Top 3 Ways to Succeed with Healthcare IoT, Mobile Device Strategies

August 20, 2018 - Healthcare organizations looking to enable more effective workflows and speedier access to data are searching for mobile device strategies that will allow them to harness the power of the Internet of Things (IoT).  

Staying flexible and secure while managing mobile devices is a challenge, especially as rapid innovation puts pressure on providers to future-proof their infrastructure without breaking the bank.

“[Healthcare organizations] are looking at how to make themselves more agile,” says Red Hat Director of Healthcare Craig Klein. “Looking at all the changes that have happened and are happening in healthcare, organizations need to figure out a way to be able to stay as flexible and mobile as they possibly can.”

Developing a plan that includes, device security and meaningful application development can provide organizations with balanced end-to-end mobile strategy to support quality care delivery.

Managing healthcare mobile devices

READ MORE: Why Application Programming Interfaces Are Key for Healthcare

Mobile devices are not limited to the smartphones, tablets, and laptops clinicians carry to treat patients. Mobile devices also include wearables, patient monitors, and other connected medical devices that communicate data to the network.

Traditional mobile strategies mainly focus on smartphone management, or using enterprise mobility management (EMM) to make sure users are only accessing approved applications.   But as the Internet of Things expands to include even more types of devices, organizations are now challenged with making mobility management solutions much more comprehensive.

This often requires a new or reworked management solution to include management features that can be configured on devices with little or no interface.

Giving IT administrators more control over devices and visibility over the network will allow them to configure and onboard different types of devices without having to focus on the endpoint.

Virtualizing device management can give IT staff the control they need.. For example, virtual mobile infrastructure (VMI) relieves IT staff of much of the endpoint maintenance needed to manage devices by giving them remote control over endpoint devices. Remote control makes it easier to manage IoT devices that don’t have the same kind of navigable interface as a smartphone or tablet.

VMI uses the same concept as virtual desktop infrastructure (VDI). However, instead of routing desktop operating systems to mobile devices, VMI routs mobile operating systems to mobile devices. VMI relies on container technology and virtual gateways to give users access to an entirely separate device within their device.

One example of the control VMI offers is device wiping when an endpoint device is compromised.  

“The wipe request from an EMM solution is not reliable,” said Former Vice President of Avast Mobile Enterprise Sinan Eren. “The device could be off the network or out of battery. But in several cases, there is a control center an unauthorized user can access on an iOS or Android device without requiring a passcode, where the device can be put in airplane mode.”

Airplane mode takes the device off the network.  And when that happens, an EMM solution can’t send the wipe request. With a virtualized solution, the operating system is hosted in the datacenter  - and IT is in complete control.  If a device is reported lost or stolen, IT can close that device’s gateway access form the datacenter, sealing it off from the rest of the network and preventing a malicious party from using the device to gain access to the organization.

This concept also works for routine maintenance, such as OS updates. IT administrators can remotely update devices and don’t have to rely on end-users performing the updates themselves. Updates are important from a management perspective because they ensure devices are current on patches and that OSes are compatible with the applications deployed on the device.

Adding visibility and control to mobile device security

Modern healthcare mobile environments can make device security challenging due to the evolving sophistication of both external and insider threats.

Mobile devices are vulnerable to a wide variety of threats, from something as simple as losing a device to a sophisticated cybersecurity attack. What makes mobile devices particularly vulnerable is also what makes them convenient: mobility.

Mobile devices are more likely to be lost or stolen because of their size. Stolen devices with access to the healthcare network can be a gateway to protected health information (PHI). Mobile devices are also vulnerable because they have the ability to connect to networks that are outside the organizations and not regulated or protected by IT.

Phishing attacks can target healthcare mobile devices that are connecting to public networks.

Users often carry their corporate devices outside the organization during breaks or after hours. Hackers looking for specific information can track and observe user behavior to find an opportunity to bypass network security and attack a mobile device.

Educating employees on mobile device vulnerability can help protect devices from these types of phishing attacks. Once employees understand and are aware of the risks, they can do their part in protecting the network.

Although important, employee education can only go so far to protect threats leveraging mobile devices. Organizations will need to develop improved visibility into their device networks in order to truly secure their IoT infrastructure.

IoT devices can make it difficult for IT administrators to differentiate among information sources, devices, networks, and IT applications, according to AHIMA. Without proper network control and visibility, it becomes harder for IT administrators to tell what is inside and what is outside of the network.

The HIPAA Security Rule doesn’t require specific technology solutions, but it does suggest that organizations implement “reasonable and appropriate” security measures for their daily operations.

 “The Security Rule is flexible and scalable to allow covered entities to analyze their own needs and implement solutions appropriate for their specific environments,” said HHS. “What is appropriate for a particular covered entity will depend on the nature of the covered entity’s business, as well as the covered entity’s size and resources.”

Considering current and future mobility needs and ensuring the organization has visibility and control over the network helps protect against cyberattacks.

Network monitoring solutions can help.

“Network monitoring is critical, and it’s always been critical,” Veriflow CTO Dr. Brighten Godfrey explained. “That’s done by monitoring ongoing traffic, which can be done with sampling traffic that’s flowing through the network or sampling metadata like the source and the destination. Even if you're not gathering all of the contents.”

Gathering data this way can help organizations predict vulnerabilities in mobile device connections so they can take steps prevent attacks.

Adding a layer of automation to network security takes the burden off of human IT staff, allowing them to focus on other pressing security concerns.

Developing secure and usable applications

Developing apps that have a usable and sleek user interface is important for ensuring the applications find their way into the workflow, but even the best-looking app has to be more than a pretty face, said Klein from Red Hat.  

“Healthcare mobility is very line-of-business driven,” he said. “Someone wants a pretty app so they've built the front end to make it look good. If it was done by line-of-business people, it may not be integrated well into the backend systems.”

“The most important thing to make mobile work in healthcare is tying everything together in the backend,” he continued. “The pretty interface on the front end is the easy part. Organizations tend to go after it backwards because it was always an added tool, but now it's a critical piece that has to get made properly.”

As a result, organizations deploy multiple applications that are not connected, he explained. Entities need to be fully integrated into backend systems to take advantage of these apps and use them to their full capacity.

“Entities need platforms to build on,” Klein stated. “They need something that they don’t need to think about; a platform that is automatically integrated into the backend that they can develop on time and time again.”

Low-code development platforms are a viable option for in-house app development because they allow organizations to develop apps based on a shared, consistent framework. Low-code platforms offer developers a drag-and-drop interface to develop apps. This allows organizations to develop more apps and deploy them quicker.

“If a low code platform can fulfill all their project requirements while also taking care of compliance it can be a good fit,” said Valaine Anderson, VP of Development at Caspio. “Over time, as an organization continues to deploy applications, they can use the low code platforms to build applications for multiple departments.”

The simplified development process can also relieve IT staff of front-end development duties. The drag-and-drop development style of low-code platforms allows end-users with little to no coding experience to develop app interfaces for the tools they will end up using.

This leaves IT staff free to focus on tying they backend to other systems and increases app usability because it was designed by the clinician or healthcare staff member who will be using the app on a regular basis.  

Focusing on these three areas when considering how to integrate and support mobile devices will help organizations continue to build a strong healthcare mobile device strategy.