Health care practitioners are walking around with a gold mine of data on their smartphones and tablets. Mobile devices, whether physically cracked or malware hacked, sit as the greatest inside accomplice since Bonnie helped Clyde.
Cybercriminals are targeting the health care industry at an increasingly alarming rate. Even with increased mobile security, the number of attacks targeting personal health information (PHI) has increased 125 percent since 2010, according to a recent Ponemon Institute study.
What else makes health care information so valuable for cybercriminals? Basically, electronic health records yield the most intimate personal information on individuals, which criminals then flip for their own gain. For example:
- 59 percent of the stolen information is used to acquire treatment and services.
- 56 percent is used to obtain pharmaceuticals or medical equipment.
- 52 percent is used to fraudulently receive benefits like Medicare and Medicaid.
When an individual’s health care data is combined with other personally identifiable information (PII), they can be packaged into full identity kits, which are sold for around $1,000 on the Dark Web.
For health care organizations, these breaches aren’t just significant hits to consumer trust; there are serious financial ramifications to the tune of $363 per stolen record on average. It’s a steep fine that makes the penalties in other industries seem like a light slap on the wrist. Individually, each infraction is far from crippling to an organization, but data is very rarely exfiltrated just one record at a time.
Mobile Raises the Odds of Health Care Data Breaches
Mobile devices have made a significant, beneficial impact on the health care industry. They have provided doctors, nurse practitioners and other health care employees with important information at their fingertips. In an industry where accessing the correct and actionable information quickly can be a matter of life and death, the instant access to data is an undeniable advantage.
While tablets and smartphones are a definitive boon to saving lives, the consumerization of IT with bring-your-own-device (BYOD) at the forefront left IT and security teams scrambling to ensure every data transmission was safe and compliant with HIPAA and other regulations.
While hacking and malware present clear and present dangers, mobile is also open to losing PHI through general misuse, devices being left behind or someone in an admin function sharing patient data on public-facing apps. Infinite ease of access to information for the right people also opens infinite possibilities for the wrong people to see this protected information.
Thankfully, this mobile threat escalation and the need for mobile security hasn’t gone completely unnoticed. About 81 percent of health care executives in KPMG’s “2015 Healthcare Cybersecurity Survey” revealed that their organizations have been compromised by a cyberattack in the past two years, with 13 percent claiming they’re targeted by external hacks once a day and 12 percent professing two or more attacks a week.
NIST and NCCoE Give Prescription for Health Care Mobile Security
Even though the awareness of cybersecurity is strong, only 53 percent of health care providers are prepared to defend against attacks, according to the KPMG study.
Recognizing the aforementioned conundrum and a growing need to ensure the tightest security without restricting productivity in the enterprise, the National Institute of Standards and Technology (NIST) and National Cybersecurity Center of Excellence (NCCoE) released a cybersecurity guide specifically aimed at providing guidance for securely mobilizing electronic health records.
One of the clear messages within the suggested framework is an enterprise mobility management (EMM) centrifuge to manage and secure the many variations of mobile devices, document types and applications — without restricting productivity.
IBM MaaS360 has been an ambulatory EMM for mobile health in health care since the first iPad started putting cumbersome PCs out to pasture. Security and productivity are delivered through the following key security and productivity characteristics:
- Access control: The selective restriction of access to an individual or device.
- Audit controls and monitoring: Controls recording information about events occurring within systems.
- Device integrity: Maintaining and ensuring the accuracy and consistency of a device.
- Person or entity authorization: The function of specifying access rights to people or entities.
- Transmission security: The process of securing data transmissions from being infiltrated, exploited or intercepted by an individual, application or device.
Mobility, security and productivity aren’t separate conversations. To see how IBM MaaS360 can help your organization deliver reliable and secure mobile data to patients, employees and all affiliates that help save lives, start your free 30-day trial.