Article Written by Israel Lifshitz, founder and CEO of Nubo
Mobile devices have created a gaping wound in healthcare
cybersecurity. As 2015's string of mega-breaches illustrated, the industry is ill-equipped
for desktop threats, let alone mobile ones. Last year, the U.S. Department of
Health and Human Services Office of Civil Rights (OCR) cataloged
more than 253 healthcare breaches that compromised over 112 million health
records. In other words, data breaches affected roughly one in three Americans.
With more than 84 percent of physicians now using
personal smartphones for professional purposes, the risk of breaches will
increase.
Some healthcare organizations have turned to mobile device
management (MDM) and enterprise mobility management (EMM) to address this
threat. For reasons I'll dig into, IT departments widely detest these solutions,
which are especially ill-equipped for the medical field. Unlike most white
collar workers who serve one company at a time, healthcare professionals often
serve multiple clinics at once. They cannot let one organization install MDM on their smartphone,
as it would give the clinic administrative control. Conversely, it would be
expensive and impractical to give doctors one smartphone for each clinic.
IT departments cannot protect medical data with device-based
security or a hope-and-pray approach. To stitch the wound in healthcare
cybersecurity, IT departments must look to virtual mobile infrastructure (VMI).
By keeping vulnerable data in data centers and off employees' devices, VMI may safeguard
hundreds of millions of patient records from future breaches.
The Modern Attack Route
2015 was a brutal and unusual year for data security in the
healthcare industry. It shed light on the types of attacks that will target
mobile users, if they haven't already.
Last year, 98 percent of data breaches were caused by
large-scale hacks according to a report
by cloud security provider Bitglass. Five discrete attacks, including the
Premera Blue Cross and Anthem breaches, accounted for 100
million of the 112 million compromised health records. Each record stolen
costs the compromised organization an average of $145 to $154 according to research
by the Ponemon Institute.
2015's major attacks involved "social engineering", which
has become the most
popular attack vector. In the Premera and Anthem cases, for instance, the
hackers used phishing emails that directed employees to fake company websites. When
they entered their login credentials as usual, the hackers recorded the info
and redirected the victim to real company websites so they wouldn't realize
they'd been tricked.
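The credential-harvesting flow described above depends on a login page hosted on a domain that only resembles the real one. As an added example (not code from the article or from Nubo), the following Python check is the kind of logic a mail gateway or SOC triage script can run over the links in an incoming message to flag lookalike and brand-abusing hosts; the legitimate domains and sample links are constructed placeholders.

```python
from urllib.parse import urlparse

# Constructed placeholders for the organisation's real web domains (not real sites).
LEGIT_DOMAINS = {"clinic-example.org", "portal.clinic-example.org"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Last two labels of a hostname; sufficient for these constructed samples."""
    return ".".join(host.split(".")[-2:])


def classify_link(url: str) -> str:
    """Return 'legit', 'lookalike', 'brand-abuse' or 'unknown' for a link's host."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    # Exact match or a subdomain of a known-good domain is fine.
    if host in LEGIT_DOMAINS or any(host.endswith("." + d) for d in LEGIT_DOMAINS):
        return "legit"
    reg = registrable(host)
    for legit in LEGIT_DOMAINS:
        legit_reg = registrable(legit)
        brand = legit_reg.split(".")[0]
        # Typosquat: registrable domain within two edits of the real one.
        if levenshtein(reg, legit_reg) <= 2:
            return "lookalike"
        # Brand name used as a subdomain or label on an unrelated domain.
        if brand in host:
            return "brand-abuse"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample links as they might appear in a phishing email.
    for link in ("https://portal.clinic-example.org/login",
                 "http://c1inic-example.org/login",
                 "http://clinic-example.org.evil.example/login",
                 "https://www.example.com/"):
        print(classify_link(link), link)
```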
In 2014, Bitglass found
that 68 percent of breaches were caused by lost or stolen employee devices. Such
devices could provide a treasure trove of exploitable information - especially if
the device contains corporate data, like work emails. From email alone, the
hackers can learn who an employee interacts with and why. The hackers can
analyze how human resources (HR), IT, management, and other powerful personnel
communicate, down to the common themes, messages, and signoffs they use. This
is all the data they need to dupe unsuspecting employees.
So let's say a doctor loses her smartphone which she uses to
write and reply to work emails. The hacker sees that she has been emailing back
and forth with an IT administrator about a new prescriptions management app.
The hacker impersonates that IT admin and sends the doctor an email with a "crucial"
app update, which, unbeknownst to the doctor, pretends to update her app but
actually downloads malware onto her smartphone when she taps the link. That malware
captures her login credentials, giving the hacker unrestricted access to
patient medical records. The attacker can sell these records on the black
market, where they will be used for identity theft, financial fraud or
extortion.
Sure, social engineering attacks can target desktop users
too. The difference is that a smartphone with work data can give the attackers
a tremendous advantage. People generally don't lose their running desktop computers
in bars and subways.
You Can't Secure Personal Devices
As Healthcare IT News
demonstrated in a roundup
of 2015 breaches, compliance doesn't equate to security. HIPAA compliance is merely
a box to be checked - a bare minimum. It doesn't address the mobile security challenges
I've outlined above. Neither do BYOD solutions that attempt to secure devices.
In IT circles, BYOD has become a dirty word thanks to the
paltry performance of MDM and EMM. They force IT to select, "wrap", and deploy
apps for hundreds of potential device and operating system version
combinations. The so-called secure "containers" are still vulnerable to malware
on employees' devices. Users complain that they can't download and install the
apps they actually want to use. The tragedy is that IT departments know how to secure information in their
data centers, but MDM and EMM ensure that corporate data lands on employees'
devices, where IT has little oversight.
The childhood game "capture the flag" offers a good analogy.
Normally, the teams keep their flag deep within home territory, guarded by
multiple people, so that the other team can't steal it easily. When employees use
mobile devices - with or without MDM - the
team has to guard hundreds or thousands of flags, instead of one. Players
unknowingly wander into enemy territory, focused on their work (patient care)
instead of guarding the flag. The enemy just needs one flag to win the game.
With odds like that, of course breaches happen. Healthcare
professionals care about data security, but guarding the flag is not their job.
Priority-wise, patients come miles ahead of patching, monitoring, and
optimizing smartphone security. With MDM, the phone becomes the weakest link in
security.
The Case for Virtual Mobile Infrastructure
Whereas typical BYOD solutions locate exploitable healthcare
data on employees' devices and then attempt to secure it, virtual mobile
infrastructure (VMI) is based on an entirely different philosophy: Zero digital
footprint on mobile endpoints. It operates like virtual desktop infrastructure
(VDI). All applications live in a private data center or in a secure cloud. Healthcare
workers access these apps via a thin client app that runs on multiple operating
systems. To healthcare workers, the experience feels native - the remote apps
respond to swipes and taps like apps installed on their physical phones and
support mobile sensors such as GPS, orientation and camera.
To use the "capture the flag" analogy again, IT only needs
to secure one "flag," stored in a single data center, when VMI is in play. They
can deploy all the medical apps employees need in this one environment without
worrying about app wrapping or compatibility issues. Each health system can
assign different privileges to office staff, physicians, nurses and temporary
staff.
Sure, attackers could still use social engineering attacks
to steal login credentials for the thin client app. However, lost and stolen
devices won't provide any useful information. Attackers cannot "spoof" the thin
client app as easily as they could a company website. VMI doesn't erase the
need to educate employees about phishing and other threats, but it does empower
IT to focus security resources on one, controllable environment.
In a perfect security world, healthcare workers would never access information
outside their offices. But in the reality we inhabit, IT needs to simplify
security by taking the burden off employees. MDM and EMM merely bandage open
wounds that need stitches. Virtual mobile infrastructure should be a cornerstone
in preventing healthcare's next mega-breach.
About the Author
Israel Lifshitz, founder and CEO of Nubo
An entrepreneur and experienced CEO, Israel previously founded SysAid
Technologies, a worldwide leader in IT service management solutions. He
identifies trends and opportunities, finds solutions and achieves highly
rewarding results. Israel is a graduate of Technion Institute of
Technology in Computer Science. With Nubo Software on the rise, Israel
is defining the new virtual mobile work experience for enterprise
organizations.