The Department of Homeland Security (DHS) has recently released a bulletin which outlined and discussed the very present security risks associated with smartphones and tablets that are used as Medical Devices (MDs).
The bulletin, called Attack Surface: Health and Public Sector, noted that a substantial amount of products used in patient care and management–including diagnosis and treatment–are MDs created to monitor changes with a patient’s health and may be implanted or external.
The bulletin mentioned that part of the problem is that the FDA currently cannot regulate medical devices or how they are used – including how they connected and are connected to networks.
As noted in the bulletin, “instant connectivity of these devices to the Internet or a Health Information System (HIS) could be compromised if not protected with the latest anti-virus and spyware. MDs like smartphones and tablets are mini-computers with instant access to the Internet or linked directly to a hospital’s network. The device or the network could be infected with malware designed to steal medical information.”
The potential risks associated with these networks relates to compromised patient safety and theft of loss of corresponding data. Because of stringent HIPAA regulations, devices need to be as secure as possible. Misconfigured networks and poorly managed networks also pose a threat to MDs.
Because of this, the DHS bulletin breaks down five main threat points of entry for wireless mobile devices:
- Insider: The most common ways employees steal data involved network transfer, be that email, remote access, or file transfer.
- Malware: These include keystroke loggers and Trojans, tailored to harvest easily accessible data once inside the network.
- Spearphishing: This highly-customized technique involves an email-based attack carrying malicious attack disguised as coming from a legitimate source, and seeking specific information.
- Lost equipment: A significant problem because it happens so frequently, even a smartphone in the wrong hands can be a gateway into a health entity’s network and records. And the more that patient information is stored electronically, the greater the number of people potentially affected when equipment is lost or stolen.
The security of patient data is a paramount concern for all in healthcare. As more MDs are created and technology expands, there will be increased vulnerabilities that need to be addressed. Laying a strong foundation and addressing the issues now will help to keep data breaches to a minimum. DHS officials echo this sentiment.
“Healthcare and Public Health Sector IT Administrators need to address the gap between security and mobile device use. Areas of concern include unmanaged mobile device access, authentication of users requesting access to a hospital’s web server, how to secure mobile devices with health information, unsecured wireless connectivity or cellular networks and protection against unauthorized breach of lost and/or stolen devices.”