Developing a Successful, Sustainable Mobile Device Management Program for Healthcare

The proliferation of mobile devices in healthcare has led to an increase in the number of potential threat vectors that could expose sensitive health data.

According to the Verizon Mobile Security Index 2018, healthcare organizations are the most likely to suffer data loss or downtime as a result of a mobile device security incident: 41% of healthcare respondents admitted to sacrificing security for expediency or business performance to incorporate mobile devices into their organizations, above the average of 32%.

The report states that, “Healthcare has the unenviable task of guarding large amounts of highly sensitive and personal data, while also providing quick access for medical practitioners. These risks need to be weighed against speed and accessibility. Complicated or unwieldy access systems could do more harm than good, especially in emergency situations.”

In today’s healthcare environment, every major Electronic Medical Record (EMR) system includes applications that access Protected Health Information (PHI) directly from the EMR to provide real-time feedback. But, according to the Verizon report, only 14% of organizations have implemented basic cybersecurity practices and mitigation approaches to protect the data these applications access.

And, while healthcare organizations leverage a wide variety of mobile devices to improve the patient experience and streamline care, these devices are not always using the latest version of their respective operating system, resulting in additional security gaps.

According to Mitch Parker, executive director for information security and compliance at Indiana University Health, mobile devices are interfacing with many systems throughout a provider organization, including EMR, labs, cafeteria, supply chain, radiology/picture archiving and communication, refrigeration monitoring and clinical engineer systems.

Parker, likewise, calls attention to the variety of secure messaging apps from EMR and other vendors, as well as customer-developed secure messaging applications, that often do not interoperate with other apps. For instance, a mobile app developed by an Electronic Health Record (EHR) vendor to help an organization access its infrastructure may not seamlessly integrate with additional or custom apps made by other vendors. This type of incompatibility can create inefficiency and security holes.

In addition, Parker notes that plenty of “fake apps” in consumer marketplaces often carry malware, which can end up on devices used by healthcare workers. 

For healthcare organizations contemplating a mobile device initiative, the Office for Civil Rights (OCR) recommends establishing clear policies for mobile device data security and staff training on those policies. Employee training should also include discussions on virus and malware protection.

“A lost or stolen mobile device containing unsecured Electronic Protected Health Information (ePHI) can lead to a breach of that ePHI which could trigger a Health Insurance Portability and Accountability Act (HIPAA) breach notification obligation for a HIPAA-covered entity or its business associate (the entity). Additional risks could arise when using personal mobile devices to store or access ePHI,” cautions OCR.

To avoid a HIPAA breach, organizations need to understand that consumer mobile devices are not designed for environments were security is paramount. For example, Wi-Fi, Bluetooth, cloud storage or file sharing network services may not be secured in the devices’ default settings. Mobile devices must be “properly configured and secured before allowing the device to create, receive, maintain or transmit ePHI,” says OCR.

OCR recommends that healthcare organizations use Mobile Device Management (MDM) software to manage and secure their devices. MDM should include operating system configuration, device provisioning and remote access for troubleshooting. Additional security features to consider include:

• Automatic lock/logoff functionality
• Authentication to use or unlock mobile devices
• Regular security patches and updates
• Data encryption and antivirus/antimalware software
• Remote wipe capabilities
• Privacy screens
• Secure Wi-Fi connections and virtual private networks

Organizations should also work to reduce risks posed by third-party apps by prohibiting the downloading of unapproved apps, using whitelisting to allow installation of approved apps, securely separating ePHI from apps and verifying that apps have the minimum necessary permissions required.

“A seemingly innocuous mobile app or game could access your contacts, pictures or other information on your mobile device and send such data to an external entity without your knowledge,” OCR cautions.

With a better understanding of the risks, a properly trained workforce and the right technology, healthcare organizations should be able to deploy mobile devices to improve productivity and patient outcomes while securing PHI and protecting patient privacy.