It’s So Easy to Infiltrate
If endpoint security – especially for smartphones – wasn’t a top-of-mind issue for healthcare IT leaders before, it certainly is now. I’ve spoken with numerous customers who struggle with it and are asking for guidance.
At HIMSS this year I attended the CHIME CIO Forum which included a presentation by Kevin Mitnick, a former black hat hacker. He went to prison for cybersecurity crimes several years ago and now runs a cybersecurity consulting firm that boasts a 100% success rate in penetrating his clients’ networks. The main way he is able to infiltrate his clients’ networks is through what is called “social engineering.” The audience was amazed at how easily he was able to get people to give up information that allowed him to penetrate electronic security layers and access any information he wanted.
Healthcare Is Low-Hanging Fruit for Hackers
Healthcare tends to lag some other industries (such as financial services and manufacturing) in terms of regulatory requirements affecting technology, IT security investment, sophistication of policies, and use of available tools for enforcing policies. At the same time, people’s health information can be worth thousands of times more than their financial information, according to one 2017 Forbes article.
The consequences of a major breach can represent an existential threat to a health care provider’s business. I witnessed this personally several years ago when my local health clinic was broken into and all of their PCs were stolen. Unfortunately, those PCs contained the private medical records of over 100,000 patients in the care network they were part of. After the media frenzy, the care network lost nearly half its customers and was purchased for pennies on the dollar less than six months later.
The Most Important Layer of Protection
Countless articles have been published representing a wide variety of perspectives on effective ways to manage smartphones in healthcare facilities. Their focus is almost exclusively on IT policies and tools to enforce those policies. While policies are important, more can be done.
I’ve attended some panel discussions on the subject of smartphones in healthcare that included experts in genomics, big data, provider and payer IT, and cybersecurity. I’ve come away with clarity on a few points:
- There is no panacea. No single tool or policy is going to secure your environment.
- It’s impossible to make your environment 100% secure. A really determined hacker is going to find a way in.
- The most important layer of protection is often the most overlooked – your people!
Questions to Ask Before Creating a BYOD Program
Before you start to think about solutions for securing your smartphone environment, you need to ask some important questions:
- Does everyone in your facility need to use a smartphone on your network?
- What types of smartphones will you allow?
- To what extent will smartphones be allowed to access certain parts of your data and infrastructure?
- How will you ensure infection control with BYOD smartphones?
- Will smartphones and their consumer-grade accessories tolerate your infection control protocols?
- How will you maintain data security?
- To what extent can you actually implement and enforce the policies you want to have?
- Will your BYOD program have sufficient flexibility to address up-and-coming trends in mobility?
Seven Tips for a Secure BYOD Program
I’ve compiled recommendations for a secure BYOD program, in priority order:
1. Communicate, communicate again, and when you think you’ve done enough, communicate more.
Make sure your workers understand your policies, procedures, and tools with respect to BYOD smartphones and security. Verbal and written communication are equally important.
2. Reduce risk by educating users.
Education and awareness are the best defenses around! To paraphrase Bridget Duffy M.D., Chief Medical Officer at Vocera, “There are no HIPAA-compliant devices or processes. There are only HIPAA-compliant people.” One of the best ways you can improve cybersecurity is to build awareness with your users about why behaviors they see as perfectly normal can pose a risk to the facility. It’s doubtful that your workers have malicious intentions, so if you educate them and make them aware of the risks to which they expose the facility through what they consider normal everyday behaviors, you have tackled a large part of the problem.
3. Make policies clear and impossible for workers to ignore.
Key elements to include in a BYOD policy:
- Administrators have the right to remotely wipe the device and destroy all data, at any time, for any reason.
- End users must report the loss or theft of a device as soon as possible so it can be wiped remotely.
- Administrators have the right to seize an employee’s device used on the organization’s network at any time and for any reason.
- The organization is protected from legal action by a user if it sees the user’s private information in the course of a security assessment or other investigation involving his or her device.
- The organization maintains liability insurance that covers smartphone misuse, abuse, and hacking.
Your workers might find the policy elements regarding device seizure and legal protection a little harsh, but stringent policy elements like these are the bedrock of a good endpoint security strategy. Post your organization’s BYOD policy anywhere and everywhere. Remind users of it periodically, and have managers reinforce it with their teams during staff meetings. Consider including the BYOD policy as an element of the HIPAA training to which workers must agree. Make sure every worker is acutely aware of your policies.
4. Require biometric authentication via fingerprint.
Every iPhone since the iPhone 5s launch in late 2013 allows users to unlock the phone with a fingerprint scan on the Home button, and the new iPhone X does it with facial recognition. The feature is now available on many Android phones as well.
Although fingerprint authorization might not prevent passive intrusion through a device into the organization’s network, it may help prevent unauthorized use of a device while it’s on the company network. It can also prevent someone in possession of a lost or stolen device from accessing your network during the interval before the device is reported missing and remotely wiped.
You can also set up your IT infrastructure to only allow smartphones with fingerprint identification onto the network. This would likely require a mobile device management (MDM) solution if you don’t already have a solution in place that can accommodate fingerprint identification. Give users advance warning of the new requirement so they can plan to upgrade from phones that lack fingerprint readers.
5. Standardize on secure applications.
No matter what policies you establish, your workers are going to use smartphones to call and text each other. Those communications are going to include protected health information (PHI).
In her 2017 CNO Report, The Visionary CNO – It’s More Than a Mobile Strategy, It’s a Change to Clinical Practice, Vocera CNO Rhonda Collins explains how the aim of mobile strategy is to standardize behavior; and to standardize behavior, a healthcare organization standardizes software.
When you standardize software, make it secure software. At Vocera, we’re proud to call the security of our solutions “defense-grade.” The security credentials we’ve earned from the U.S. Army, Department of Defense, and American Institute of Certified Public Accountants are unsurpassed.
The Vocera Collaboration Suite app integrates voice and secure texting, and provides secure and auditable delivery and response reporting for alerts and texts. We received a favorable SOC 2 Type II report for our secure texting application. All Vocera solutions are validated by a third party.
6. Allow single sign-on.
Enabling users to authenticate to individual applications simply by unlocking their smartphones will make their lives simpler and easier. Although some MDM solutions enable this capability, before you go this route take a look at whether you can allow single sign-on via the Active Directory you may already have.
7. Blacklist containers and personally-owned applications.
If you have an MDM solution or enterprise mobility management (EMM) solution, you may be able to prevent certain smartphone apps from using your network.
Similarly, putting your professional environment or selected applications in what’s called a “container” may secure them, but it places a noticeable performance burden on the smartphone and can require end users to swap between their personal and professional environments.
If you blacklist containers and personal applications, expect significant pushback from end users, especially physicians. Your end users will want to be able to mix their personal and professional lives on their smartphones.
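Tips 4 and 7 both come down to an admission rule that an MDM or EMM system evaluates before a personally owned phone reaches internal resources: is a biometric unlock enabled, is the device encrypted, has it been reported lost, and does it carry applications the organization has decided to keep off its network. As an added example, not code from this post or from Vocera, the following Python sketches that rule as policy-as-code; the device fields, the app identifiers, the minimum OS versions and the decision names are constructed placeholders, since real MDM products each use their own schema.

```python
"""Added example (not from the original post): a policy-as-code compliance gate
of the kind an MDM/EMM system applies before admitting a BYOD smartphone.
All device records, app identifiers and version floors are constructed."""
from dataclasses import dataclass, field

# Constructed placeholder bundle identifiers standing in for apps the
# organization has chosen to block (tip 7).
BLOCKED_APPS = {"com.example.consumer-messenger", "com.example.file-sync"}

# Placeholder OS floors; an organization would set these from vendor advisories.
MIN_OS_VERSION = {"ios": (11, 0), "android": (8, 0)}


@dataclass
class Device:
    device_id: str
    platform: str                 # "ios" or "android"
    os_version: tuple[int, int]
    biometric_unlock: bool        # fingerprint or face unlock enabled (tip 4)
    storage_encrypted: bool
    reported_lost: bool           # owner reported loss or theft; wipe pending
    installed_apps: set[str] = field(default_factory=set)


def evaluate(device: Device) -> tuple[str, list[str]]:
    """Return (decision, reasons) where decision is "admit", "quarantine" or "wipe".

    A device reported lost is wiped regardless of other checks (policy element:
    report loss so the device can be wiped). Any other failed check quarantines
    the device, keeping it off internal resources, and every failed check is
    recorded so the user receives one complete message rather than discovering
    failures one at a time.
    """
    if device.reported_lost:
        return "wipe", ["device reported lost or stolen; remote wipe issued"]

    reasons: list[str] = []
    if not device.biometric_unlock:
        reasons.append("biometric unlock not enabled")
    if not device.storage_encrypted:
        reasons.append("device storage not encrypted")
    minimum = MIN_OS_VERSION.get(device.platform)
    if minimum is None:
        reasons.append(f"unsupported platform {device.platform!r}")
    elif device.os_version < minimum:
        version = ".".join(map(str, device.os_version))
        reasons.append(f"OS {version} below required minimum")
    blocked = sorted(device.installed_apps & BLOCKED_APPS)
    if blocked:
        reasons.append("blocked applications installed: " + ", ".join(blocked))

    return ("admit" if not reasons else "quarantine"), reasons


def evaluate_fleet(devices: list[Device]) -> dict[str, str]:
    """Map device_id to decision, the shape a NAC or Wi-Fi policy feed would consume."""
    return {d.device_id: evaluate(d)[0] for d in devices}


# Constructed sample fleet covering each outcome.
SAMPLE_FLEET = [
    Device("nurse-01", "ios", (12, 1), True, True, False, {"com.example.ehr-client"}),
    Device("md-07", "android", (9, 0), True, True, False, {"com.example.consumer-messenger"}),
    Device("admin-03", "ios", (11, 4), False, True, False, set()),
    Device("tech-12", "android", (8, 1), True, True, True, set()),
]

if __name__ == "__main__":
    for d in SAMPLE_FLEET:
        decision, why = evaluate(d)
        detail = f" ({'; '.join(why)})" if why else ""
        print(f"{d.device_id}: {decision}{detail}")
```

The value of writing the rule this way is that every policy element in tip 3 that the organization intends to enforce (remote wipe after a loss report, the fingerprint requirement, the blocked-app list) appears as one explicit check with a human-readable reason, which is also the text you can hand back to the user in the warning period the post recommends before the requirement goes live.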
Kevin Mitnick was clear with the CHIME audience about what your goal should be when it comes to end-user and endpoint security. The goal is not to be 100% secure because it’s not achievable. The goal is to be sufficiently secure that hackers will go after less secure companies.
Mitnick’s guidance reminds me of the story of two people in the woods who encounter an angry bear. They both start running and one says to the other, “You think you can outrun a bear?” and the other says back, “I don’t need to outrun the bear, I just need to outrun you!”
In other words, don’t be the low-hanging fruit and you won’t get eaten.