An expert offers strategies for securing mobile devices in healthcare settings, including restricting BYOD, personalized training for physicians and ransomware protection tools.
In today's healthcare settings, it's not unusual for physicians and other clinicians to carry and use their own mobile devices.
But the popular bring your own device (BYOD) ethos is not always the most prudent approach, because of the security risks that personally owned smartphones and tablets present, according to mobile health security expert Ellen Derrico.
Derrico, senior director, healthcare, for cybersecurity firm RES Software, says in this podcast that some healthcare organizations are eliminating or restricting BYOD because of growing threats to mobile security in healthcare from ransomware and other attacks.
"Mobile devices are extremely vulnerable to these attacks," Derrico says in the podcast.
If an organization opts to stick with BYOD, it should at the least update mobile apps and security software frequently, and consider restricting mobile access privileges to on-premises use only, to toughen mobile health security.
"There needs to be a stringent plan in place," she says. "BYOD is what keeps most CISOs up at night."
One way to win physician buy-in to mobile health security policies and procedures that clinicians often perceive as onerous is to devise personalized training and use gamification techniques to make it fun, Derrico says.
Derrico relates a story from University Medical Center (UMC) in Lubbock, Texas, where health IT managers trained physicians in mobile health security during night and weekend sessions.
UMC also set up a "phish market" challenge in the hospital in which physicians competed to see who could be caught less in mock phishing attacks on their devices.
"It's made it kind of fun for them," she says.
It's also about "protecting users from themselves," Derrico adds.
As for the technology aspect of mobile health security, Derrico offers several ideas. They include application whitelisting and blacklisting, so that only approved executable files can run and known malicious executable files are blocked, and "read only blanketing," which prevents malware from writing to protected files.
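The whitelist/blacklist distinction above comes down to two policy questions: how an executable is identified (here, by its SHA-256 hash rather than its file name, which malware can spoof) and what happens to a binary that is on neither list. The following is an added example written for this page, not code from RES Software or from the podcast; the list contents, file names and the `evaluate_exec_policy` function are constructed assumptions for illustration.

```python
import hashlib
import os
import tempfile
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    DENY_KNOWN_MALICIOUS = "deny: hash is on the blacklist"
    DENY_NOT_APPROVED = "deny: hash is not on the whitelist"


def sha256_of_file(path, chunk_size=65536):
    """Hash the file contents; identity by hash, not by name or path."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def evaluate_exec_policy(path, whitelist, blacklist, default_deny=True):
    """Decide whether an executable may run (hypothetical policy engine).

    The blacklist is consulted first, so a known-bad binary is blocked even if
    its hash was mistakenly approved. default_deny=True is whitelisting: anything
    not explicitly approved is refused. default_deny=False is blacklisting only:
    unknown binaries run, which is why whitelisting is the stronger control.
    """
    digest = sha256_of_file(path)
    if digest in blacklist:
        return Decision.DENY_KNOWN_MALICIOUS
    if digest in whitelist:
        return Decision.ALLOW
    return Decision.DENY_NOT_APPROVED if default_deny else Decision.ALLOW


def demo():
    """Run the policy over three constructed stand-in binaries."""
    with tempfile.TemporaryDirectory() as d:
        approved = os.path.join(d, "ehr_client.bin")   # constructed sample
        malware = os.path.join(d, "dropper.bin")       # constructed sample
        unknown = os.path.join(d, "new_tool.bin")      # constructed sample
        for p, content in ((approved, b"approved EHR client"),
                           (malware, b"ransomware dropper"),
                           (unknown, b"never seen before")):
            with open(p, "wb") as f:
                f.write(content)

        whitelist = {sha256_of_file(approved)}
        blacklist = {sha256_of_file(malware)}

        return {
            "approved": evaluate_exec_policy(approved, whitelist, blacklist),
            "malware": evaluate_exec_policy(malware, whitelist, blacklist),
            "unknown_whitelist_mode": evaluate_exec_policy(unknown, whitelist, blacklist),
            "unknown_blacklist_mode": evaluate_exec_policy(unknown, whitelist, blacklist, default_deny=False),
        }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision.value}")
```

The fourth result is the practical point: an unknown binary (say, a freshly compiled ransomware dropper whose hash no vendor has seen) passes a blacklist-only policy and is refused by a whitelist, which is why the podcast pairs blacklisting with whitelisting rather than relying on known-bad signatures alone.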