You would be hard-pressed to find a healthcare worker who does not use a smartphone or tablet for work. Be it for taking notes during a phone conversation, searching for references, using medical apps, tapping out a quick email on the go, video conferencing with a patient, or signing medical image files and prescriptions, medical professionals are enjoying the benefits of mobile technology.
However, extending healthcare data onto employees’ personal devices is not without risks. By blurring traditional security perimeters and aggravating the loss of data visibility, Bring Your Own Device (BYOD) has become one of the top causes of data breaches in healthcare.
Acknowledging The Problem
A recent report by PwC (PricewaterhouseCoopers) rates mobile devices third on its list of top health industry issues.
The 6th Annual Benchmark Study on Privacy & Security of Healthcare Data by Ponemon found that security flaws in employees’ personal mobile devices are the top security threat. The cost of data breaches in healthcare was $6.2 billion in 2016. The average cost of a data breach per healthcare organization is more than $2.2 million.
HIPAA Journal published the list of the largest healthcare data breaches in 2016, with BYOD mobile devices and insiders causing the data breaches with the most harm to patients. Even when the insiders do not mean to cause a data breach, their behavior and the lack of cybersecurity awareness create a fertile ground for hacks.
Healthcare organizations have tight budgets, so adopting BYOD seems like a cost-effective strategy with little to no investment required. However, the advantages of BYOD pale when you look at it from the perspective of data security, HIPAA compliance, and the cost of identifying and mitigating a single data breach. Nearly half of all Ponemon respondents experienced more than 5 data breaches in 2 years. Top that with the fact that many data breaches go undetected for months, sometimes years.
Criminal attacks top the list of causes of data breaches, with malicious insiders following closely. Ransomware plagues the healthcare sector, according to numerous industry experts speaking at HIMSS17. Employee negligence, the insecurity of BYOD, and the use of public cloud services and consumer-grade mobile apps for telehealth have created a vast attack surface that criminals are exploiting successfully.
Patient billing information, Social Security numbers, and employee records are the low-hanging fruit that earns hackers a fortune. According to Experian, the value of a healthcare record is around $50 on the dark web, more than the cost of a stolen Social Security or credit card number.
BYOD in Healthcare
As medical workers use the same device as both their work and personal phone, organizations lose control and visibility of the healthcare data they are liable for protecting. A recent report from the security firm Skycure found that 99% of doctors use mobile devices to share patient data, including medical images. They use SMS and consumer apps such as WhatsApp, FaceTime, Skype and Google Hangouts for work. 14% of BYOD devices used by doctors are not password-protected.
Both iOS and Android have OS-level vulnerabilities, and being the two most widespread mobile operating systems in the world, they are also the two most targeted platforms, with thousands of exploit kits available on the dark web. More than 5,000 malware variants targeting smartphones and 250,000 ransomware variants are released quarterly, according to security experts.
Google and Apple release new versions of their mobile OSs, leaving large populations of users with devices that no longer support these newer versions. At the same time, the newer versions come with numerous vulnerabilities of their own. Add in the trend to jailbreak iOS and root Android, and the threat landscape becomes insurmountable for an average healthcare organization.
Consumers delay installing security patches and fail to use passcodes. BYOD devices used in healthcare often end up in the wrong hands: friends and children of the medical staff access these mobile devices on a regular basis.
On the software level, BYOD devices are jam-packed with consumer apps and games. Banks and insurance companies are blacklisting apps such as WhatsApp, Skype or Google Hangouts, prohibiting employees from using them for any work-related communication. Numerous organizations have banned games like Pokemon Go due to their privacy-invasive features. Even if the developers of these apps mean no harm, their apps can be compromised and used by malicious actors.
Doctors now rely on consumer apps to deliver care. According to PwC, mobile health app adoption has doubled since 2015, with 81% of clinicians saying the apps help coordinate patient care. Yet privacy is not on the table for the majority of consumer-grade apps.
The Journal of the American Medical Association published a study that scrutinized Android diabetes apps. At the time of the study, the researchers found 271 apps on Google Play. Six months later, 60 of the apps were no longer available. 81% had no privacy policy. 41 apps had privacy policies, but 80% of those collected user data, and 50% of them shared user data without user consent. Only 4 apps’ policies claimed they would ask users for permission to share their data with third parties. The point is: the market for consumer mobile apps is unregulated. The developers often do not know whether they are subject to any federal regulations. Accountability as such is non-existent for consumer mobile app developers.
Windows is considered the most secure mobile OS platform by security experts and hackers alike. Hackers disfavor Windows mobile devices because of their multiple layers of security, such as encryption, Windows authentication, and sandboxing. Business, military and industrial users turn to Windows tablets instead of Android or iOS. Consumers, however, base their buying decisions on ads and OS adoption among family and friends. Device security is seldom a factor.
In medical tablets, embedded RFID Imprivata Single Sign-On and a fingerprint scanner/biometric reader, or a Smart Card/CAC reader paired with Windows authentication, protect the health data from unauthorized access. Your staff can leave their medical tablets in patient rooms, at the reception desk, or in hallways without compromising data security. The health data remains secure on the medical tablets even in the event of device loss or theft.
Full disk encryption, remote lock and wipe, and advanced remote administration allow your IT admins to locate the device or wipe it. Sandboxing lets your admins isolate selected programs, while blacklisting apps and connections protects the ePHI from potentially harmful applications or games.
Medical tablets allow for remote device control, so your admins can push updates and patches or troubleshoot remotely. With medical tablets, you have full data visibility and control without compromising usability or security. Windows is the most widely adopted OS globally, so your employees won’t have trouble getting used to the user interface and functionality of Windows medical tablets.
In addition, medical tablets come with regular and mini USB ports, which means your staff can use regular USB sticks or hard drives to write, read and encrypt data on external storage.
Usability-wise, medical tablets are easier to use. They come with a digitizer stylus and recognize input from a gloved hand. Medical tablets come with an embedded barcode scanner, so you get multiple devices in one.
The allure of BYOD is its cost-free immediacy. The price of BYOD, however, is high when data breaches occur and when providers lose data visibility and control. If protecting patient data is on the table, providers need solid security. Solid security is not an instantly downloadable commodity, but the result of design choices that put security at the core of the medical tablet’s concept.