Reducing Risks with Mobile Devices in Healthcare

From malware to information theft to interruption of services, there is a range of serious threats facing the ever-increasing wireless communication in the healthcare environment. While there are serious risks associated with mobile devices (smartphones, tablets, Medical Devices (MDs), and more) in healthcare, there are also incredible benefits. It’s not really an option to lock down wireless in the healthcare environment. Mobility can play an active role in improving patient treatment, reducing costs (and needless repetitive paperwork), and increasing service efficiency, so the real challenge is how to mitigate the risks associated with mobile devices.

The Department of Homeland Security offers some helpful pointers for facilities taking steps to reduce the risks of mobile communication devices. Some of these suggestions are simply good IT habits that should play a consistent role in infrastructure planning and development. Although these measures are a common-sense approach to assuring a secure environment, many organizations continue to neglect these essentials.

1. Policy and procedures – There’s no substitute for governance based on established policies and procedures. Facilities must take the time to develop an overall strategy that includes consideration for all the known devices and potential devices. The DHS emphasizes the importance of considering how MDs connect to the network (or if they connect to a segmented network) as well as how information is accessed and protected. Policies should take into consideration the following:

  • All devices must be recognized, and no device should have unsecured access to networked resources. Devices should include but are not limited to MDs, laptops, tablets, USB devices, PDAs, and smartphones.
  • Network configurations should regularly be maintained, reviewed and audited.
  • Policies should make provision for tiered access to network resources based on device and account.
  • Password policies must be developed and enforced.
  • Policies must address regular maintenance that includes legal patches and software updates.

2. Infrastructure maintenance – Facilities should maintain external-facing firewalls, network monitoring techniques, intrusion detection techniques, and internal network segmentation (for containing the medical devices).

3. Access control lists (ACLs) should be configured on network segments so that only positively authorized accounts have access.

4. Communications channels must be secured using encryption and authentication at channel end-points.

5. Vendors should agree to provide ongoing firmware, patch, and antivirus updates.

6. Medical devices (MDs) must include thorough documentation and fine-grained security features that Medical IT network engineers can configure safely on the networks.