Editor’s Note: David Hood is the CEO of Hypori, a secure mobility provider of an enterprise Virtual Mobile Infrastructure (VMI) platform designed to keep all apps and data in the enterprise, leaving no data at risk.
Maintaining high levels of productivity, collaboration, and responsiveness is vital for a successful healthcare organization, and healthcare leaders know that a mobile solution is a must-have if they want to stay competitive and provide top-quality care to their patients. A study by Spyglass Consulting Group found that 96% of physicians are already using smartphones as their primary device to support clinical communications. But along with the convenience and efficiency that mobility promises come new concerns around security and patient privacy.
Phones, tablets and laptops can be lost, stolen or hacked, an especially troublesome matter for an industry dealing with sensitive data and compliance requirements associated with regulations such as HIPAA. The Children’s Medical Center of Dallas recently learned this the hard way, being fined $3.2 million for not sufficiently securing mobile devices and the patient data being accessed on them. And they are not alone. In the same Spyglass poll of healthcare IT and IT security practitioners, 48% said their organization had a breach involving loss or exposure of patient information in the past year, citing unsecured mobile devices as one of the biggest threats.
As the number of internet-connected devices in the hands of healthcare providers has rapidly multiplied over the past few years, so has the large crop of technology vendors offering various mobile device management (MDM) and mobile enterprise security solutions. Yet cyber breaches are getting more frequent and more damaging, and incidents like the Children’s Medical Center mishap are increasingly common. Figuring out how to provide full-time and affiliate healthcare providers a flexible, productive working environment and patients convenient access to providers and information, while keeping the organization and its sensitive data secure, is an ongoing source of anxiety.
When it comes to securing a growing multitude and variety of mobile devices from constantly changing and newly emerging threats, most organizations try to protect the devices and their data with one of many available mobile security software solutions. Most of these also rely on the user to practice good judgement and not accidentally put the company in a vulnerable position. The problem with trusting even the most well-intentioned employees is that users generally don’t worry about securing enterprise data. Sure, most medical and healthcare professionals understand the gravity of patient privacy protocols, but their number one priority is the patient’s health. They are relying on the IT organization to have their backs when it comes to data security. In a survey by NetEnrich, more than half (54%) of respondents say getting employees to simply review the company’s policy on mobile devices is the most difficult part of managing employee use.
Aside from the vulnerability to user mishap, the fundamental flaw in using legacy mobile security tools is that, while they allow IT to monitor and somewhat control device use and access, they are still hamstrung by the potential vulnerabilities of the underlying mobile device. Regardless of whether it is encrypted, password protected or remotely controlled by IT, the data still resides on the device, available should someone find a way past that line of defense. The recent WikiLeaks disclosure of tools the CIA uses to break encryption on many mobile apps brought this issue to light. Closer inspection of the exploits by experts found that it wasn’t flawed apps that were the problem; the tools were actually targeting the underlying mobile operating system (Android and iOS), meaning these attacks can defeat any security solutions that run on top of the mobile OS.
As long as IT addresses the security of data and access by attempting to secure the device itself, trouble can, and will, find a way in. Even if a remote wipe solution has been installed, it provides no security if the device itself is powered off or has no connectivity. In addition, affiliate workers often do not have the hospital MDM solution installed on their devices, which can lead to “workarounds” that aren’t sanctioned, like the use of consumer messaging apps to exchange HIPAA-regulated information.
The solution? Keep the data off the device. If all the sensitive patient data and company apps live in the datacenter or secured cloud, there is only one environment to protect, not hundreds or thousands of endpoints tied to different users, devices and locations. Virtual smartphones live in the datacenter or secure cloud, but are accessed on the user’s physical device. With a virtual smartphone, apps and data appear just as if they are actually installed on the handheld device. However, nothing the user sees is on the physical smartphone. It is a mirror image of what is on the virtual smartphone, secured behind the firewall. Everything stays in a highly protected central location, inaccessible to a hacker who has cracked a remote device. If a phone is lost or falls into the wrong hands, there is nothing on it that puts the organization or patients at risk. No wipe necessary.
It is estimated that more than 250 million Americans will use mobile devices to access the internet in 2017. How many of them work in your organization? How many do you call patients? Rather than adopting costly, yet vulnerable technology and crossing your fingers you won’t get hit with a heavy fine, or something worse, healthcare providers need to find another way. Mobile use in healthcare can have many significant, positive impacts on operations, patient care and communication, but protecting patient rights and privacy is a critical priority. Virtual smartphones can give providers and patients alike the confidence that their sensitive digital information is just as, if not more, secure than documents kept under lock and key.