
Unauthorized Access: Managing Personal Mobile Device Security Risks

Mobile security is as much about people and process as it is about technology.

Vol. 2 • Issue 4 • Page 64

INFORMATION TECHNOLOGY SPECIAL SECTION

Mobile IT

The healthcare industry wants to take advantage of appropriate anytime, anywhere electronic access and record processing technologies in order to streamline medical care. Doctors, nurses, technicians and administrative staff are already working with the personal mobile devices of their choice for increased productivity and connectivity.

As such, healthcare IT organizations are increasingly challenged by the inevitable proliferation of non-corporate devices accessing corporate resources - a trend known as "the consumerization of IT" - and the inherent security risks these devices bring, including potentially unauthorized access to electronic personal health information (ePHI). A progressive approach to mobile security is more relevant than ever.

The Need for Mobile Security in the Workplace

International research firm IDC earlier this year questioned nearly 3,000 information workers and over 600 employers across 10 countries on this trend. It found that a staggering 95 percent of respondents regularly used technology they had purchased themselves for work. However, according to IDC's study, there is a critical disconnect between employees and employers about how consumer technologies are used in the enterprise. Employers don't seem to know how many or what mobile devices are used in their workplace. Workers were making use of consumer devices at twice the rate employers believed they were.

The widespread adoption of personal mobile devices on institution networks and the availability of a wide variety of mobile medical applications, including the more than 750 medical apps available on Apple's app store, is the new field operations reality for healthcare IT. Personal mobile devices, including smartphones, netbooks, USB peripherals, e-readers and tablets, represent new threat vectors and security risks.

For example, what can happen when a mobile phone is lost? How is information protected? Are all the wireless access points within the enterprise safe? Can that new smartphone or e-reader take compromising photos? How are the personal mobile devices of employees, guests and contractors restricted, and how are security policies enforced?

Mobile security is as much about people and process as it is about technology. According to IDC, 52 percent of workers say they are allowed to store personal data on the enterprise network, but only 37 percent of employers say this is the case, so policies are not being effectively communicated or understood. Users need to understand policies in order to safeguard corporate information that may exist on the mobile device, as well as be educated on possible threats. Healthcare organizations must get high-tech on mobile security - assessing the risks, use cases, policies and available controls for the use of personal mobile devices, as well as the wireless infrastructure.

Managing Mobile Security

Here are some tips on managing mobile security risks that should help to ensure connectivity, productivity and security within healthcare organizations:

1. Scope out the types of users and their necessary access to healthcare applications, resources and sensitive health, financial and/or personally identifiable data. Establish basic policy, monitoring procedures and controls that align to ensuring the protection of and appropriate access to ePHI. Respective policies should be published, communicated, monitored and enforced. For example, top executives may be allowed to use their iPad to access the same resources on the enterprise network as they would with their laptops, but other users could be limited to Internet access only.

2. Create an acceptable use policy that informs end users of what mobile devices are allowed access to corporate resources and what uniform monitoring of their use of resources may take place. Also inform end users of necessary precautions to beef up mobile security and to nip potential threats such as malware, phishing or stolen passwords in the bud. Given the likelihood of employees, guests and contractors using wired and wireless networks for personal use, guidelines and security measures should be in place for guest networking.

3. Clearly, maintaining a current and secure operating environment for remote systems, notebooks, iPads, smartphones and other mobile devices is paramount. Giving mobile security a high priority involves keeping devices up to date, as well as using current anti-virus software and the security capabilities of the device, such as changing the root password and employing encryption on smartphones.

Employ secure remote access safeguards such as VPN (virtual private network) clients and multi-factor authentication (name, password and other personally identifiable information) according to user type and access to sensitive network resources, applications and ePHI. Web filtering software can also help to restrict access to insecure and inappropriate websites in order to maintain productivity. Examine data leakage prevention solutions to reduce the risk of sensitive information leaving the network.

4. Set up perimeter defenses, including firewalls, virtual private networking, proxy servers and other means of network segmentation. Users should have gated access to resources. The enterprise can apply greater network segmentation to create additional barriers between general and more sensitive network resources. IT organizations can also employ network security products, such as web application firewalls, to mitigate malicious activity indicative of attacks against web-based applications.

5. Implement separate wireless networks for employees and non-employees. While employees can access the enterprise wireless network using their credentials, non-employees, patients and guests can be provided access only to the Internet. Not only will maintaining separate wireless networks enhance mobile security, it will also help to preserve bandwidth for medical staff use.

Facilities should apply appropriate wireless access points (WAP) configuration standards that include strong authentication and encryption. Examine wireless security technologies that can enforce uniform WAP configuration, as well as identify and block rogue WAPs to prevent access credentials and other sensitive information from being unintentionally provided to malicious entities.

6. Among the more significant problems that IT organizations face when tackling mobile security is getting a handle on who and which devices are on their network. Another issue is having the means to effectively enforce that access, whether the users are remote, or bringing smartphones and other mobile devices onto the network, potentially circumventing defenses.

Network access control solutions provide endpoint and mobile visibility. Additionally, they can block, limit or automatically remediate access violations to ensure that all access to enterprise network resources and data is according to access policy. By automatically assessing who the user is (employee, contractor, patient, guest), what device the user has (system, device, iPad, etc.) and the configuration integrity of the device, the enterprise can realize its investments in mobile security and assure endpoint compliance. For example, unknown users with iPads and other mobile devices attempting to access the enterprise network can be re-directed to a registration page and subsequently have restricted access.

7. Lastly, monitoring solutions such as Security Information and Event Management (SIEM) and log management applications can centralize mobile security controls, improve incident response and automate reporting. This augments an organization's overall security posture and support for compliance mandates. These tools can enable the enterprise to tighten up on mobile security and track access to resources.
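The access decision described in the network access control and monitoring tips above, as an added example that is not from the article or from any vendor's product: it evaluates who the user is, what device they have and the device's configuration integrity, then emits a key=value audit line a log manager can collect. The roles, posture attributes, access outcomes and log format are all assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import Enum


class Access(Enum):
    FULL = "full-enterprise"            # same resources as a managed laptop
    INTERNET_ONLY = "internet-only"     # guest network, no ePHI systems
    REGISTER = "registration-portal"    # unknown device sent to a sign-up page
    REMEDIATE = "quarantine"            # held until its posture is fixed


@dataclass
class Endpoint:
    user_role: str      # employee, contractor, patient, guest or unknown
    device_type: str    # e.g. laptop, smartphone, tablet
    managed: bool       # enrolled in the organization's device management
    encrypted: bool     # storage encryption switched on
    patched: bool       # OS, apps and anti-virus current


# Posture attributes every enterprise-network device must satisfy (assumed policy).
REQUIRED_POSTURE = ("managed", "encrypted", "patched")


def decide_access(ep: Endpoint) -> tuple[Access, str]:
    """Apply who / what device / device integrity, in that order."""
    if ep.user_role == "unknown":
        return Access.REGISTER, "unidentified user"
    if ep.user_role in ("patient", "guest"):
        return Access.INTERNET_ONLY, "non-employee role"
    failed = [attr for attr in REQUIRED_POSTURE if not getattr(ep, attr)]
    if ep.user_role == "contractor" and "managed" in failed:
        return Access.INTERNET_ONLY, "unmanaged contractor device"
    if failed:
        return Access.REMEDIATE, "posture failed: " + ",".join(failed)
    return Access.FULL, "policy satisfied"


def audit_event(ep: Endpoint, decision: Access, reason: str) -> str:
    """Key=value line for a SIEM or log manager (format is an assumption)."""
    return (f"nac role={ep.user_role} device={ep.device_type} "
            f"decision={decision.value} reason=\"{reason}\"")


if __name__ == "__main__":
    # Constructed sample endpoints, one per outcome.
    for ep in (Endpoint("employee", "tablet", True, True, True),
               Endpoint("unknown", "tablet", False, False, False),
               Endpoint("guest", "smartphone", False, False, False),
               Endpoint("employee", "smartphone", True, False, True)):
        print(audit_event(ep, *decide_access(ep)))
```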

Healthcare organizations must embrace the fact that employees, guests and contractors are using mobile devices, both personal ones and those provided by the enterprise itself. By examining mobile device use; assessing use cases, risks and requirements; and implementing appropriate and reasonable safeguards, end users should be able to connect, comply and compute with confidence.

Scott Gordon is the vice president of worldwide marketing at ForeScout Technologies. He frequently presents on security and risk management topics and is the author of Operationalizing Security: Putting the Top 10 SIEM Best Practices to Work.