When Care New England, one of Rhode Island's largest healthcare systems, installed a patient-rounds app on the smartphones physicians use to link to ambulatory clinic EHRs, it was only after a month of rigorous in-house testing of the app's security.
Concern about the lack of security in healthcare apps -- which are multiplying as rapidly as the mobile devices that host them -- is only one of the problems vexing healthcare CISOs and CIOs as they confront the mass movement toward mobility.
Chris Logan, CISO of Care New England, said he worries constantly about potential breaches of the healthcare system's network, connected medical devices and mobile platforms, though he hasn't seen a loss or theft of protected health information (PHI) from a smartphone or tablet.
"But I guarantee you it's going to happen," Logan said. "It's not a matter of if it's going to happen, but when."
In addition to app security testing, Care New England has set up an internal "app store," from which about a dozen security-vetted apps are available to doctors, clinicians and other staff.
Report critiques mobile security
As it happens, Care New England's preventive measures are key recommendations in a February 2015 report on The State of Mobile Application Insecurity by the Ponemon Institute, an independent privacy think tank. The study was sponsored by IBM, which sells an array of data security systems into healthcare and other industries.
The report, based on a survey of 640 people, many of them working in healthcare, came up with these main findings:
- The "rush to release" results in mobile apps that can contain vulnerabilities.
- Mobile apps are rarely tested in production, and if they are tested, it is only in development or post-development.
- The number of malware-infected mobile apps and devices is increasing, and few organizations are able to prevent their use.
- Not enough money is spent on security as part of mobile app development.
- There is a widespread lack of security professionals in enterprises.
- Most employees are heavy users of apps, but their organizations have no policies governing that use.
The Ponemon report and other recent studies have looked at issues facing mobile security in healthcare and have noted the historic evolution from desktop computers to laptops and now to a massive influx of handheld mobile devices, in the work world and among consumers.
"It's kind of like a runaway freight train," said Larry Ponemon, founder and CEO of the institute. "And the attitude in the healthcare industry is sort of go with the flow and pray your security is adequate."
By comparison, as cyberattacks on corporations and healthcare systems have mushroomed over the last year or two, organizations have quickly ramped up security efforts to combat that problem, adopting such strategies as virtualization, encryption and multi-factor authentication.
Mac McMillan, co-founder and CEO of Austin-based consulting firm CynergisTek, said mobile security in healthcare is still in its infancy. At the same time, he said, the soaring popularity of wearable health technology devices for consumers, such as fitness trackers, as well as more sophisticated medical wearables, compounds the security challenge.
"It's still very much chaotic," McMillan said. "But the momentum behind it is tremendous."
McMillan advocates mobile device management (MDM) strategies for providers, coupled with rigorous employee training and technologies such as "containerization," in which the provider organization's apps and network access are confined to an encrypted container on the device, separate from the user's personal apps.
Journal article questions privacy of app data
Three eminent physician-researchers -- Stephen Steinhubl, M.D., Evan Muse, M.D., and Eric Topol, M.D., author of the influential book about patient-directed healthcare, The Patient Will See You Now -- have issued a similar stern warning about the security, privacy and safety risks accompanying the sudden explosion of mobile technology in healthcare.
In an April 15 article in Science Translational Medicine, a publication of the American Association for the Advancement of Science, Steinhubl, Muse and Topol note that the Federal Trade Commission recently tested 12 mobile fitness apps and found that the apps sent consumer data to 76 different third-party companies.
The data included phones' unique device identifiers and personal information about owners' running routes and eating and sleeping patterns. Perhaps more worrisome, the authors reported, a 2014 analysis by the Privacy Rights Clearinghouse found that nearly half of the 43 apps in the study collected high-risk financial information and personal health and identifying information. More than half of the apps shared the data with third-party analytical services.
Technology limits user interaction with corporate data
In the absence of broader government oversight of how apps handle data -- and to control the bring your own device (BYOD) culture that pervades healthcare and is likely to persist indefinitely -- many providers turn to tech giants such as IBM and Dell to provide mobile security. Both companies have moved into the security business in recent years by acquiring smaller security companies.
Smaller independent security vendors such as Bottomline Technologies are also seeing brisk business. Bottomline recently signed a multi-year deal with Cedars-Sinai Medical Center in Los Angeles to run the Portsmouth, N.H., company's Healthcare Data Security and Privacy system to track users' behavior on the hospital network using analytics, forensics and real-time monitoring.
Fiberlink Communications, an IBM subsidiary, has had success with its cloud-based MaaS360 line, an MDM containerization system for small and medium-sized enterprises.
For a subscription fee, customers, including healthcare providers, get an encrypted container app, protected by its own PIN, installed on their employees' tablets and smartphones. Updates are delivered automatically by way of the cloud.
Employees can still use their own apps, but they are walled off securely from the container, said Chuck Brown, director of product management for Fiberlink. In the opposite strategy, organizations handle their own mobile security by giving users secured, corporate-owned devices on which employees can only use approved apps.
"The data is protected inside the container. This plays well into a BYOD situation," Brown said. "Some people don't like 'Big Brother' looking over their shoulder."
One Dell user, Green Clinic, a 50-physician practice in northern Louisiana, uses Dell SecureWorks' cloud-based systems to secure its doctors' iPhones and iPads.
Meanwhile, the clinic's mobile devices are kept separate from the practice's EHR from Greenway Health LLC, so PHI is never stored on them. Instead, the doctors work through Dell SecureWorks' PocketCloud, which presents a scaled-down view of the EHR on the mobile device and wipes it when they log off.
"We're pretty strict about not leaving PHI on our devices," said Jason Thomas, Green Clinic's CIO and security director.