Mobile Health Platform Vulnerabilities? Still?
After everything, after all of those attacks and all the news outlets reporting on data breaches, after all the doodads about the need to strengthen organizational security and train users to be more educated and aware of attack vectors on computers and whatnot, the ball was still dropped when it came to mobile healthcare platforms, be it an app or just the portal that is connected to the cloud-based EHR. There is no denying that electronic prescribing is a real advance over illegible handwritten prescriptions. EHRs that are easy, even fun, to use can be designed. Doctors are not averse to technology. Their noses are buried in their iPhones as much as anyone’s. I don’t even think it would be very hard to design a “fun” EHR. Unfortunately, there are powerful forces that would resist such a design.
In the above article, Gary Sheehan, the CSO of Technology and Security Services provider ASMGi, explained that most healthcare organizations tried to keep data safe by instituting restrictive use policies. However, now that healthcare is finally taking the plunge in updating its technological prowess, there has been a shift from old-age and legacy technologies straight into more cloud-based computing, and with it come mobile healthcare opportunities and Bring-Your-Own-Device policies. All throughout IT, BYOD policies are recognized as difficult monsters to implement and even more difficult to enforce, because sometimes the users and employees don’t want to go through the bureaucratic oversight and hassle for their own smart devices. However, that is one of the biggest factors in healthcare data breaches: accidental loss of items that ended up being vulnerable. In most places, BYOD policies require a strong password and encryption at the very least; however, people try to get out of doing those because of the extra second lost from their life typing in a password. Hospitals and healthcare providers are now embracing innovation, and as a result there needs to be an emphasis on secured and encrypted environments on cloud and mobile platforms.
To all organizations that develop mobile platforms and applications:
Now, the blame doesn’t just fall on user and employee ignorance and negligence; the problem can fall on the organizations just as much. It’s important that the coding is secure, that the proper protocols are used, and that some consideration is actually given not only to the UI and UX, but also to the overall implementation and security of an application or portal. The more care put into securing a healthcare environment, the more compliant it will become as well, surprisingly! Especially with smaller mobile devices, the key isn’t to fit as much information onto the screen as possible. Instead, forgo maximizing screen real estate and build a system that allows healthcare clinicians and providers to continue doing exactly what THEY need to do; to do that, put the tools in place for them to do it right without a hassle. Seems simple enough, right? I want to bring back a concept that I mentioned far back in the day, about the balance between security and availability. You can throw as many layers and rules of security onto mobile devices as you like, secure cloud services, require multiple forms of authentication, use some obscure new protocol that lacks any efficiency and optimization, and end up with the most secure platform in the world. But there is a reason why something like that doesn’t really exist in most commercial cases: there would not be any form of accessible availability to it without an endless amount of hassle, mumbling, and grunting. The real difficulty is how to make sure mobile platforms are secure, both on the device and within the cloud, but also easy to use. Availability and ease of use are critical; if it’s not simple or convenient, people simply will not use it, or they will look for an easier and faster path… often at the expense of security and privacy. Because of the severity and gravity of mobile health security, there was even a NIST (National Institute of Standards and Technology) use case that was developed on mobile devices in healthcare.
For the most part, hacks and other acts of thievery get the attention, but in the end the largest avoidable healthcare data breach is carelessness. Sure, criminal attacks are the largest portion, and in fact, according to the latest Ponemon report, 89% of all healthcare organizations have been breached, half to criminal attacks and half to human error. Vice President of Consumer Protection at Experian, Michael Bruemmer, states that 80% of their incidents in data breaches were due to employee negligence, such as compromised credentials, lost media, changed firewall options, and lost devices, and of them all, the biggest cause was loss of mobile devices. Experian’s 2015 Second Annual Data Breach Industry Forecast also reported that “employees and negligence are the leading cause of security incidents but remain the least reported issue.” Unfortunate as it sounds, the day the medical industry decided to go digital was also the day we lost all forms of secure privacy. There need to be mandated security and encryption standards and interoperability between systems, and most importantly, these need to actually lead to a more conducive workflow and ease of use in providing quality care.
Most of it is mobile devices and hardware that were lost or stolen and never encrypted, or devices with no password protection, with protected health information (PHI) emailed or opened up on the internet or opened from a PDF. It’s a shame that in healthcare organizations, security programs are basically beaten down into a single staff person who develops a poorly funded, poorly implemented, immature model. Now, criminal attacks I can let slide since it was the entire organization’s negligence, but avoidable events like personal mobile devices are just shameful… sigh… *smh*. Especially as applications and portals are being developed to allow for patient-physician messaging, there needs to be a push to emphasize security and encryption, but there also have to be compromises to ensure that the necessary data can be available as well.
In fact, while I was working as a Cerner scribe, I had the opportunity to be on the transition team using mobile devices, such as iPads, to carry with us to help work on the patient note on the go. Although the EHR itself was secure, requiring a login after a predetermined amount of time as well as transmitting information through relatively safe protocols (HTTPS), the supplementary applications were piss-poorly designed. Although I didn’t have to use the applications themselves, the providers would have the opportunity to use an application to help with a calculation or with a specific task that would then connect with Cerner’s database system to compile the information. The problem was that I found that these portals and applications were running through HTTP, and when exiting the app the user and patient information was not cleared, among a variety of other problems. I wish I had been able to take the iPad home and run a Wireshark trace on it within my own network so I could have checked if information was encrypted and what protocols it was traveling through. I wish I could have taken more time to check if authentication, confidentiality, and integrity were maintained throughout the data exchange.
I gotta cut them some slack though: just in the United States, there are more than 45 different sets of inconsistent data breach regulations and frameworks. There is no “standardized” privacy and security regulation, and it’s even more difficult when some of them are conflicting. Given these inconsistencies, it’s important that everything done is clearly documented. Document everything. Plus, education, training and awareness programs for all staff are also important. Another thing to consider is the principle of least privilege: limit the amount of information that can be accessed, so that the result is a “minimum necessary” policy. In most healthcare organizations, leading executives have said that their incident response process has inadequate funding and resources, and one-third of those that responded don’t have an incident response process in place. Maybe it’s because of the lack of documentation that these organizations have disorganized, or even no, organization when it comes to security. Healthcare has to understand that technology advancements will not wait and slow down just for it; proactivity and securing its resources are needed to ensure the confidentiality, integrity, and availability of protected health information, regardless of whether it’s on a desktop or a mobile platform.
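The kind of check described above (is the data encrypted, and over which protocol does it travel) can be run over requests exported from a proxy or packet capture of a test device on your own network. This is an added example, not part of the original post; the hosts, headers and PHI field names are constructed assumptions.

```python
from urllib.parse import urlsplit, parse_qsl

# Constructed sample: requests as they might be exported from a proxy or
# packet capture of a test device. Hosts and field names are hypothetical.
SAMPLE_FLOWS = [
    {"url": "https://ehr.example.test/api/notes",
     "headers": {"Authorization": "Bearer x"}, "body": "note=stable"},
    {"url": "http://calc.example.test/dose?mrn=000123&weight=70",
     "headers": {"Cookie": "session=abc"}, "body": ""},
    {"url": "http://cdn.example.test/logo.png", "headers": {}, "body": ""},
]

CREDENTIAL_HEADERS = {"authorization", "cookie"}
PHI_FIELDS = {"mrn", "patient_id", "dob", "ssn", "name"}  # assumed names


def audit_flow(flow):
    """Return a sorted list of findings for one captured request."""
    parts = urlsplit(flow["url"])
    # An https scheme only shows the transport was TLS; it does not prove
    # the app validated the server certificate.
    if parts.scheme.lower() == "https":
        return []
    findings = {"cleartext-transport"}
    # Session cookies or tokens sent over HTTP can be read on the wire.
    if CREDENTIAL_HEADERS & {h.lower() for h in flow["headers"]}:
        findings.add("credential-in-cleartext")
    # Look for patient identifiers in the query string and form body.
    fields = {k.lower() for k, _ in parse_qsl(parts.query)}
    fields |= {k.lower() for k, _ in parse_qsl(flow.get("body", ""))}
    if PHI_FIELDS & fields:
        findings.add("phi-in-cleartext")
    return sorted(findings)


def audit(flows):
    """Map each offending URL to its findings; clean flows are omitted."""
    report = {}
    for flow in flows:
        findings = audit_flow(flow)
        if findings:
            report[flow["url"]] = findings
    return report


if __name__ == "__main__":
    for url, findings in audit(SAMPLE_FLOWS).items():
        print(url, findings)
```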