Healthcare data is under assault. Criminal attacks on healthcare organizations jumped 125 percent between 2010 and 2014. And this was before several leading insurers, including Anthem, reported staggering breaches last year.
This surge in criminal hacking has coincided with an explosion of mobile devices in healthcare – a trend spurred by bring-your-own-device (BYOD) policies in hospitals. BYOD makes good sense. Mobile devices enable medical practitioners to forward patient records, share test results, and communicate with each other in real time, improving the speed and quality of healthcare delivery.
But these devices are notoriously vulnerable both to remote attackers and to anyone who gains physical possession of them, leaving patients and healthcare organizations at the mercy of bad actors bent on exploiting protected health information (PHI) for financial gain. In a study last year by the Ponemon Institute, 96 percent of respondents reported at least one security incident involving a lost or stolen device. It is clear that old attitudes and strategies have failed; it’s time for a new approach.
The stakes are undeniably high. Stolen PHI, which includes medical records, claims, and billing information, is already being monetized on the “Deep Web’s” shady black market. According to Bankrate, identity thieves who compile full dossiers of personal information that include healthcare data, known colloquially as “kitz,” can sell them for more than $1,000. Of even greater concern, medical records are far more sensitive than any other type of data; they cannot be reissued like credit cards, reimbursed like bank accounts, or adjusted like credit scores.
Despite the enormous consequences, the healthcare industry has been slow to recognize and step up to the challenge – in no small measure because mobile security vendors have struggled to find solutions. First-generation approaches involved wrapping in-house mobile apps in a security layer that would ostensibly keep hackers at bay. This might have gained more traction if not for a critical shortcoming: the technology does not protect third-party apps commonly used within the healthcare industry, such as electronic medical record software.
The security industry then gravitated to containerization, in which a set of custom-made healthcare applications is encapsulated within a container with its own runtime environment. But like wrapping, this technology did not let users move beyond a limited menu of predetermined apps. Of greater concern, neither wrapping nor containerization could safeguard data if a lost or stolen device were physically attacked, or if it were remotely compromised through exploitation of vulnerabilities. Physical attacks on mobile devices have been largely left unaddressed by vendors. Biometric sensors, such as fingerprint readers, have made these attacks even more successful, because enterprising hackers can defeat them with image-capture applications and 3D-printing technologies. It is quite an irony that the airplane mode usually accessible from the locked screen of a smartphone or tablet is all an attacker needs to prevent the device from being remotely wiped or located through iCloud. Essentially, airplane mode, paired with the fingerprint-sensor attack vector, renders all device-based security solutions ineffective.
It’s time to recognize that these prevailing mobile app security models simply haven’t worked. Instead, we must focus on securing data rather than devices – an approach that taps into (and borrows from) one of the most powerful software trends of the last decade: virtualization. We commonly think of virtualization as a cost-effective way to boost efficiency and agility. But virtualization, which makes it possible to run multiple operating systems and applications on the same server at the same time, provides powerful built-in security advantages.
This is the premise behind virtual mobile infrastructure (VMI), a technology that gives mobile device users secure access to all the applications in their business mobile environment. VMI creates a mobile environment (operating system, apps, and corresponding data) that runs on a remote server. Because VMI sessions are ephemeral, all apps and data remain on the remote server rather than on the device, so criminals or state-level actors cannot harvest any data from a lost or stolen phone, tablet, or laptop.
There are other advantages to VMI. Users can access corporate mobile apps regardless of the device they are using, and they can still use their phones or tablets for personal use without having to deal with restrictions imposed by their employer. VMI is the only way to manage mobile business applications with any certainty, without giving away the keys to the kingdom.
A number of security vendors are moving in this direction. Citrix, the on-demand software maker, has re-rendered Microsoft Windows and corresponding apps for mobile. Others such as Nubo, Hypori, and Avast have taken a different approach by virtualizing mobile apps for mobile platforms, resulting in a more elegant and streamlined user experience.
Critics correctly note that virtual mobile infrastructure is not accessible when users are offline. That’s because enabling offline access would require caching data on smartphones, tablets, and laptops – a solution that would defeat the key security advantage of VMI. But this is a non-existent issue in all but the most remote locations. We cannot afford to let isolated instances keep us from adopting technology that is a major step forward in safeguarding hundreds of millions of people’s healthcare data. Let there be no mistake: Cyberattacks that yield healthcare data will only increase in the years to come unless we move quickly to adopt VMI.