network perimeter controls.
“The healthcare industry is highly targeted from a security perspective,” Travelers VP Chief Underwriting Officer Mike Thoma told HITInfrastructure.com. “The value of healthcare records is so high because there is so much information that can be gleaned from a healthcare record. Addresses, SSNs, payment methods, insurance information as well as the health information of the individual.”
Accessing PHI from an unsecured device exposes the organization to HIPAA violations: the Security Rule requires safeguards such as access controls and encryption for electronic PHI. An unsecured mobile device that is lost or stolen with PHI on it is a serious incident for the organization, one that can trigger breach notification, significant fines and a damaged reputation; encryption that meets HHS guidance is the main way to keep a lost device from becoming a reportable breach.
Implementing a complete EMM solution is not easy. Some of the top challenges organizations face when deploying and upgrading an EMM solution include the scope and depth of the deployment. EMM solutions need to cover a high volume of devices as well as keep track of information on the device.
IT departments must have a strong mobile management strategy in place not only to ensure that all apps are running correctly, but also to detect abnormal behavior that could be a sign of a potential attack.
To stay on top of the latest external and insider threats, healthcare organizations must understand how to deploy a secure yet unobtrusive enterprise mobility management solution.
Identifying insider and external mobile threats
Healthcare organizations are particularly vulnerable to certain threats to their mobile infrastructure, including phishing and shadow IT.
Phishing attacks are common in the industry. Phishing impersonates a trusted and recognized source, like a bank or online service provider, to trick the user into giving away sensitive data such as passwords, credit card details or other personal information, or into installing malware disguised as a legitimate message or attachment.
The sources also describe a second pattern often lumped in with phishing, the “watering hole” attack. Strictly speaking, a watering hole attack targets a place (a website or a network) the intended victims are known to frequent; it is not a form of phishing and not unique to mobile devices, but mobile devices are the ones most often carried into such places.
Users often carry their corporate devices outside the organization during breaks or after hours. An attacker looking for specific information can observe where staff go and wait for an opportunity to reach a device once it is off the corporate network.
If several employees from one organization regularly go to the coffee shop around the corner and connect to the shop’s WiFi, for example, an attacker who controls or shares that less-secure network can intercept unencrypted traffic or probe the device directly.
Because this happens off the corporate network, educating employees about the risks of handling PHI on public networks is necessary but not enough. Organizations also need EMM controls that travel with the device, such as enforced storage encryption, per-app VPN and device posture checks, to detect problems and protect clinical data.
Healthcare organizations are also threatened from within by shadow IT: any technology used without the knowledge or approval of the IT department.
“This could be any type of messaging app employees use or programming IT does that is outside of the norm or what has been approved,” 2nd VP at Travelers Global Technology Kirstin Simonson said.
“People might be very surprised at how prevalent shadow IT is in healthcare. If we went into any healthcare organization and really did a deep dive not only into employees but also into what IT is doing to make their jobs more efficient, we might be surprised how much unauthorized shadow IT there is.”
Shadow IT can take many forms, said Thoma, describing a colleague’s experience with an unsecured deployment of Amazon’s Alexa digital assistant.
“The clinic they were visiting was using Alexa to schedule appointments,” Thoma explained. “Not only was it completely non-secure, but Amazon mines all that data. It created a huge risk.”
According to Simonson and Thoma, shadow IT is not limited to employees using outside apps; it also covers work that IT itself does outside approved channels. Using Alexa in a clinical setting is a less common form of shadow IT, but it still poses a significant risk because a third-party service is being used to organize and access PHI.
While employee education is the first and most important step to preventing healthcare phishing and shadow IT, organizations with the correct EMM tools in place are less likely to risk the exposure of their patients’ PHI.
Understanding the components of Enterprise Mobility Management (EMM) solutions
There are four core capabilities that comprise an enterprise mobility management strategy.
Mobile device management (MDM) is a life-cycle management technology that manages OS configuration, device provisioning, and remote access for troubleshooting. MDM keeps track of device activity and protects the device if it is lost or stolen. It also gives IT the ability to lock, reset or wipe devices remotely and to configure network settings. MDM solutions support multiple OSes and standardize the management of iOS, Android and other platforms.
MDM is the foundation of current EMM strategies. However, additional mobility management needs, such as application or content management, are not covered by a stand-alone MDM solution.
Mobile application management (MAM) controls user access to custom and commercial applications within the network and determines which policies apply to which apps. Stand-alone MAM solutions are effective for bring-your-own-device (BYOD) scenarios because they let IT administrators manage the apps without a more intrusive, device-centric MDM solution.
MAM solutions protect app data by wrapping managed apps (or embedding a management SDK) so that policy is enforced per app: data the app stores is encrypted, copying or sharing into unmanaged apps can be blocked, and the app’s traffic can be forced through a per-app virtual private network (VPN). Controlling access at the app level lets IT administrators manage how data is accessed and keeps unmanaged apps away from sensitive clinical data.
Mobile content management (MCM) stores and delivers content and services to mobile devices. MCM handles file-sharing among users and manages which files are stored on the device and for how long. As healthcare organizations migrate to cloud-based storage, MCM can help to distribute files from the cloud in a way that is compatible with the mobile device.
Identity and Access Management (IAM) is the component that ties the others to a person: it ensures that the right users access the right data at the right time by authenticating each user’s identity and controlling what information that user can reach.
IAM monitors a user’s digital identity within the network and outlines the permissions each user has and what data they are authorized to access.
The four core capabilities of EMM work together to provide end-to-end security for mobile devices and the data they access.
What is in the future of enterprise mobility management?
Virtual mobile infrastructure (VMI) is a promising strategy for bringing more security and control into the mobile device environment. Using virtualization to give users remote access to their mobile environment could potentially isolate many security concerns currently plaguing the healthcare industry.
VMI applies the same concept as virtual desktop infrastructure (VDI) to mobile. Instead of delivering desktop operating systems to mobile devices, however, VMI runs mobile operating systems on servers and streams them to mobile devices. VMI relies on container technology and virtual gateways to give users what amounts to an entirely separate device within their device, with the data remaining on the server side.
“Enterprise mobility should not retain any corporate data or healthcare data on the mobile devices and offload everything to the infrastructure and the server side,” said Former Vice President of Avast Mobile Enterprise Sinan Eren.
“VMI offers an unconstrained, native mobile experience while users access it, but does not run the risk and liability of carrying the data around with you in your pocket risking losing the mobile device.”
VMI declutters the management process and gives organizations a better way to govern data than wiping compromised devices after the fact.
“We ran into a lot of challenges initially implementing a similar MDM technology,” Eren noted. “The MDM wipe request from an MDM or EMM solution is not reliable. The device could be off the network or out of battery, but in several cases there is always a control center you can access on an iOS or Android device without requiring a passcode where the device can be put in airplane mode.”
“Control center access gives you unhindered access to a device potentially holding very vital information and chances to hack into the device,” Eren added. “Whether leveraging weaknesses in Touch ID, trying to brute force the password, or leveraging weaknesses in the boot loader, you can attack this device. MDM and EMM solutions will have no chance to send a wipe request because the device is basically off the network.”
While VMI is not yet widespread in healthcare, it has the potential to solve many of the problems currently facing traditional EMM solutions.
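The following is an added example, not code from the article or from any of the vendors quoted in it. It models in Python how the four EMM capabilities described above combine into a single access decision (MDM device posture, MAM app allow-list, IAM entitlements and session validity), and it illustrates Eren’s point about wipe requests: a wipe is queued but only delivered when the device next checks in, whereas revoking the device’s sessions on the server side takes effect immediately. All device ids, app ids, user names, thresholds and the fixed clock value are constructed for the example.

```python
"""Hypothetical EMM policy engine (added example, not a vendor's code).

MDM: device posture checks.   MAM: which apps may touch PHI.
IAM: role entitlements.       Revocation: the control that still works when a
wipe command cannot reach a device that is offline or in airplane mode.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Fixed "current time" so the example is deterministic (constructed value).
NOW = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)


@dataclass
class Device:
    device_id: str
    os: str                  # "iOS" or "Android"
    os_version: tuple        # e.g. (17, 2)
    encrypted: bool          # storage encryption as reported by the MDM agent
    passcode_set: bool
    jailbroken: bool         # rooted/jailbroken per device integrity check
    last_checkin: datetime   # last time the agent reached the EMM server
    lost: bool = False


@dataclass
class Session:
    token: str
    user: str
    role: str
    device_id: str
    expires: datetime


# Hypothetical policy: minimum OS, stale-device threshold, PHI-approved apps (MAM).
POLICY = {
    "min_os": {"iOS": (17, 0), "Android": (13, 0)},
    "max_checkin_age": timedelta(hours=24),
    "phi_apps": {"org.example.ehr"},
}
# IAM: which roles may read which data classes.
ENTITLEMENTS = {"clinician": {"phi", "schedule"}, "scheduler": {"schedule"}}


class EMM:
    def __init__(self, devices, sessions):
        self.devices = {d.device_id: d for d in devices}
        self.sessions = {s.token: s for s in sessions}
        self.revoked = set()        # tokens revoked server-side
        self.pending_wipes = set()  # wipes queued but not yet delivered

    def posture_failures(self, dev, now=NOW):
        """MDM view: every reason the device is out of compliance."""
        f = []
        if not dev.encrypted:
            f.append("storage not encrypted")
        if not dev.passcode_set:
            f.append("no passcode")
        if dev.jailbroken:
            f.append("jailbroken/rooted")
        if dev.os_version < POLICY["min_os"][dev.os]:
            f.append("OS below minimum")
        if now - dev.last_checkin > POLICY["max_checkin_age"]:
            f.append("stale check-in")
        if dev.lost:
            f.append("reported lost")
        return f

    def authorize(self, token, app_id, data_class, now=NOW):
        """Combine IAM (session, role), MAM (app) and MDM (posture) into one decision."""
        s = self.sessions.get(token)
        if s is None or token in self.revoked or s.expires <= now:
            return False, ["session invalid or revoked"]
        if data_class not in ENTITLEMENTS.get(s.role, set()):
            return False, [f"role {s.role} not entitled to {data_class}"]
        if data_class == "phi" and app_id not in POLICY["phi_apps"]:
            return False, [f"app {app_id} not approved for PHI"]
        failures = self.posture_failures(self.devices[s.device_id], now)
        return (not failures), failures

    def report_lost(self, device_id):
        """Queue a wipe (best effort) AND revoke the device's sessions (authoritative)."""
        self.devices[device_id].lost = True
        self.pending_wipes.add(device_id)
        for tok, s in self.sessions.items():
            if s.device_id == device_id:
                self.revoked.add(tok)

    def checkin(self, device_id, now=NOW):
        """The wipe is only delivered when the device actually comes back online."""
        self.devices[device_id].last_checkin = now
        if device_id in self.pending_wipes:
            self.pending_wipes.discard(device_id)
            return "wiped"
        return "ok"


def build_demo():
    """Constructed inventory: a compliant iPad and an Android phone on an old OS."""
    devices = [
        Device("ipad-01", "iOS", (17, 2), True, True, False, NOW - timedelta(hours=1)),
        Device("phone-02", "Android", (12, 0), True, True, False, NOW - timedelta(hours=1)),
    ]
    sessions = [
        Session("tok-a", "dr.lee", "clinician", "ipad-01", NOW + timedelta(hours=8)),
        Session("tok-b", "frontdesk", "scheduler", "ipad-01", NOW + timedelta(hours=8)),
        Session("tok-c", "dr.lee", "clinician", "phone-02", NOW + timedelta(hours=8)),
    ]
    return EMM(devices, sessions)
```

Calling `build_demo()` and then `authorize("tok-a", "org.example.ehr", "phi")` is allowed, the same clinician from the out-of-date Android phone is refused for posture, and the scheduler is refused for entitlement regardless of device. After `report_lost("ipad-01")` the iPad’s sessions fail immediately even though the wipe still sits in `pending_wipes` until the device checks in, which is why keeping data server-side and revoking access there is the control to rely on rather than the wipe.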
As healthcare organizations continue to battle mobile security concerns, they must carefully deploy EMM solutions that can encourage positive user behaviors while protecting sensitive health data. Without a comprehensive EMM strategy in place, organizations may be leaving themselves vulnerable to HIPAA violations and other risks that could threaten the viability of the mobile ecosystem.