And the hits just keep on coming! We've tackled the topic of mobile security before, but the strategies for securing mobile devices continue to evolve. So I tracked down the latest emerging security tips from IT sources like CIO Magazine and InformationWeek.
Possibly the most important security task on your plate right now, though, isn't hardware, or even software-related. It's education for your physicians and other users, to ensure they're implementing all of the security protocols you've created.
Yes, it's tough to get physicians to attend even mandatory in-services. But it's a critical need. A recent survey by Heathcare Info Security shows that 70 percent of hospitals have mobile security policies in place, but physicians often are the last to know about (or acknowledge) those protocols. Don't believe it? The same survey found that educating physicians and others about security procedures is the No. 2 priority among respondents (54 percent), just behind complying with federal security regulations.
As far as securing the mobile devices themselves, there are a few new ideas percolating in the IT security arena. Chief among those is getting a true count on the devices pinging your network. Don't assume that your existing registry is correct. Miami Children's Hospital recently found that it's count of 3,000 devices accessing its network was actually only half-right. The real number, discovered by a specialized mobile device identification software, was 5,600, according to an InformationWeek Healthcare commentary.
Another emerging mobile security strategy is creating software specifically designed for a bring-your-own-device (BYOD) environment. Healthcare Info Security's survey found that 59 percent of healthcare organizations allow workers to user personal devices on the job, with more jumping on that bandwagon daily. New programs are coming on the market specifically to manage multi-platform, non-standard devices.
With regard to mobile devices used for heftier, riskier tasks like e-prescribing or inputting information into a patient's record, you may want to create a standard device model for those users. That means creating a central image for the machine, issuing security certificates and installing all the clinical and security apps yourself. Consider some stronger security measures for these devices, like blacklist enforcement, anti-SMS phishing and integrity checks, according to SearchHealthIT.com contributor Lisa Phifer.
There is an interesting new middle ground emerging in the company-owned vs. BYOD battle, as well--the "company-approved" device. It can be personally owned, but still managed by your organization.
"Employee buys a device that has been approved by the organization. The employee gives up administrative control and the organization manages security of the device," Jon Heimerl, strategic security director for Solutionary told CIO blogger Curt Finch.
Another option is to create different networks for use by different devices. St. Joseph's Health System, with hospitals in California and Texas, has a "guest network" for patients, families and visitors (clinical and otherwise). They can access basic information, the Internet, and health system websites, but no clinical data.
But even that access isn't hassle-free. "We do require all personal device users accessing the guest network to accept our terms and conditions of use which includes a release of liability," Bill Lazarus, the health system's technology VP, told InformationWeek Healthcare.
Finally, be careful in the melee to lock down smartphones and tablets that you don't forget about a key mobile technology that needs attention: Remote patient monitoring devices. Recent hacks from individuals, and even a research group at the University of Massachusetts, have shown the devices to be vulnerable to information being stolen, inadvertently sent to the wrong physician, and other problems. User authentication, breach notification and other controls should be installed on these devices just as they are on phones and tablets. - Sara
Editor's Note: Join me Tuesday, Dec. 6 at 8 a.m., at the mHealth Summit in Washington, D.C., as I moderate the FierceMobileHealthcare Executive Breakfast: Powering the Care Models of Tomorrow -- mHealth's Pivotal Role in Care Coordination & Accountable Care. Our speakers include Aman Bhandari of the Department of Health & Human Services; Steven Dean of Inova Health System; the West Wireless Health Institute's Mohit Kaushal, MD; Wendy J. Nilsen, PhD, with the National Institutes of Health; and Wil Yu, from the Office of the National Coordinator for Health IT. We'll be discussing mobile connectivity and how it's revolutionizing coordination of care (and quite possibly the evolution of ACOs). See you there!