The Challenge of Securing Health Data in a Mobile-First Society

Posted by Roxane Suau on February 16, 2018

Mobility keeps growing in the healthcare industry and professionals increasingly receive, store, manipulate and transmit patients clinical information using mobile devices.

Each smartphone, tablet, and application is an access-point to hospitals, laboratories, etc. systems information, weakening the safety of sensitive data it manipulates.

health-data-protection-mobile.png

 

“By 2022, some 97% of nurses and 98% of doctors in hospitals will be using mobile healthcare technologies to treat patients“The Future of Healthcare: 2022 Hospital Vision Study 

It goes without saying that this evolution is significantly improving the way care is delivered, but it also brings new challenges to IT Security teams. Successfully securing these new entry points is crucial to protect patients' data privacy.

 

Mobile devices, still a neglected threat 

Currently, 81% of healthcare organizations are storing patients data on mobile devices but conversely, only 46% of them have a security strategy to regulate their use (Source: CDW Healthcare). The big gap between these figures has been illustrated in the news with stories of cyber attacks popping more often than ever and it highlights the fact that mobile device security is too often neglected.

An unmanaged device is endangering the privacy of the critical medical data it manipulates, exposing them to plenty of threats coming from three vectors:

  • Applications: Malwares, leaky behaviors…
  • Network: Man-In-The-Middle attack, risky connection, malicious proxies, sessions hijacking…
  • Operating System: vulnerabilities exploitation, root / jailbreak…

However, managing and securing mobile devices, users and data is a time-consuming task, especially when medical institutions have to handle hundreds and sometimes thousands of devices (corporate and BYOD). The best option remains to automate it by deploying a EMM + MTD solution.

Enterprise Mobility Management solutions such as AirWatch VMwareMobileIron or IBM MaaS360 consolidate the management of smartphones, tablets and IoT devices along with their data and applications, while the Mobile Threat Defense technology protects them with a 360 approach.

 

Applications privacy, an underlying risk

Health professionals using mobile applications offer interoperability and care coordination to enhance communication and workflows. Most of the time, these apps are developed by third-party providers and their security and privacy is professionals’ biggest concern.

A mobile application can jeopardize patients’ data privacy by being vulnerable to the environment it evolves in. For example, when the app will perform on a device where a malware is hosted, will it detect it? Will it protect the sensitive information it stores?

To control threats coming from the device environment, providers can embed their apps with a runtime application self-protection SDK that will ensure they’ll defeat any on-device attack.

The second potential app related threat is coming from the inside. A recent research conducted by the Pradeo Lab showed that 61% of Android apps and 36% of iOS apps are performing data leakages. Moreover, leaky applications are sending data to an average of 17 distant servers, and 1 out of 5 establishes a connection to a suspicious network. Do you know where the third-party app your collaborators use sends the information it handles? How to make sure it doesn’t perform data leakage?

Application security is a step that is often skipped during the app development life cycle, resulting in a large amount of applications available on public stores being vulnerable to attacks and/or performing unwanted behaviors. However, dedicated solutions offer to add the security layer apps are lacking.

Application security testing allows to identify and qualify any app behaviors and vulnerabilities from its executable file. Many industries have adopted this kind of solution to control the safety of applications before their collaborators and clients use them.

 

Topics: blog