Security leaders are constantly challenged by threats from the growing use of mobile devices in the workforce. Nowhere is this more evident than in the healthcare industry. Healthcare has recently seen an explosion of technology innovation aimed at improving patient care, and much of this innovation involves the use of mobile devices in clinical workflows, especially BYOD. The resulting proliferation of mobile devices accessing healthcare systems has blurred the lines between personal and business use for clinicians and has healthcare security executives searching for ways to manage the growing threats. Providers have made significant investments deploying technical security controls which are designed to protect their organizations, but the BYOD devices often fall outside the scope of those controls. CISOs can quickly find themselves struggling to understand who their BYOD users are, what kind of devices they have, how those devices are secured, and where their data is being stored and accessed from.
Clearly, securing mobile devices can be more straightforward when using corporate-owned devices with traditional mobile device management (MDM) technology. However, the costs for procuring and maintaining those devices can quickly spiral out of control. Furthermore, clinicians often resist solutions that involve carrying multiple devices, instead favoring a single device which is most often their personal device of choice.
Complicating this problem even more is the fact that the organization does not even employ many of the BYOD users. A typical healthcare provider may grant mobile access to students, residents, researchers, and independent community physicians and their staff. Traditional MDM technologies may not work well in this scenario, since some of these users may already have another organization’s MDM client controlling their device. In addition, MDM gives the organization some degree of control over the clinician’s personal device, and those users often become concerned about their personal privacy in those scenarios.
Security teams often find that BYOD users may attempt to circumvent controls and find ways to connect their personal devices to the corporate wireless networks to take advantage of faster speeds, since the bandwidth on some hospital guest networks may be throttled. This puts them at odds with security teams, who understandably want to restrict the devices which are allowed to connect to their secure networks.
Security leaders may find their efforts limited if they lack executive support. Cybersecurity has traditionally not been a priority within healthcare, and some clinicians have been successful in getting executives to reverse security decisions by claiming the controls get in the way of patient care or even endanger patient safety. However, healthcare executives have become more aware of the cybersecurity risks and the impact on their business and patient safety and are less likely to make quick decisions to remove security controls. The industry is coming to terms with the fact that cybersecurity actually increases patient safety and privacy and enables better care by ensuring clinical systems remain available.
Navigating these mobility challenges can be difficult for healthcare CISOs, and it usually requires both technical and non-technical tactics. Spending time to develop good policies on the use of mobile devices within the organization is usually a good place to start. Policies should be specific about the controls required, the type of data gathered from BYOD devices, and the assurances the organization gives that it will respect the personal privacy of BYOD users. Security departments should work with HR, Compliance, and Legal when creating the policies. Data from mobile devices used in providing patient care may need to be included in the patient record to avoid HIPAA violations.
BYOD devices should be included in asset inventories, and there need to be processes in place to identify them and enforce basic security controls such as encryption, PIN codes, and timeouts. Having a method to identify terminated users so that access can be deprovisioned and data removed from the device is critical. Where MDM can be used, most solutions provide a method of removing only corporate data while keeping personal data intact. Security should avoid check-the-box controls that do little to reduce actual risk and, when possible, leverage other technologies like virtualization to keep data off the device. Comprehensive monitoring of mobile device access will help alert security teams when inappropriate use is detected.
Relationships are critical to the success of any CISO, and mobile device threat management is no different. When a CISO explains the risks in a language physicians can understand, they are more likely to accept the security controls and work with security teams. When they feel a part of the decision process, they view it more like a partnership, and the CISO may even find a few security champions that can help them promote other security projects in the future. Scare tactics about all the bad things that can happen rarely get you more than short-term gains.
Finally, continually educating the users on the threats and risks will help avoid future incidents. Proper use of mobile devices should be included in security awareness training and frequently reinforced. Training will be more successful if the best practices can be related to their personal use of the devices, such as how the same practices can protect their mobile banking usage.
Managing mobility risks will not get any easier for healthcare security executives. Innovation will continue to drive the use of mobile devices in the clinical workflow. CISOs will have to embrace this and partner with clinical teams to avoid being perceived as a barrier to improved patient care. While the specific challenges may differ, the objective for CISOs is the same as for any other security challenge: help the organization achieve its business objectives while managing risk and protecting patient safety and data privacy.
"The opinions of the editorial are my own and do not reflect those of Methodist Le Bonheur Healthcare"