By Elizabeth Snell

August 20, 2015 - As more healthcare organizations implement and use connected devices, it is essential that they have comprehensive mobile security measures in place. No covered entity wants to experience a data breach, especially one that could have been prevented through proper mobile security policies.

From a mobility perspective, there are a number of different challenges, according to Institute for Critical Infrastructure Technology (ICIT) fellow Michael McNeil. Everything is extremely connected, he said in an interview with HealthITSecurity.com, and there are many traditional areas of focus that have been affected by that change.

“What used to be a stationary or contained type of a device or tool that would be used, now has mobility attached to it,” said McNeil, who is also the global product security and services officer for Philips Healthcare. “Because of the mobility and its interconnections, the integrity of that data and the accuracy of the information could be at risk.”

McNeil added that another tremendous focus point for healthcare organizations is ensuring that they are in alignment with the appropriate legal and regulatory efforts.

“When you look at the fact that there's clinical data, the transmission of that data, the flexibility of that data, and certain individuals could intercept or manipulate that information, that creates some of our biggest risk and/or complexities that hit the dynamics of the ecosystem,” he said.

Looking at the entire healthcare infrastructure

One common mistake that McNeil sees is that healthcare organizations do not always look beyond their own contained network. However, with increased interconnectivity through options such as health information exchanges (HIE), that oversight could have consequences.

“Because organizations typically look at infrastructure of a hospital or a particular setting, traditionally they have stated, ‘Because that is contained in somebody else's network and environment, our liability and vulnerability and chances of any activities is very low,’” McNeil said. “And because it's in someone else's contained network, they sort of push the potential direction of the potential risk off into other parts of the ecosystem.”

McNeil explained that the “ecosystem” includes everyone from medical device manufacturers to healthcare providers, and even regulators.

“The better that we can align with other types of industries, and other types of standards, making sure that we are deploying solutions within this space, then we also have the ability to make sure that from a mobile perspective it’s designed with the security of their products and solutions,” he said. “That needs to be key.”

The mistake comes when mobile devices, and even connected systems themselves, are not designed with the larger picture in mind, he said. Facilities will assume that a certain type of vulnerability is low-risk because the surrounding network or system is treated as the only control.

“That is more of a fallacy of the past that needs to be corrected in terms of the future,” McNeil stated.

Moreover, organizations need to conduct appropriate risk assessments and look at the different types of interconnectivity, because that raises a number of concerns as well, he added. They also need to align with the regulatory standards now emerging that specifically define requirements from a mobile perspective.

Prioritizing employee training and awareness

According to McNeil, it is essential to have internal awareness campaigns and programs that focus specifically on the care and feeding of mobile devices and on how individuals interact with them. For example, employees need to understand how information is actually captured on the device and how that interconnectivity works within the networks of hospitals or other organizations.

“I think also there's the physical attributes of how to report and maintain if something happens because of the device itself and its ease of accessibility,” he said. “Some of those types of threats or breach capabilities, by demonstrating it in some of the education or awareness pieces, I think that is a powerful and very much real-to-life type of example that can be exhibited.”

Having an external stakeholder component in the education and awareness effort is also important, McNeil said. Training needs to be thought of from both an internal and an external perspective. Employees need to understand their organization’s brand and reputation, but patients, regulators and others that have an impact on a certain solution or offering also need to understand how they tie into that security.

Learning from large health data breaches

When large health data breaches, such as those at Anthem or Premera, take place, it is essential for organizations to review the metrics and effectiveness of their overall privacy or product security program, according to McNeil.

“Are you doing annual tabletop or incident management case scenarios? I think every organization should be creating that type of ‘What happens if?’ threat environment and exercising it so they understand what they need to do in the event that something could happen or in the event that there's a breach.”

McNeil added that organizations should have clear key metrics in their security program and overall program, so they can understand whether the risks or incidents that occurred at other companies could also apply to them. Entities need to ask how such an event could affect them, and whether they are tracking the metrics needed to understand any potential risk they must overcome.

“Knowing the flow of that information and where it's contained, and having appropriate processes and policies around guarding and detecting it more frequently are critical areas of focus.”