Mobile Devices in Healthcare: Managing Risk. June 2012

Transcription

1 Mobile Devices in Healthcare: Managing Risk June

2 Table of Contents Introduction 3 Mobile Device Risks 4 Managing Risks and Complexities 5 Emerging Solutions 7 Conclusion 7 References 8 About the Author 9 About CHAN HEALTHCARE 10 Key Contacts 10 2

3 Introduction Since the 1876 invention of the telephone, the growth of communication and information collecting devices has continually accelerated. According to internetworldstats.com 2.3 billion of the world s 6.9 billion people were internet users at the end of 2011, reflecting 528% growth over the last decade. Mobile Marketing published an article (April 4th, 2011) on digitalbuzzblog.com, noting that 1.08 billion of the world s four billion mobile phones were Smartphones. They also predicted that mobile internet users (onethird of desktop users in 2007) will surpass desktop internet users in Many parts of our day are made easier with mobile devices. Their application to the work environment has been a natural consequence. Yet in a world where privacy is equally valued, use of mobile technology introduces complexities. In 2011, for the first time, Smartphone and tablet shipments exceeded those of desktop and notebook shipments. To be competitive in our changing world, a business must accommodate all communication channels. Healthcare is no exception. It is a competitive market and healthcare organizations must provide the best technological resources they can afford. According to recent surveys reported by Mobile Health News, Saurage Research and CompTIA, more than 50% of physicians use a Smartphone for work purposes. Inexpensive technology options and more user-friendly devices have allowed usage of these devices to grow quickly. Almost one-third of providers use their Smartphones or tablets to access Electronic Medical Record In 2011, 1,546 million (EMR) and Electronic Health Record (EHR) systems, with an additional mobile devices were 20% expected to start within the next year. Also, 38% of physicians sold, up 11.1 percent with Smartphones use medical applications on a daily basis, with that compared with number increasing to 50% in the next 12 months. The accelerated development of new technology is exciting; however, the growing use of mobile devices and the constant change in technology also brings risk. A high regulatory expectation of patient privacy means healthcare organizations must be constantly aware of security risks and balance high quality patient care with security and privacy. Mobile devices are a phenomenal way to provide high quality care, but it is important to be aware of the major risks and ways to mitigate them. This thought paper will discuss developing business risks and complexities as mobile devices are integrated into operations and share tips on ways to manage security and privacy risks related to these devices. 3

4 Mobile Device Risks A risk by definition is something that can impede the achievement of strategic and business objectives. While developing technology can facilitate better care, it can also quickly put the organization s reputation at risk. Privacy is prized by the public and has resulted in several laws over the last two decades that significantly penalize organizations who do not protect it. The use of mobile devices in healthcare, both hospital and personally owned, presents a number of risks to the security of patient and healthcare information. It is important to be aware of these risks and mitigate them through process design, policy enforcement and controls when possible. The following are some of the key risks related to mobile devices in healthcare: 1. Lack of training and awareness of security procedures and mobile device usage policies. 2. Lost or stolen devices resulting in access to sensitive information including electronic Protected Health Information (ephi). 3. Unauthorized storage of ephi on mobile devices. 4. Unauthorized access and use of devices and the applications and data that reside on them. 5. Lack of proper virus protection and software controls. 6. Installation of unapproved or malicious applications. 7. Jailbreaking of devices resulting in increased risk from malicious software. 8. Use of unsecured wireless networks. These basic risks will continue to grow in the upcoming years due to constant changes in the mobile device market and regulatory environment. New products continue to be released at a rapid pace, and healthcare organizations will continue to enable adoption to stay relevant in a competitive market. Taking appropriate steps to understand the risks can improve the organization s ability to better manage them going forward. The following details can assist healthcare organizations in taking these first steps. 4

5 Managing Risks and Complexities User Training and Awareness Many users of mobile devices are not aware that leaving a device unlocked without a password and then connecting to , company sites, external websites and unsecured wireless networks presents significant risk to the organization. All it really takes is one employee to leave a mobile device open with Electronic Personal Health Information (ephi) on it to cause legal and financial problems for the organization. Policies and access protocols must ensure all users are trained on proper security procedures for using these devices before they are issued or allowed access to the organization s systems. Lost or Stolen Devices Portability is one of the major benefits of using mobile devices. However, from a security perspective, this means devices can be easily misplaced or stolen. It is critical that procedures formalized in the Information Technology (IT) department anticipate lost or stolen devices and provide an appropriate response. Organizations that allow use of personal mobile devices should work with IT to enforce the same security protocols in the event that a personal device is lost or stolen. All employees should be required to agree to these procedures before issuance of a device. All devices should be password protected and encrypted so unauthorized users cannot access any information on the device without proper authorization. It is advisable for IT to have the ability to remote lock and wipe these devices, virtually securing them even in the event they are lost or stolen. Unauthorized Storage Rapid advancement of mobile technology has increased the ability of these devices to store ephi. Maintaining ephi across more tools with mobility increases the likelihood of inappropriate disclosure or theft. Policies that limit storage of ephi to approved platforms should be developed and communicated to all employees. The IT Department should also work to deploy available technological resources to prevent storage on these devices, whenever possible. The technologies used can include tools that limit the types of information stored on the device, prevent all device storage, or limit the types of software used on the device. Unauthorized Access and Use of Devices In the past inappropriate access to information was protected by a door, a private desk and a computer password. Mobile devices remove two of these barriers and greatly increase the need for a clear security policy and enforcement processes. Strict password protection and encryption of physical storage on the devices are minimums. All organization-owned devices should be configured to have both password controls and encryption enforced through security policies, or through the use of other mobile device management software. Mobile device management software provides better control for devices that are connected to company resources, enhances security of devices and allows for managing Mobile Device Management (MDM) Software MDM software is used to track mobile devices being used on-site, control devices which access network data and typically provides the ability to push out security setting policies. Many applications claim to provide these services, top names include, Boxtone, Apperian, Odyssey Software, Maas360, and MobileIron. However, MDM Software should always be acquired based on the unique needs of the environment. multiple types of devices with one product. However, many users connect their own personal devices to check company and access other resources. It is important to configure all settings to require these devices abide by the company security policy as well. As devices multiply their management becomes more complicated, however mobile device management solutions are rapidly evolving as well. 5

6 Managing Risks and Complexities, continued Lack of Proper Virus Protection and Software Controls As capabilities of mobile devices expand, so does the capacity to spread viruses. It should be standard practice to install virus protection on all devices that are connecting to a hospital network in any way. Without virus protection, there is a risk that mobile devices can infect the network, leading to loss of systems, breached data and privacy concerns. Policies regarding virus protection and software controls should be regularly communicated to all employees. Only four percent of Smartphones and tablet computers shipped in 2010 had some form of mobile security downloaded and installed. Unauthorized or Malicious Applications If you have downloaded an application onto a mobile device through an iphone, Blackberry, or Android, you are familiar with the warnings regarding what the downloaded application will be able to see and do on the device. Typical warnings include access to contacts, , phone status, network usage and more. For hospital-owned mobile devices, installing any unauthorized application brings additional risk. Written and programmatic policies should be employed to prevent installation of unauthorized software. For example, mobile device management software can help enforce corporate policies regarding applications through the use of application whitelists for approved applications and blacklists for applications that should not be installed. More advanced features and the ability to deploy applications can be provided through the use of mobile device management software. Jailbreaking Jailbreaking is a term used for hacking a mobile device and freeing it from restrictions and controls imposed by the device manufacturer or mobile device service provider. Jailbreaking provides users and applications with administrator-like privileges to the device and the data stored on the device. Websites and software specific for jailbreaking mobile devices are widely available on the internet and through application markets. Mobile device policies should clearly prevent users from jailbreaking any hospital-owned mobile device or using any personally owned device that has been jailbroken to access hospital , networks, data or applications. To enforce this policy, mobile device management software should be deployed. Unsecured Wireless Networks Unsecured, or open, Wi-Fi networks do not require the use of authentication controls (passwords) and do not use encryption to prevent the capture and eavesdropping of unsecured network traffic. Even the use of some secure Wi-Fi networks (requiring authentication) like Wired Equivalent Privacy (WEP) present risk, as there are existing tools and techniques to break WEP keys. To protect traffic between an end user s device and a hospital s network, an encrypted Virtual Private Network (VPN) should be used along with the use of Secure Socket Layer (SSL) encryption for all web-based resources and . Policy should enforce such an approach. Less than one in 20 Smartphones and tablets have third-party security software installed in them, despite a steady increase in threats. 6

7 Emerging Solutions Solutions and software to manage mobile devices change as quickly as the devices. Many companies currently have systems that allow for some security to be managed on their devices. However, many standard security settings do not provide full mobile device management for any type of device that connects to the hospital network. As technology continues to evolve, there will be many options available to manage devices. While all products have their advantages and disadvantages, it is important to remember that there are many different types of devices with different security configurations. When choosing what works best for your organization, it is important to consider a self-inventory of the risks present with these devices and the controls needed to mitigate them. Assessing your current mobile device management processes with a few key risk questions like the ones below can get you started. Remember to include key stakeholders from all areas of your organization to help find the right solution. 25% of health care providers surveyed use tablets at their practice, while another 21% expect to do so in the next 12 months. 1. Do you have an inventory of all mobile devices used within business operations? 2. Do you have a security policy that covers use of mobile devices? If so, which has been effectively communicated? 3. Is your security policy enabled by technology to track and enforce security standards? 4. Is there a defined approval process for granting mobile devices access? 5. Do processes exist to determine that all devices have appropriate security settings? 6. Does the organization have the ability to delete data if devices are lost or stolen? Conclusion The use of mobile devices will continue to grow and the changing security landscape of these devices will always make them a security concern, specifically in a privacy conscious healthcare environment. Healthcare organizations must continually review the risks of mobile devices in their facilities and update policies and procedures regularly. Mobile device management and security should always be a formal part of the comprehensive data access and security plan. These devices are designed to help employees increase efficiency and provide a better patient experience. A strong foundation for mobile device security can help to achieve the ideal intended uses. The healthcare organization should always set the tone that security of these devices should be a primary objective for everyone. Constant education and user awareness can help to prevent problems in the future. If managed properly and securely, these devices will continue to be a benefit to the organization. 7

8 References CompTIA. CompTIA. N.p., n.d. Web. 15 May Canalys Insight. Innovation. Impact. Canalys Insight. Innovation. Impact. N.p., n.d. Web. 15 May Department of Health and Human Services. DHHS. N.p., n.d. Web. 15 May hhs.gov. Dolan, Brian. mobihealthnews. mobihealthnews. N.p., n.d. Web. 15 May mobihealthnews.com. Hepburn, Aden. Infographic: Mobile Statistics, Stats & Facts 2011 Digital Buzz Blog. Digital Buzz Blog Digital Campaigns, Online Marketing, Social & More. N.p., Web. 4 Apr digitalbuzzblog.com HIMSS (Healthcare Information and Management Systems Society). HIMSS (Healthcare Information and Management Systems Society). N.p., n.d. Web. 15 May Home mobithinking. Home mobithinking. N.p., n.d. Web. 15 May IDC Home: The premier global market intelligence firm. IDC Home: The premier global market intelligence firm. N.p., n.d. Web. 15 May ISACA. ISACA. N.p., n.d. Web. 15 May Marketing Research Firm Branding Strategies & Competitor Analysis Saurage Marketing Research. Marketing Research Firm Branding Strategies & Competitor Analysis Saurage Marketing Research. N.p., n.d. Web. 15 May Online Marketing Agency - Minneapolis, MN Spyder Trap Online Marketing. Online Marketing Agency - Minneapolis, MN Spyder Trap Online Marketing. N.p., n.d. Web. 15 May spydertrap.com. Predictive Analysis Intelligent Analysis Strategic Market Research Strategy Analytics. Predictive Analysis Intelligent Analysis Strategic Market Research Strategy Analytics. N.p., n.d. Web. 15 May

9 About the Author Jeff Good is a Certified Information Systems Auditor and holds a Bachelor of Science degree in Computer Management (Information Systems) from Eastern Illinois University. Mr. Good has worked in the Information Technology (IT) Area for over 10 years and serves in CHAN HEALTHCARE s IT Audit Practice. His audits have covered several health systems and provide a solid industry perspective. Mr. Good participates in client risk assessments and system implementation reviews to help clients to identify weaknesses in their most critical areas. Through these projects he has provided clients with detailed issues and action plans to help strengthen internal controls in many critical hospital areas. Prior to joining CHAN HEALTHCARE, Mr. Good worked at a professional firm in an IT Risk Advisory Services Practice serving many different clients and industries. 9

10 About CHAN HEALTHCARE CHAN HEALTHCARE was the first and remains the only company in the United States focused exclusively on providing internal audit and consulting services to the healthcare industry. CHAN HEALTHCARE has implemented internal audit and consulting services at more than 25 healthcare networks, with ongoing operations in over 700 healthcare facilities nationwide. Our 320+ Associates represent CHAN HEALTHCARE to provide independent assurance that business risks and opportunities are identified and managed from implementing our Client Value Model to providing services in Coding, Compliance, Information Technology, Data Analytics, and Governance education. Find out more about CHAN HEALTHCARE at or call Key Contacts Dan Clayton Director of Knowledge Management CHAN HEALTHCARE Sarah Edwards Chief Communications Officer CHAN HEALTHCARE Copyright 2012 CHAN HEALTHCARE LLC. All rights reserved. 10