Popularity of mobile devices brings risk
The growth of personal mobile devices in healthcare demands new security policies and technologies.
By Roman Yudkin
Physicians and other healthcare workers are increasingly bringing their personal smartphones and tablets into hospital, clinical and office settings to access electronic medical records (EMRs) and other highly sensitive information. A recent survey revealed that almost one-third of physicians use their personal smartphones and tablets to access EMRs. By the end of this year, nearly half of all physicians are expected to use their mobile devices to access medical applications daily.
The popularity of “bring your own device” (BYOD) presents unique security challenges for healthcare IT organizations. Mobile access dramatically increases exposure to security risks, data breaches and privacy violations if the devices and applications are not adequately secured. New technologies and security policies designed to address the unique challenges associated with mobile access are needed – particularly in the areas of authentication and access control – to protect patient data, maintain compliance with HIPAA regulations and ensure secure computer networks and systems in healthcare organizations.
As patient records have been digitized, health data breaches have surged, increasing 32 percent last year. In almost half the cases, a lost or stolen phone or computer was responsible. Nearly half of all smartphone or tablet owners do not use a password or PIN to lock their devices, and as many as two-thirds admit to leaving mobile apps perpetually logged in because typing a username and password is too burdensome.
The use of static passwords for authentication to healthcare systems and medical applications is not secure and is too cumbersome on smartphones and tablets, often requiring switching between multiple tiny, on-screen keyboards. To ease the process, clinicians choose weak passwords, write down their passwords or simply leave the device or its applications unlocked. Proper authentication and access control are especially onerous when physicians are busily moving around within hospitals or among different medical facilities.
Fortunately, smartphones and tablets have unique characteristics that make it possible to use advanced authentication techniques that were not viable in the past.
Sensors built into tablets and smartphones are making biometrics an increasingly viable option for authentication. Built-in microphones and cameras can be used for voice and facial recognition, and fingerprint readers can authenticate physicians with a single finger. Touchscreens enable the use of image-based and pattern-based authentication schemes that can generate one-time passwords simply by having the physician tap a specific combination of pictures or draw a pattern. Such graphical authentication techniques are faster to execute than typing alphanumeric passwords and are more secure because they generate one-time passwords.
32 April 2012
The unique device identifier code (UDID) on smartphones and tablets should be used in digital fingerprinting of the devices. Virtualization should be applied to personal mobile devices, separating personal data and applications from professional ones and allowing IT administrators to wipe sensitive data from the device in the event of loss or theft.
Most importantly, healthcare organizations should use layers of authentication coupled with access control policies. Layering allows different methods of authentication to be triggered depending on the user's role or the risk level of the situation. Coupled with access control policies, it lets the healthcare organization control who is able to access what information, from which devices, and what they can do with it. For example, an employee in a certain role may be able to view data from their personal mobile device but not download it. Layered authentication and access control policies can also help create audit trails for regulatory compliance.
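The layered model described above, as an added example that is not from the original article: a small policy decision function that selects authentication factors by risk level, enforces per-role and per-device actions (view but not download from a personal device), and writes an audit record for every decision. The roles, device classes, factor names and risk scoring are assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed policy: roles, device classes and factor names are hypothetical.
ALLOWED_ACTIONS = {
    ("physician", "managed"):  {"view", "download"},
    ("physician", "personal"): {"view"},          # view-only on BYOD
    ("billing",   "managed"):  {"view"},
}
# Authentication layers required at each risk level.
FACTORS_BY_RISK = {
    "low":    ["device_fingerprint"],
    "medium": ["device_fingerprint", "graphical_otp"],
    "high":   ["device_fingerprint", "graphical_otp", "biometric"],
}

@dataclass(frozen=True)
class Request:
    user: str
    role: str
    device: str          # "managed" or "personal"
    known_device: bool   # device fingerprint previously enrolled for this user
    on_site: bool        # request comes from inside the facility network
    action: str          # "view" or "download"

def risk_level(req):
    """Assumed scoring: unknown device weighs most, then off-site and BYOD."""
    score = 2 * int(not req.known_device) + int(not req.on_site) \
        + int(req.device == "personal")
    return "high" if score >= 3 else "medium" if score >= 1 else "low"

def decide(req, presented_factors, audit_log):
    """Return 'allow', 'step_up' or 'deny' and append an audit record."""
    risk = risk_level(req)
    missing = [f for f in FACTORS_BY_RISK[risk] if f not in presented_factors]
    if req.action not in ALLOWED_ACTIONS.get((req.role, req.device), set()):
        outcome = "deny"       # default deny: no rule for role/device/action
    elif missing:
        outcome = "step_up"    # ask for the additional authentication layers
    else:
        outcome = "allow"
    audit_log.append({"user": req.user, "role": req.role, "device": req.device,
                      "action": req.action, "risk": risk,
                      "missing_factors": missing, "outcome": outcome})
    return outcome
```

Denied and step-up decisions are logged as well as allowed ones, so the audit trail shows which requests were refused and why.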
Roman Yudkin is chief technology officer at Confident Technologies. For more on Confident Technologies: www.rsleads.com/204ht-211
Despite security challenges, the future of mobile healthcare is bright. A growing number of new mobile authentication technologies and practices make it faster and easier for physicians to securely access sensitive and regulated information without increasing risk. As healthcare becomes increasingly digital and mobile, the need for strong authentication and access control that’s easy to use on smartphones and tablets will be essential.
HMT HEALTH MANAGEMENT TECHNOLOGY www.healthmgttech.com