Health IT Pros Worried About Mobile Security Threats

A Spyglass Consulting Group study found the majority of hospitals surveyed have concerns about their ability to support and protect mobile devices, patient data and the hospital’s technology infrastructure.

Eighty-two percent of hospitals surveyed were concerned about personally owned mobile devices used by physicians and advanced practice nurses, as well as hospital-owned and managed mobile devices used by nurses, ancillary healthcare professionals and other mobile hospital workers.

The report found just 38 percent of hospitals surveyed had invested in a smartphone-based communications platform to support clinical communications. The average deployment size was 624 devices.

Just over half (52 percent) of them have expanded their deployments beyond clinical messaging to support other mobile hospital workers.

“In the past, hospital IT was primarily concerned about physicians, nurses and ancillary workers who were using their own personal devices to support clinical communications and collaboration,” Gregg Malkary, managing director of Spyglass Consulting Group, told eWEEK. “Many them had non-password-protected devices and are communicating using unsecured SMS that includes personal health information, which poses placing the healthcare organization and provider at risk of a potential HIPAA violation.”

Malkary said some of the stumbling blocks hospitals face when trying to develop an IT security strategy include a limited budget to invest in more advanced security products and services and a lack of leadership and dedicated personnel who have knowledge, expertise and skills in advanced cyber-security and regulatory compliance.

“I was under the impression if hospital IT workers made the appropriate investments in mobile device management solutions to enforce security protocols and secure messaging to protect patient health information, that this would have been adequate,” Malkary said. “Cyber-criminals have become more sophisticated and knowledgeable about the capabilities and vulnerabilities of existing security products, as well as the strategies and tools used by hospital IT to detect a potential intrusion.”

He said hospital IT pros need to build multi-disciplinary teams to better understand both the cyber-security threats posed by mobile technologies and the implications on protecting patient data and hospital infrastructure.

“They need to develop strict policies and procedures on the use of mobile technologies to support patient care and clearly identify the implications of an infraction, and need to educate end users who are using hospital-owned and personally owned devices on the dangers of cyber-security threats and how they can best safeguard information,” he said.

He also noted hospital IT staff need to transition investments toward attacker detection and away from attacker prevention.

“This will require increased investments in cyber-security analytics that can enables devices and entities acting suspiciously to be quickly identified and investigated,” he said.