This article can also be found in the Premium Editorial Download "Health IT: Strategies to secure personal mobile devices on health care networks."
Download it now to read this article plus other related content.
According to a new report by Manhattan Research, fully two-thirds of physicians in the U.S. will be using Apple iPads for professional purposes by 2013. A similar study in Europe showed that about 26% of physicians owned and used an iPad.
That brings to the forefront the issue of security of transmission and storage (even if temporary) of personal health information on these mobile devices. Privacy mandates like the Health Information Portability and Accountability Act (HIPAA) also heighten anxiety about storage and use of personal medical information.
Dive deeper into mobile device security
Experts, users share thoughts on mobile device security in health care
For health care, mobile device support means management, security
Best practices for mobile device security in health care
The ABCs of federal regulation for mobile devices in health care
Health care workers have been clamoring for some time to bring their own mobiles and tablet computers into work, expecting to access work-related applications on them. Consequently, health care IT has been setting up bring your own device (BYOD) policies considering the variety in device preferences of the workers. This way they can exercise some level of control over security and privacy of health care data.
Current trends in mobile security promise a number of different ways in which security and privacy of health data can be addressed effectively. Some of these are:
Desktop as a Service (DaaS) usage on mobiles: Recently Dell rolled out its Desktop as a Service (DaaS) offering. On mobiles and tablets, this allows desktop environments to run virtually and access applications in their native forms (like a Windows desktop or a Macintosh). This is as if a virtual desktop resides inside the mobile device. The biggest security win in this approach is that no additional security is needed. If the owner of the mobile device is no longer with the company, this access is disabled. All applications and data reside in internal servers and no data is present locally on the mobile. Companies can adopt BYOD policies easily since the applications are not on the mobile devices, which means a larger variety of devices can be supported.
Access control lists: Access control lists (ACLs), also known as role-based logins, control which users, using which mobiles can access an application. They can also have finer control over what data within that application they can access and what they can do with it (for example, read, read/write or read/write/delete). Fine-grained control using ACLs allows IT departments to tailor security policies to different types of users and enforce them diligently.
Encrypted data transmission: Virtualized desktop environments may already have 128-bit, built-in encryption of any communication, including data to and from mobiles and tablet computers. If native apps are developed for mobiles, they may need to do this when they communicate with servers.
Double encryption: When you use strong 128-bit encrypted transmission and storage of data on mobile devices, use of a Virtual Private Network (VPN) connection enables the encryption of already encrypted transmissions. This provides double encryption, a strong way of protecting data and transmissions.
Remote wipes and auto-locks: Native apps on mobiles invariably use local storage, even if only for temporary download of health care data. Mobile device storage may need to be remotely wiped clean when the device is switched off. When mobile devices are lost, misplaced or stolen, the same remote wipe capability may be needed. Most mobile devices support auto-locking the device remotely, if lost, misplaced, or stolen. When located again, they also require long pass codes to reactivate, providing one more layer of security. There are commercial mobile device management software packages that can register devices and do these remote wipes when warranted.
Mobile ID authentication mechanisms: Additional authentication mechanisms may need to be implemented with something like real mobile device identification (unique ID of a smartphone or a tablet) and a company-assigned machine ID that is assigned to say, a clinician. Only with both these IDs will the mobile device be allowed to access the network. This is an additional security precaution to authenticate physical mobile devices.
Fine-grained control using ACLs allows IT departments to tailor security policies to different types of users and enforce them diligently.
Isolated special subnets for mobiles: Mobile devices like smartphones and tablet computers may need isolated special subnets, meant only for them. By having a separate subnet, mobile device usage can be logged for audit and unauthorized access detected. Subnets can also ensure better bandwidth Quality of Service (QoS) for mobile devices. Desktops and laptops may hog a network's bandwidth if they share the same network with mobiles and tablet devices.
Signal range control: By making the wireless signal to the mobiles reachable only within the premises of the health care setting -- such as within a hospital or clinic -- or only at home through VPN, security and privacy can be enforced by restricting where applications are accessed from. This may not work very well if employees need to travel on business, but for health care applications that don't involve travel, this will work well.
Increasing use of mobile devices in health care settings brings with it many security problems. Depending upon how the applications are accessed, through a virtual desktop or as native apps, those problems will vary. However, trends in mobile device security promise many methods to address these issues. By matching the needs of a particular health care setting to these tools and techniques, security and privacy can be effectively ensured. A number of commercially available mobile management software solutions can help health care IT pros create and administer these policies.
Nari Kannan is currently the Chief Executive Officer of appsparq Inc., a Louisville, Kentucky-based mobile applications consulting company. Nari has over 20 years of experience in information technology. He can be reached at firstname.lastname@example.org. You can also contact @SearchHealthIT on Twitter.
This was first published in June 2012