Securing Patient Data in Today s Mobilized Healthcare Industry. A Good Technology Whitepaper

Transcription

1 Securing Patient Data in Today s Mobilized Healthcare Industry

2 Securing Patient Data in Today s Mobilized Healthcare Industry BE-GOOD good.com 2 Contents Executive Summary The Role of Smartphones and Tablets in Healthcare Data Loss or Leakage in a Mobile World IT Challenges in the Healthcare Field Developing Secure Mobile Applications Speeding Deployment of Safer Apps for Healthcare Summary

3 Securing Patient Data in Today s Mobilized Healthcare Industry BE-GOOD good.com 3 Executive Summary The modern mobile worker is radically transforming healthcare. Time-stretched doctors and pragmatic nurses now rely on smartphones and tablets to keep connected while they keep moving. In hospitals and clinics throughout the country, these no-nonsense, independent, and demanding clinicians are already using iphones, ipads, and Windows Phone devices to access electronic medical records, view radiological images, reference medical journals, or file prescriptions electronically in addition to carrying out regular , collaboration, and backoffice processes. The use of mobile technology has been justified: a recent survey found that healthcare professionals save as much as a half-hour per day using mobile apps. However, even the most popular mobile apps in the healthcare industry are challenged to deliver information securely. Currently, over 10,000 mobile healthcare applications are used to access electronic health records (EHRs) daily, but the Office of Civil Rights has reported dramatic increases in the incidence of data loss or leakage through mobile devices more than half of them attributed to tablets alone. These breaches may have left the personal records of 1.9 million patients at risk. For instance, healthcare became one of the mostbreached industries in 2011, and medical records were involved in the three worst data breaches of that year. Complicating matters is the recent regulatory impact of Obama s We Can t Wait initiative, which makes the Health Insurance Portability and Accountability Act (HIPAA) even more stringent. To safeguard the use of mobile devices among healthcare providers, new HIPAA regulations insist that all patient data be encrypted at all times during transmission, at any time data resides on wireless devices, and even while it is stored within applications. These new rules mean the stakes are much higher for IT professionals in healthcare. There s greater liability, an increased chance of reputational damage, the threat of governmental fines, and other consequences. The Role of Smartphones and Tablets in Healthcare But rather than limit or prohibit healthcare employees from using mobile devices in their duties, IT managers are seeking out and embracing solutions that safeguard the behavior of these professionals to ensure compliance. Hoping to enhance mobility without restricting it, they re adopting strategies and technologies that make personal devices more productive and responsive to patients in a managed and secure way. Smartphones and tablets remain the future of high-quality, responsive healthcare. What is needed are procedures that prevent the inadvertent misuse of mobile devices to compromise patient data, and reduce the chances that users will circumvent security controls. While this presents a real challenge for IT workers, it s also a battle they can t afford to lose. The risks associated with unsecured devices and data loss in the healthcare industry could be devastating.

4 Securing Patient Data in Today s Mobilized Healthcare Industry BE-GOOD good.com Data Loss or Leakage in a Mobile World A persistent misconception in mobile security is that manufacturers devices have a built-in capacity for encryption or data protection. This is simply untrue. Most basic encryption on mobile devices occurs at the operating system level, in software, and can be limited by constraints in hardware and performance. Unfortunately, securing the device alone doesn t prevent data loss. Typically, data can be compromised when an employee simply downloads information from corporate servers to their mobile devices. Most devices are not able to encrypt application data stored on the device or while over the air. Physicians accessing healthcare records through open, unsecured WiFi networks or VPNs, cellular networks, or Bluetooth in hospitals only provide more avenues for security compromises. Furthermore, the behavior of mobile users is often a contributing factor in data loss. If a doctor or nurse copies information from a secured application into a consumer application, all bets are off. In many cases, the user does not realize they are putting patient data at risk which can translate to financial risk for your business. IT Challenges in the Healthcare Field As smartphones, laptops, and tablets flood the healthcare field, IT professionals must maintain data integrity and communication security to efficiently enforce security policies. (HIPAA has made regulations even stricter, insisting that all patient health information be encrypted at every stage of mobile access.) Also, administrators must implement all security solutions with respect for the privacy and productivity of individual users. The most successful administrators cite several areas for review. Security. Have a strong password protocol on wireless devices and configure the lock screen to activate after a short period of inactivity. Breaches. Encourage mobile users to report lost or stolen devices immediately. Turn on the remote wipe feature of wireless devices. Verify that devices meet your security requirements (make, model, OS). Access. Enable security on all hospital Wi-Fi networks. Limit access to all networks based on adherence to security policies. Do not use wired equivalent privacy (WEP); Wi-Fi protected access (WPA-1) with strong passphrases offers better security. Use WPA-2 if possible. Authentication. Change the default service set identifier (SSID) and administrative passwords. Don t transmit your wireless router s SSID. Establish a wireless intrusion prevention system. Only allow a device to connect by specifying its hardware media access control (MAC) address. Policy. Have a security and compliance management policy, complete with procedures and reporting measures in place to ensure employee compliance.

5 Securing Patient Data in Today s Mobilized Healthcare Industry BE-GOOD good.com 5 Good and HIPAA Compliance Separation of personal and protected health information Strong password protection at the application level Application level data encryption on the device and over-the-air Application level encryption addresses gaps in O.S. security (e.g. encryption on certain Android devices) Remote wipe of PHI Prevention of cut/copy/paste of PHI to non-secure apps Prevention of jailbroken or rooted devices from accessing corporate network Secure container provides protection against malware threats Secure access from mobile device to PHI on corporate intranet and other network resources through Good s secure browser and network operations center Development of Secure Mobile Applications Because healthcare organizations are increasingly pressed for greater mobile security, many progressive IT departments are taking matters into their own hands developing their own healthcare mobile apps to ensure compliance. Good Technology has expanded its solutions to provide a complete mobile enterprise application development platform. For years now, Good for Enterprise a mobile application powering secure , contacts, calendar, and intranet access has been the industry standard for mobile security in healthcare. Now, Good Dynamics, a secure mobile application development platform for ios, extends that standard to allow corporations, independent software vendors, systems integrators, and in-house mobile application developers to build and deploy secure, containerized mobile applications in a cost-effective manner across multiple device platforms. Unlike other mobile enterprise application platforms, Good Dynamics is a ready-to-use security architecture that developers can utilize immediately to add dynamic security enhancements to their apps without slowing development time. Among the features that are available: Secure Container. Good Technology goes far beyond device-level security and allows data to be encrypted at the application level. Plus, it keeps all corporate information completely separate from a user s personal data. App-level security policies. You can define and enforce application level policies, such as strong application authentication, so that users are required to enter strong passwords before they can launch the application. You can enable remote wipe of application data or the entire device after a failed number of incorrect passwords, disable sequential numbers in passwords, or require special characters. You can even prevent applications from running on jailbroken/rooted devices.

6 Securing Patient Data in Today s Mobilized Healthcare Industry BE-GOOD good.com 6 Strong encryption. Because Good solutions encrypt application data with strong AES 192-bit encryption whether data is stored on the device or in transit between a device and servers behind your firewall all information is secured throughout a complete end-to-end security system. Securing Network Access. Before transmitting data, Good allows applications to establish an outbound connection to the enterprise firewall, so there s no need to open inbound ports and expose the network. The NOC only services encrypted packets, so it authenticates devices and grants access solely to those provisioned to specific servers and services preventing rogue attacks. Securing the Platform. Strong controls that include full device wipe; app black-listing; prevention of app installation; detection of jail-broken phones; disablement of transfers and LAN access through Bluetooth; or prevention of access to the App Store, YouTube, and the Safari browser, if necessary. Speeding Deployment of Safer Apps for Healthcare Fortunately, mobile app developers can secure their applications without having to invest in and build out their own infrastructure for security. The Good Dynamics platform brings the tools, infrastructure, and APIs that ensure developers meet the highest standards of security in applications across all devices and operating systems. By utilizing proven security libraries such as encryption, app-level controls, and web-based monitoring tools, developers can use the Good Dynamics platform to dramatically speed the delivery of their application development projects to include industry-leading levels of protection and compliance. Good Dynamics offers a unique security approach for the healthcare industry. By providing protection beyond the device level, developers can rapidly incorporate technology that containerizes data within mobile applications wrapping a layer of protection around field-deployed apps to ensure patient privacy. Good works with third party application vendors as well, such as MEAP (mobile enterprise application platform) vendors. The combination of Good and these specialists powers companies to build apps that give clinicians access to patient records on the network from their mobile devices. Summary More than ever, clinicians are using mobile devices to practice medicine anywhere, anytime. Good Technology puts secure data at the fingertips of today s healthcare professionals without risk or compromise. With Good solutions, physicians, nurses and healthcare professionals can respond quickly in urgent situations, collaborate with peers, and securely access and update patient records. IT professionals can get started with a trial version of Good for Enterprise, and a free Good Dynamics SDK with additional resources by visiting Good.com or by calling BE-GOOD.