Deploying mobile technology in hospitals has plenty of advantages – swift communication between nurses, doctors and other members of the care team, coordination of care, and more efficient workflows. But such communication platforms are also at a high risk for cybersecurity attacks, something a recent survey found most hospitals to be very concerned about.
Spyglass Consulting Group, a Menlo Park, California-based market research and consultancy firm, surveyed 100 hospital IT and informatics executives (a significant representation of the country's 2,500 hospitals that have 200 or more beds) on whether they feel their in-house mobile technology is adequately protected. They found that 82 percent expressed “grave concerns about their ability to support and protect mobile devices, patient data, and the hospital’s technology infrastructure as a result of the growing threat of cybersecurity attacks.”
“Smartphone technology has really taken on a serious role as to how it fits into clinical communication, but every time you integrate systems, there are points where the data is in the clear, and where it is vulnerable,” Gregg Malkary, founder and managing director of Spyglass, told MobiHealthNews.
The survey looked at the way mobile devices, including smartphones and tablets, can introduce vulnerabilities to the hospital’s network and infrastructure through attack vectors. These include malware, which penetrates networks, steals information and then covers up its tracks; blastware, which lies in wait until it is detected, then destroys or disables a system; and ransomware, which, as the name suggests, blocks access to a system until the victim forks over money.
The biggest concern lies in mobile devices, both those that are personally owned by physicians and advanced practice nurses, and those that are hospital-owned and managed. Personally owned devices often have inadequate password protection, lack security software and rely upon unsecured SMS messaging for clinical communication that often includes patient health information.
On top of that, nurses and doctors using their personal devices widely use public WiFi and cellular networks that could easily compromise their device and the data that goes along with it. But now that there is a culture of having instant communication, the security that goes along with it hasn’t necessarily caught up.
“In the past, nurses weren’t provided any communication tools, not even pagers, so they took it into their own hands to communicate with each other and doctors,” Malkary said. “These weren’t secure.”
Even though hospitals began making investments in proprietary handsets, they didn’t necessarily go out to all departments, Malkary said, and nurses and doctors continued to use their personal devices. So hospital IT departments began deploying hospital-owned and managed devices, but the security threats persist, which the survey found was a serious concern to hospitals.
“Despite increased investments in mobile device management solutions and secure text messaging solutions, cybercriminals have become more sophisticated and knowledgeable about the capabilities of existing security products, and the strategies and tools used by hospital IT to detect a potential intrusion,” Malkary wrote in the report.
Data breaches aren’t good for anyone, but they are particularly tough when it comes to HIPAA. Hospitals found guilty of data breaches can be fined upwards of $1.5 million per incident and be required to notify local media if the breach involves more than 500 patient records.
“We’ve gotten past the thing with the bring your own device issue, but even when you do the right thing, the hackers are so far ahead,” he said.
Approximately 25 percent of data breaches originate from mobile devices, and more and more hospitals are using them. The Spyglass survey found 71 percent of hospitals regard mobile communications as an emerging investment priority, driven by the adoption of new patient-centered care models and value-based purchasing. Of the hospitals surveyed, 38 percent have invested in smartphone-based communication to support clinical communications, with an average deployment size of 624 devices. Of that group, 52 percent had expanded their deployments beyond clinical messaging to support other mobile hospital workers.
“In the last couple of years, the adoption rate has been so high that mobile platforms across all hospital workers – including nurses, hospitalists and other folks outside patient care – really need a common platform on a common infrastructure,” said Malkary. “Now that there is an ROI to leverage these common infrastructures, it’s a lot more cost-effective, which is a very significant development.”
But, Malkary cautioned, deployment of such platforms is an undertaking that requires significant security measures.
“The question is how to integrate these technologies within a clinical workflow, enhancing the team care to support population health,” Malkary said. “But it would be nice if you had a mobile strategy that begins with knowing where you are most vulnerable. Don’t just throw technology at a system right away.”