5 tips for securing your hospital's tablets
With fingerprint identification for users finally getting some traction in healthcare--Children's Clinics for Rehabilitative Services, Tuscon, Ariz., just announced it has added the capability to its in-hospital PCs, for example--hospital CIOs should see some tantalizing security possibilities for the flood of tablets inundating their hospitals.
Experts tell FierceMobileHealthcare that biometrics certainly are the gold standard in security for mobile devices in healthcare, removing the need for complicated logins and passwords that physicians often forget. But for now, the capability seems a bit far off for tablets.
That's a problem for CIOs trying desperately to secure the rising tide of tablets, which may be the fastest-growing segment of the mHealth market, but also the least secure. I recently talked with security expert Kerry Shackelford, managing director of security audit and compliance firm Coalfire Systems Inc., about how to harden such devices to ensure HIPAA compliance.
Some of Shackelford's suggestions include:
"Fingerprint" the tablets themselves. Device fingerprinting is a function that runs through a hospital network and identifies each specific device that logs on. According to the users' job or role, the fingerprinting system can put boundaries around what that user is allowed to access on the network, according to a report in InformationWeek.
"The technology can fingerprint a physician-owned device, a hospital-owned device, a patient-owned device or even wireless medical equipment, and segment them on your network," Clay Bozard, security firm Advance2000 Inc.'s medical division president, told Jennifer Dennard, a blogger with health IT research company Porter Research. "The physician devices may only have access to virtual desktops that are managed by the hospital. This design would address both the network security concern and the device management concern."
Resist allowing resident data on tablets. Web-access is simply far less risky than downloading apps and/or data to the devices, Shackelford says. "If it's coming through the browser on that device...if patient data is only in there while you're browsing, there's much less risk," he says.
Just be sure you've turned off web cacheing on your hospital-owned devices, or that you require clinicians to turn it off on their personal devices, he recommends. You don't want the tablets capturing or storing cached images of what the browser displays as the clinician is using the device.
If you do allow data downloads to your tablets, login and password procedures can help, but it's crucial to do a whole-disk encryption, Shackelford says.
"[Tablets are] just so much more likely to be lost than a PC or even a laptop," Shackelford adds. "Forty percent or more of [recent security] breaches were lost laptops. The risk is high, so trying to justify not encrypting the data shouldn't pass a risk assessment," he says.
The good news: Under HIPAA, if the entire device is encrypted, even if the device is lost, it's not considered a breach, he adds.
Set up a standard configuration and prohibit certain functions. Malware and hackers both often use the software associated with games, cameras, voice-activated dialing, and other non-job-related functions to get onto a mobile device, Shackelford explains. The best solution is to turn those functions off, or remove them from the device.
"If it's irrelevant to the [physician's job], then just get rid of it. If someone were trying to find a way to get in, they could hack the voice dialing software and replace it with a program of their own that does something completely different," he warns.
It may not be popular with physicians who want to use their own devices--and keep those functions for personal use--but from a security standpoint it's a must. CIOs should feel well within their rights to require a standard level of security for any device that connects to the hospital network, he says.
Set requirements for anti-virus software. On hospital-owned devices, this is relatively simple, with the CIO controlling enterprise-wide updates or upgrades to anti-virus software. If clinicians' are using personal devices, Shackelford recommends that CIOs 1) require users to install a standard anti-virus program and keep it updated, and 2) perform regular audits of the tablets' anti-virus status. There are a number of products that allow IT managers to determine which devices used on your network haven't been updated.
"We do audits and look at whether anti-virus is installed on all devices. They can show what date the last upgrade was done, and when the last scan was done," he says.
Check the "remote wipe" capability. There is a Department of Defense standard for secure wiping, to ensure the data is completely removed from the device. It's likely your vendor meets the standard, but it's a question worth asking, to ensure the data isn't still hanging around after it's wiped.
Also check that the wiping function can provide a confirmation when the data is successfully removed, recommend experts with security firm Sensei, in an intriguing white paper earlier this year. - Sara