The growth of personal mobile devices in healthcare demands new security policies and technologies.
Physicians and other healthcare workers are increasingly bringing their personal smartphones and tablets into hospital, clinical and office settings to access electronic medical records (EMRs) and other highly sensitive information. A recent survey revealed that almost one-third of physicians use their personal smartphones and tablets to access EMRs. By the end of this year, nearly half of all physicians are expected to use their mobile devices to access medical applications daily.
The popularity of “bring your own device” (BYOD) presents unique security challenges for healthcare IT organizations. Mobile access dramatically increases exposure to security risks, data breaches and privacy violations if the devices and applications are not adequately secured. New technologies and security policies designed to address the unique challenges associated with mobile access are needed – particularly in the areas of authentication and access control – to protect patient data, maintain compliance with HIPAA regulations and ensure secure computer networks and systems in healthcare organizations.
As patient records have been digitized health data breaches have surged, increasing 32 percent last year. In almost half the cases, a lost or stolen phone or computer was responsible. Nearly half of all smartphone or tablet owners do not use a password or PIN to lock their devices, and as many as two-thirds admit to leaving mobile apps perpetually logged in because typing a username and password is too burdensome.
The use of static passwords for authentication to healthcare systems and medical applications is not secure and is too cumbersome on smartphones and tablets, often requiring switching between multiple tiny, on-screen keyboards. To ease the process, clinicians choose weak passwords, write down their passwords or simply leave the device or its applications unlocked. Proper authentication and access control is especially onerous when physicians are busily moving around within hospitals or among different medical facilities.
Fortunately, smartphones and tablets have unique characteristics that make it possible to use advanced authentication techniques that were not viable in the past.
Sensors built into tablets and smartphones are making biometrics an increasingly viable option for authentication. Built-in microphones and cameras can be used for voice and facial recognition, and fingerprint readers can authenticate physicians with a single finger. Touchscreens enable the use of image-based and pattern-based authentication schemes that can generate one-time passwords simply by having the physician tap a specific combination of pictures or draw a pattern. Such graphical authentication techniques are faster to execute than typing alphanumeric passwords and are more secure because they generate one-time passwords.
The unique device identifier code (UDID) on smartphones and tablets should be used in digital fingerprinting of the devices. Virtualization should be applied to personal mobile devices, separating personal data and applications from professional ones and allowing IT administrators to wipe sensitive data from the device in the event of loss or theft.
Most importantly, healthcare organizations should use layers of authentication coupled with access control policies. This allows different methods of authentication to be triggered depending on user role or risk level of the situation. When coupled with access control policies, the healthcare organization can control who is able to access what information, from which devices, and what they can do with it. For example, an employee in a certain role may be able to view data from their personal mobile device but not download it. Layered authentication and access control policies can also help create audit trails for regulatory compliance.
Despite security challenges, the future of mobile healthcare is bright. A growing number of new mobile authentication technologies and practices make it faster and easier for physicians to securely access sensitive and regulated information without increasing risk. As healthcare becomes increasingly digital and mobile, the need for strong authentication and access control that’s easy to use on smartphones and tablets will be essential.
About the author
Roman Yudkin is chief technology officer at Confident Technologies. For more on Confident Technologies, click here.