Most industries can benefit from utilizing mobile devices in the workplace, and health care is no exception. In late 2014, the HIMSS Analytics Mobile Devices Study found that around 50 percent of hospitals and nearly 70 percent of clinicians were using mobile devices to access electronic health records and other data, or to remotely serve patients. In early 2016, it's not unlikely that this number has increased. In patient care, for instance, it's easy to see the sense in replacing clunky desktop machines with tablets that store huge amounts of medical data and go wherever clinicians need them.
But going mobile is not without its risks, especially when a bring-your-own-device policy is involved, and doubly so in health care. Hundreds of organizations in the medical sector have been breached in the past few years.
To make matters worse, recent research revealed that around eight out of 10 health care-related mobile applications are at risk of violating the Health Insurance Portability and Accountability Act. From a legal perspective, this can precipitate fines. From a practical standpoint, it can lead to data breaches that may cost medical institutions in the form of free identity theft programs for affected patients, cyberattack remediation expenses and possibly even ransom payments in the event of a crypto malware intrusion. Health care organizations should therefore be doing everything in their power to fix the problem.
Let's start with the basics. One of the big differences between a mobile computing environment and a static one is that the mobile network can be accessed from almost anywhere. One method for limiting this access is with login portals and passwords. Unfortunately, these are hardly adequate given how rampant spear-phishing tactics are. These tactics entail tricking personnel into providing login credentials by spamming organizations with malware-laced emails, or with links to fabricated webpages that mimic a company login page. In fact, you may be better off losing the password altogether.
It may sound nonsensical, but in truth, passwords for mobile environments are inconvenient, and they don't provide the type of layered security necessary to protect data. A better alternative is the use of strong digital certificates in concert with virtual private networks and mobile device management. A digital certificate is essentially an identification key: it proves which device is trying to reach the data, and access is granted only to devices that hold one issued by the organization.
This means that an average Joe could never access unencrypted data if he were to somehow steal login credentials to a health care organization's online database. In fact, he wouldn't even be able to connect to the virtual private network. Without an authorized device identity, Joe is completely out of luck.
But what happens if a health care provider leaves their employer-provided mobile device sitting on the counter of the waiting room, and Joe, who happens to be a gifted hacker, takes it home with him? Wouldn't he be able to find a way to hack into the network? Not with cutting-edge authentication.
It's true that passwords are cumbersome and inefficient, but not when that password is your fingerprint. An increasing number of smartphone, laptop and tablet manufacturers are now offering biometric authentication, and it's a feature worth having.
As an added layer of protection, mobile device management makes it possible to completely lock down a device in the event that it's lost or stolen. This is an essential measure for BYOD environments.
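The two ideas above, a device certificate issued by the organization's own certificate authority and an MDM inventory that can cut a lost device off, can be shown end to end with the openssl command line. The script below is an added example, not code from the original article; it assumes the `openssl` CLI is installed, and every name in it (the "Clinic Device CA", the device id `tablet-0001`, the `enrolled.txt` inventory file) is constructed for the demonstration. A certificate that merely copies the device name but was not signed by the organization's CA is refused, and once the device is removed from the inventory even its genuine certificate no longer grants access.

```shell
#!/bin/sh
# Added example (not from the original article): certificate-based device
# identity checked with the openssl CLI. Names and files are constructed.
set -e

WORK=$(mktemp -d)
cd "$WORK"

# 1. The organization's private device CA (constructed for this example).
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=Clinic Device CA" -keyout ca.key -out ca.pem 2>/dev/null

# 2. Enroll a managed tablet: it receives a certificate signed by that CA.
openssl req -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=tablet-0001" -keyout tablet.key -out tablet.csr 2>/dev/null
openssl x509 -req -sha256 -days 1 -in tablet.csr \
    -CA ca.pem -CAkey ca.key -CAcreateserial -out tablet.pem 2>/dev/null

# 3. An unmanaged device that self-signs a certificate with the same name.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=tablet-0001" -keyout rogue.key -out rogue.pem 2>/dev/null

# Constructed MDM inventory: one enrolled device id per line.
enroll_device() { printf '%s\n' "$1" >> enrolled.txt; }
revoke_device() { grep -vx "$1" enrolled.txt > enrolled.tmp || true; mv enrolled.tmp enrolled.txt; }
: > enrolled.txt
enroll_device tablet-0001

# cert_chains_to_ca CERT: succeed only if CERT was issued by the device CA.
cert_chains_to_ca() {
    openssl verify -CAfile ca.pem "$1" >/dev/null 2>&1
}

# cert_device_id CERT: the CN the certificate was issued to.
cert_device_id() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# device_is_authorized CERT: a CA-issued certificate AND still enrolled in
# MDM. A lost device is cut off simply by removing it from the inventory.
device_is_authorized() {
    cert_chains_to_ca "$1" || return 1
    grep -qx "$(cert_device_id "$1")" enrolled.txt
}

if device_is_authorized tablet.pem; then echo "tablet.pem: access granted"; fi
if ! device_is_authorized rogue.pem; then echo "rogue.pem: refused (not issued by the device CA)"; fi

# The tablet is reported lost: MDM removes it from the inventory.
revoke_device tablet-0001
if ! device_is_authorized tablet.pem; then echo "tablet.pem: refused after MDM lockdown"; fi
```

The check deliberately has two independent halves: `openssl verify` answers "was this certificate issued by our CA?", and the inventory lookup answers "is this device still one we manage?". Stolen passwords satisfy neither, and a stolen device satisfies the first only until the MDM entry is removed.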
At the end of the day, many of the prominent breaches across all industries didn't originate with a lost or stolen device. More often than not, they start with a credential theft. In fact, two of 2015's largest-scale health care-related breaches, which collectively affected about 90 million patients, are believed to have started as spear-phishing scams.
While it helps to have measures in place in the event that a device is lost or stolen, the best thing that a health care organization can do to protect its data is to encrypt it, and to leverage digital certificates for all of its devices, mobile or otherwise.