Last week the US Department of Homeland Security issued a policy paper that highlights the various security and privacy concerns that surround the use of mobile devices in healthcare and connected medical devices. DHS paints a rather grim picture of the current trend, including a warning against BYOD:
"If IT administrators don’t implement the correct mobile device for the right job or are slow to integrate [mobile devices] into the work place, they run the risk that employees may use their personal mobile devices to perform their duties. If a healthcare professional uses a personal device such as a smart phone, tablet or USB device to access patient information, at risk for theft or accidental loss of the device is patient information on an unencrypted or protected device that is not password protected."
The DHS paper includes a number of high-profile examples of security breaches or demo hacks of wireless-enabled implantable devices, so it serves as a fairly good primer on recent events in the realm of mobile health security. The document also includes a list of 10 "best practices" for healthcare organizations to follow when it comes to mobile technology:
1. Purchase only those networkable medical devices which have well documented and fine-grained security features available, and which the medical IT network engineers can configure safely on their networks.
2. Include in purchasing vehicles vendor support for ongoing firmware, patch, and antivirus updates where they are a suitable risk mitigation strategy.
3. Operate well maintained external facing firewalls, network monitoring techniques, intrusion detection techniques, and internal network segmentation, containing the medical devices, to the extent practical.
4. Configure access control lists (ACL) on these network segments so only positively authorized accounts can access them.
5. Establish strict policies for the connection of any networked devices, particularly wireless devices, to Health Information Network (HIN), including laptops, tablets, USB devices, PDAs, smartphones, etc., such that no access to networked resources is provided to unsecured and/or unrecognized devices.
6. Establish policies to maintain, review, and audit network configurations as routine activities when the medical IT network is changed.
7. Use the principle of least privilege to decide which accounts need access to specific medical device segments, rather than providing access to the whole network.
8. Implement safe and effective, but legal patch and software upgrade policies for medical IT networks which contain regulated medical devices.
9. Secure communications channels, particularly wireless ones, by the use of encryption and authentication at both ends of a communication channel.
10. Have and enforce password policies to protect patient information.
The paper also includes a few mentions of mobile health security issues outside of traditional care environments: "In the future, elderly and infirm patients can be monitored by loved ones and medical professionals in their home, saving the cost and distress of institutionalization," the DHS writes. "This process may be threatened by the inadequacy of these home networks and their maintenance. Homeowners may not use proper password protections or maintain the most current antivirus software. By definition the elderly and infirm may not be able to determine whether these domestic networks are safe or even operational."
More in the full paper (PDF) here.