For years, healthcare has been going through a digital transformation, and in many organizations, the pandemic has radically accelerated this trend. Today, mobile devices play an increasingly central role in how patients access and experience healthcare services and how healthcare organizations manage operations and service delivery.
We’re now well into an era in which mobile health, or “mHealth,” has become ubiquitous. Mobile devices now power and support remote patient monitoring, telemedicine, mobile medical apps, and more. For consumers, healthcare apps have started to proliferate. Calorie counters, fitness apps, sleep tracking apps, healthcare provider and medical insurance apps, and meditation apps, among many others, have seen widespread adoption. These apps undoubtedly offer increasing value and convenience for consumers but can also introduce risk.
How are healthcare organizations contending with the security implications of this shift to mHealth? In conjunction with the Health-ISAC (Health Information Sharing and Analysis Center) Navigator Program, Zimperium recently hosted a webcast to explore these topics. Entitled “The New ‘mHealth’ Golden Age: What Are the Mobile Security Implications?”, the session featured a discussion with Chris Akeroyd, SVP and CIO of Children’s Health, and Vince Nguyen, Senior Program Manager, Diabetes, at Medtronic.
Here are some of the key takeaways from the discussion.
The Central Role of Mobile Devices and Apps
Today, Children’s Health is using mobile apps extensively. As Chris Akeroyd described, “We’re using mobile apps throughout the organization, starting with our own employees and caregivers. Mobile technologies are shaping the workflow of our nurses and physicians and how we treat patients at the bedside. All nurses carry an Android mobile device with a number of tools on it.”
Medtronic has also employed mobile technologies extensively. Their employees are embracing mobility to stay in touch and collaborate. Vince Nguyen said, “With continued digitization, we’re delivering data in a timely manner directly to patients.”
Medtronic is building mobile apps and wearables. For example, a diabetes patient can track their intake of carbs directly on their device. In the past, patients relied on quarterly or monthly lab tests. Later, a phone and mobile app offered a view of data from an insulin pump. Now, the mobile device itself is becoming a medical device; for example, it can alert a patient to take a dose of insulin because their blood sugar is running high, or to act because it is running low. With these advances, patient care takes on a new life. Instead of a patient trying to describe how they’re feeling and the doctor diagnosing based on reported symptoms, mobile technology is bridging the gap: doctors now have current medical information and can more readily identify the cause of illness.
The Criticality of Securing Data and Devices
These emerging mHealth technologies and approaches have significant implications for healthcare providers and device manufacturers.
For clinicians and patients alike, having timely, convenient access to data is invaluable. However, if this data gets into the wrong hands, it can be extremely harmful. As mobile devices routinely store and access therapy data, patient details, and more, it becomes increasingly important to ensure these devices remain secure.
When medical providers and vendors roll out mobile technologies, patients entrust them with sensitive data and expect these organizations to safeguard it. Therefore, it is vital to secure this data at all times, whether it sits on a mobile device or in the provider’s network, and whether it is sensitive content in employee emails or patient information on clinical systems.
In the past, Children’s Health had well-established processes for apps that go on the organization’s own devices or devices that it manages, such as laptops and desktops. However, given the critical data mobile devices now hold and the roles they now play, teams must secure these devices as well.
Chris explained, “We’re seeing more zero-day attacks on iOS and Android than in the past. Mobile devices can provide a broader attack plane for some malicious actor to infiltrate our organization, steal data, and inject malware.”
For Medtronic, data privacy and security are critical, and security risks can even endanger patient health and safety. Because these devices now hold therapy data and support the administration of therapy, a compromise of the app or device could lead to this data being altered or deleted. This is a major concern, so security must be built into the device itself.
Bring Your Own Device (BYOD)
A recent Zimperium survey found that 44% of healthcare professionals were accessing patient data via a mix of organization-managed and employee-owned devices, and 5% were accessing patient data solely via their own personal devices. This widespread use of bring-your-own-device (BYOD) approaches presents various challenges for security teams. These devices can be running any version of iOS or Android and present a virtually infinite number of permutations of configurations, installed apps, and more.
Looking at devices used by employees, Chris explained, “I heard a stat that there are 14,000 different applications that people have loaded on their phones through the app stores. Our security group can’t go through and vet every one of those apps to ensure it’s behaving appropriately. So we have to have some intelligence on the device to help us make sure we’re securing it effectively.”
Security teams want apps to have the intelligence they need to detect when risky or malicious behavior may be occurring and to prevent users from exposing data. However, due mainly to privacy concerns, consumers and employees are resistant to having the company run security management apps on their personal devices.
For medical devices, teams may be limited in what security software can be installed. For example, a wearable device may not have enough computing resources to run a complete security stack. As a result, teams have to microsegment these environments to deliver effective services while safeguarding sensitive assets.
Today’s healthcare providers and device manufacturers must adhere to an increasingly complex set of regulatory mandates. For example, Children’s Health treats patients regionally, mainly in Texas and surrounding states. It developed a branded mobile app that consumers could download from app stores and consequently started to have users from various states using the app. This meant it needed to contend with other states’ privacy rules, such as the California Consumer Privacy Act of 2018 (CCPA). Further, its teams must comply with the Health Insurance Portability and Accountability Act (HIPAA) and the 21st Century Cures Act, which calls on the healthcare industry to adopt standard APIs that enable individuals to securely and easily access their health information using mobile apps.
Vince explained that for a global medical device manufacturer like Medtronic, “not only are regional privacy mandates in effect but there are around 16 different global regulations around medical devices.” Their teams need to ensure their devices and apps accommodate these different requirements, following an extensive process that includes security testing, penetration testing, submission to the FDA, and so on.
For organizations managing sensitive patient data, these regulations have various implications. For example, as telehealth becomes more common, healthcare providers and patients are increasingly geographically dispersed. So, how do you enable a patient in the U.S. to collaborate with a doctor in Europe and a doctor in Asia, and to do so securely, legally, and in real time?
Key Factors to Embracing Emerging Tech
Depending on the nature of the services provided, technologies employed, and many other factors, some organizations are better equipped to embrace mobile technologies than others.
We are grateful to have had Vince and Chris participate in the conversation around the opportunities and challenges their organizations have experienced related to mobile technologies, as well as their approaches on how to build security into every step as mobile technologies are further integrated into healthcare delivery systems.
Teams in healthcare must constantly balance securing data and ensuring data privacy against not being intrusive to end users. As part of these efforts, the team at Children’s Health has focused on educating employees, healthcare professionals, patients, and third-party partners, such as physicians who are part of its referral network. Through these efforts, it has emphasized how real the risks are and why it is taking the steps it is taking. Now, users who want to access the Children’s Health portal must complete multi-factor authentication, and getting user buy-in was vital to rolling out this requirement.
For Medtronic, it is essential to build security in by design and up front; trying to bolt security on at the end will ultimately delay delivery. The team has also focused on cyber hygiene best practices, including access control, data encryption, and login alerts, which together address a significant percentage of risks.
Requirements and Recommendations from Zimperium
To meet their security and compliance objectives, healthcare providers and medical device manufacturers need to address the following areas:
- Risk Assessment. Healthcare providers use many vendor products and push usage and information out to consumers, so they must perform risk assessments to ensure compliance and privacy.
- Ecosystem Security. Device manufacturers need to assess and manage the security of the whole ecosystem: how mobile devices, sensors, and medical devices disseminate data, and how that data is shared with healthcare providers, patients, and partners. These organizations therefore need continuous monitoring of communications between devices. In addition, sensor data pushed to the phone or the cloud may be subject to a man-in-the-middle attack that could result in data being stolen or manipulated, potentially altering treatments, so teams also need to establish transport security for those channels.
- Mobile App Security. Medtronic is building apps that function as medical devices. These apps are installed on consumers’ devices, which means the individual owns the device, its configuration, and the other apps on it. To safeguard data, it is crucial to secure the provider’s app running on those devices. For example, if the app detects that the phone is jailbroken or rooted, it should refuse to start up.
- Code Security. When organizations publish their code on an app store, malicious actors can download it and attempt to reverse engineer it, so organizations need safeguards to protect this code. In addition, it is vital to guard against what the speakers termed side-channel attacks: a different app on the same device compromising the provider’s app.
While the emergence of mHealth has brought a range of benefits, and even more opportunities for ongoing innovation, there are significant risks that must be addressed. Through the adoption of security best practices and advanced technologies, organizations like Children’s Health and Medtronic have been able to strike an effective balance between user convenience and service innovation on the one hand and security and privacy on the other.
To hear more of the discussion and learn more about meeting the security challenges of the new mHealth era, watch the replay of our webcast, “The New ‘mHealth’ Golden Age: What Are the Mobile Security Implications?”
As the global leader in mobile device and app security, Zimperium is trusted by leaders across the healthcare and device manufacturing industries. Zimperium provides the only mobile security platform purpose-built for enterprise environments. With machine learning-based protection and a unified platform that secures everything from applications to endpoints, Zimperium’s solutions provide on-device mobile threat defense and comprehensive in-app protection to protect growing and evolving mobile environments. For more information or to schedule a demo, contact us today.