Article Written by Israel Lifshitz, founder and CEO of Nubo

Mobile devices have created a gaping wound in healthcare cybersecurity. As 2015's string of mega-breaches illustrated, the industry is ill-equipped for desktop threats, let alone mobile ones. Last year, the U.S. Department of Health and Human Services Office of Civil Rights (OCR) cataloged more than 253 healthcare breaches that compromised over 112 million health records. In other words, data breaches affected roughly one in three Americans. With more than 84 percent of physicians now using personal smartphones for professional purposes, the risk of breaches will increase.

Some healthcare organizations have turned to mobile device management (MDM) and enterprise mobility management (EMM) to address this threat. For reasons I'll dig into, IT departments widely detest these solutions, which are especially ill-equipped for the medical field. Unlike most white collar workers who serve one company at a time, healthcare professionals often serve multiple clinics at once. They cannot let one organization install MDM on their smartphone, as it would give the clinic administrative control. Conversely, it would be expensive and impractical to give doctors one smartphone for each clinic.

IT departments cannot protect medical data with device-based security or a hope-and-pray approach. To stitch the wound in healthcare cybersecurity, IT departments must look to virtual mobile infrastructure (VMI). By keeping vulnerable data in data centers and off employees' devices, VMI may safeguard hundreds of millions of patient records from future breaches.

The Modern Attack Route

2015 was a brutal and unusual year for data security in the healthcare industry. It shed light on the types of attacks that will target mobile users, if they haven't already.

Last year, 98 percent of data breaches were caused by large-scale hacks according to a report by cloud security provider Bitglass. Five discreet attacks, including the Premera Blue Cross and Anthem breaches, accounted for 100 million of the 112 million compromised health records. Each record stolen costs the compromised organization an average of $145 to $154 according to research by the Ponemon Institute.

2015's major attacks involved "social engineering", which has become the most popular attack vector. In the Premera and Anthem cases, for instance, the hackers used phishing emails that directed employees to fake company websites. When they entered their login credentials as usual, the hackers recorded the info and redirected the victim to real company websites so they wouldn't realize they'd been tricked. 

In 2014, Bitglass found that 68 percent of breaches were caused by lost or stolen employee devices. Such devices could provide a treasure trove of exploitable information - especially if the device contains corporate data, like work emails. From email alone, the hackers can learn who an employee interacts with and why. The hackers can analyze how human resources, HR, IT, management, and other powerful personnel communicate, down to the common themes, messages, and signoffs they use. This is all the data they need to dupe unsuspecting employees.

So let's say a doctor loses her smartphone which she uses to write and reply to work emails. The hacker sees that she has been emailing back and forth with an IT administrator about a new prescriptions management app. The hacker impersonates that IT admin and sends the doctor an email with a "crucial" app update, which, unbeknownst to the doctor, pretends to update her app but actually downloads malware onto her smartphone when she taps the link. That malware captures her login credentials, giving the hacker unrestricted access to patient medical records. The attacker can sell these records on the black market, where they will be used for identity theft, financial fraud or extortion.

Sure, social engineering attacks can target desktop users too. The difference is that a smartphone with work data can give the attackers a tremendous advantage. People generally don't lose their running desktop computers in bars and subways.   

You Can't Secure Personal Devices

As Healthcare IT News demonstrated in a roundup of 2015 breaches, compliance doesn't equate to security. HIPAA compliance is merely a box to be checked - a bare minimum. It doesn't address the mobile security challenges I've outlined above. Neither do BYOD solutions that attempt to secure devices.

In IT circles, BYOD has become a dirty word thanks to the paltry performance of MDM and EMM. They force IT to select, "wrap", and deploy apps for hundreds of potential device and operating system version combinations. The so-called secure "containers" are still vulnerable to malware on employees' devices. Users complain that they can't download and install the apps they actually want to use. The tragedy is that IT departments know how to secure information in their data centers, but MDM and EMM ensure that corporate data lands on employees' devices, where IT has little oversight.

The childhood game "capture the flag" offers a good analogy. Normally, the teams keep their flag deep within home territory, guarded by multiple people, so that the other team can't steal it easily. When employees use mobile devices - with or without MDM -  the team has to guard hundreds or thousands of flags, instead of one. Players unknowingly wander into enemy territory, focused on their work (patient care) instead of guarding the flag. The enemy just needs one flag to win the game.

With odds like that, of course breaches happen. Healthcare professionals care about data security, but guarding the flag is not their job. Priority-wise, patients come miles ahead of patching, monitoring, and optimizing smartphone security. With MDM, the phone becomes the weakest link in security.

The Case for Virtual Mobile Infrastructure

Whereas typical BYOD solutions locate exploitable healthcare data on employees' devices and then attempt to secure it, virtual mobile infrastructure (VMI) is based on an entirely different philosophy: Zero digital footprint on mobile endpoints. It operates like virtual desktop infrastructure (VDI). All applications live in a private data center or in a secure cloud. Healthcare workers access these apps via a thin client app that runs on multiple operating systems. To healthcare workers, the experience feels native - the remote apps respond to swipes and taps like apps installed on their physical phones and support mobile sensors such as GPS, orientation and camera.  

To use the "capture the flag" analogy again, IT only needs to secure one "flag," stored in a single data center, when VMI is in play. They can deploy all the medical apps employees need in this one environment without worrying about app wrapping or compatibility issues. Each health system can assign different privileges to office staff, physicians, nurses and temporary staff.

Sure, attackers could still use social engineering attacks to steal login credentials for the thin client app. However, lost and stolen devices won't provide any useful information. Attackers cannot "spoof" the thin client app as easily as they could a company website. VMI doesn't erase the need to educate employees about phishing and other threats, but it does empower IT to focus security resources on one, controllable environment.

In a perfect security world, healthcare workers would never access information outside their offices. But in the reality we inhabit, IT needs to simplify security by taking the burden off employees. MDM and EMM merely bandage open wounds that need stiches. Virtual mobile infrastructure should be a cornerstone in preventing healthcare's next mega-breach.

##

About the Author

Israel Lifshitz, founder and CEO of Nubo

An entrepreneur and experienced CEO, Israel previously founded SysAid Technologies, a worldwide leader in IT service management solutions. He identifies trends and opportunities, finds solutions and achieves highly rewarding results. Israel is a graduate of Technion Institute of Technology in Computer Science. With Nubo Software on the rise, Israel is defining the new virtual mobile work experience for enterprise organizations.