Healthcare organizations use mobile devices to facilitate communication among doctors, patients, and staff, provide remote services, remotely monitor patients’ health, work with documents, etc. Transferring bureaucratic activities to a smartphone is a great way to increase the efficiency and quality of healthcare services. But using mobile devices, especially personal ones, comes with a lot of security, usability, and compliance challenges.
A mobile device management (MDM) solution can help to protect an organization’s security perimeter and sensitive data. In the previous article, we discussed how to build a mobile device management system for general purposes. Here, we discuss the major demands of MDM software in healthcare and the features required of an MDM application. This post will be useful for mobile application developers and healthcare professionals who want to know more about the nuances of building an MDM solution.
Mobile device management, or MDM, is a system of applications, frameworks, and corporate policies that regulate the use of mobile devices (laptops, smartphones, tablets). MDM provides an additional level of security, monitoring, management, and support to both corporate and private devices while making the work environment more flexible and comfortable for employees. We’ve covered a typical MDM architecture and the process of developing MDM software in a previous post.
MDM became especially important alongside the popularization of bring your own device (BYOD) policies. These policies allow employees to use personal devices for work and are convenient both for employees and companies. For employees, it’s more comfortable to work with a single device instead of two (personal and corporate). And employees using personal devices are usually more productive. Additionally, companies that implement BYOD policies lower costs by not having to purchase corporate devices.
On the other hand, BYOD brings a lot of security issues. Private devices have access to sensitive corporate data and resources but aren’t as secure as corporate ones. This makes them an easy target for hackers. Moreover, an employee can sell or lose a device, share it with somebody. In all of these cases, outsiders will gain access to sensitive data.
When implemented correctly, an MDM solution protects a company’s IT environment from these threats. Moreover, it brings the following benefits:
- Secures mobile devices. A basic MDM solution should be equipped with access management, encryption, remote management, and automatic log off (or shut off) features. All of that makes stealing data from a mobile device much more complex.
- Makes mobile management faster and easier. With a single solution to manage all corporate laptops, phones, and tablets, it’s much easier for an IT security officer or an IT auditor to assess the level of security in their organization.
- Manages devices remotely. If a device is lost or stolen, data saved on it is considered compromised. An MDM solution can wipe data or block a device remotely. Also, an MDM solution can control device updates, installed applications, and configurations.
- Enforces security policies. Meeting the requirements of corporate security environments is the responsibility of every employee. But in real life, some rules can be neglected because they slow down the work process, or simply are unclear. MDM solutions can enforce security policies regardless of employee opinions.
- Reduces costs for IT administration. The obvious cost reduction comes from enabling a BYOD policy. Also, an MDM solution speeds up and partially automates device management.
In healthcare institutions, mobile devices are used to:
- Manage administrative tasks (appointments, doctors’ schedules, etc.)
- Provide quick access to medical records
- Improve communication between doctors, other medical personnel, and patients
- Reduce bureaucracy
According to the Verizon Mobile Security Index 2018, 35% of healthcare organizations suffered a data loss or downtime due to a security incident with a mobile device. Leaking protected health information (PHI) leads to severe compliance penalties and loss of reputation.
This makes the benefits of an MDM solution particularly important in healthcare due to the amount of sensitive data that can be collected, stored, and processed on mobile devices. Implementing an MDM solution is even recommended by the US Department of Health and Human Services in their HHS Policy for Mobile Devices and Removable Media.
The sensitive nature of protected patient data makes it critical to protect healthcare mobile devices from cyber threats. Let’s take a closer look at additional security challenges when developing MDM solutions for healthcare applications.
Mobile device security is one of the biggest concerns in healthcare. Among IT decision-makers in the healthcare industry, 49% believe their devices need better security according to a 2018 report by Jamf titled The Impact of Mobile Devices on Hospital Patient Satisfaction.
Healthcare organizations are a desirable target for hackers: more than 41 million health records were stolen or leaked during 2019. Furthermore, data breaches in healthcare are among the most expensive, cost an average of $408 per record. The average among other industries is $148 per record, according to the 2019 Cost of a Data Breach Report by the Ponemon Institute. Therefore, it’s vital to protect health information on mobile devices.
Here are the top concerns about PHI security on mobile devices:
- Physical security. Mobile devices are easier to steal or lose than computers and servers. Hackers may obtain health information from a stolen device or gain access to an organization’s network. Also, there’s a risk of improper disposal of retired devices, which should be wiped or destroyed. Instead, these devices sometimes are sold or used as personal devices.
- Data abuse and misuse. According to the 2019 Data Breach Investigation Report by Verizon, 59% of data breaches in healthcare were caused by internal actors. Health information is as valuable on the black market as financial information, which may motivate employees to sell data or leak it on purpose.
- Employee mistakes. More than half of healthcare data breaches were unintentional, states the same Verizon report. Doctors have to perform a lot of bureaucratic procedures that require time and high accuracy. This may lead to mistakes and inadvertent data leaks.
- Intentionally compromised devices. BYOD policies are common in healthcare organizations. But it’s not possible to completely ensure the security of a user’s device. For example, rooting or jailbreaking might open a backdoor for hackers.
- Regulatory compliance. In healthcare, there are strict requirements for the security of IT solutions that work with PHI. Complying with these requirements is a must for any healthcare organization. For example, US companies have to comply with the Health Insurance Portability and Accountability Act (HIPAA), Health Information Technology for Economic and Clinical Health Act, and the HHS Policy for Mobile Devices and Removable Media. In the UK, companies have to comply with the Data Protection Act. And in the EU, they have to comply with the GDPR.
Tips on writing GDPR compliant applications
Let’s look briefly at the requirements of a compliance regulation that may affect the development of an MDM solution for healthcare.
In the US, all healthcare-related software that receives, stores, processes, or sends PHI must comply with HIPAA. This law is aimed at providing continuous health insurance coverage, reducing the cost of healthcare, and preventing security breaches in healthcare. Violating HIPAA results in penalties of up to $1.5 million, depending on the violation tier.
Regarding digital data security, HIPAA defines strict requirements for:
- Identity and access management
- Emergency access to PHI
- Authorization procedures
- Data integrity controls
- Data transmission security
- User and data monitoring
- Tools to conduct an audit of activities with PHI
All of those requirements have to be considered when developing an MDM solution. Most data protection laws have similar demands, but it’s good practice to research relevant legislation in your country.
Ideally, the functionality of an MDM solution should be unique for each organization, as each organization has unique needs. However, there’s a set of features required by most IT regulations and that are considered best practices. We’ve outlined a list of must-have features from industry requirements for an MDM healthcare solution.
Multi-factor authentication (MFA). MFA is an access control tool that uses a combination of two out of three factors to authenticate a user: knowledge (e.g. a password), possession (e.g. a smartphone), and biometric parameters (e.g. a fingerprint). Implementing MFA ensures you know who has logged in to your system.
Device identification. During identification, an MDM solution has to ensure that a device has not been modified, jailbroken, or rooted and track the mobile device’s vendor, firmware version, operating system, and patch level.
Local encryption. All healthcare data inside your system must be encrypted. This measure will protect data even if a device is hacked or stolen. It’s best to encrypt data on the device instead of on the server or in the cloud.
Blocking of unnecessary connections. The fewer open ports a device has, the fewer chances for hackers to exploit them. Make sure Bluetooth, infrared ports, GPS, and microphones are turned off if they aren’t needed. Also, forbid connecting to untrusted networks, devices, and applications.
Internal application storage. There should be a single trusted resource where employees can get applications. The rights to delete, edit, or add new data to this resource should be granted only to authorized administrators. This way, hackers can’t swap your application with their version of it.
Containerization. It’s good practice to keep sensitive information containerized on mobile devices. An MDM solution must remotely sanitize mobile containers without impacting personal information and enforce the access policy to ensure no unapproved applications or files can enter or reside in the container.
Data transfer limits. Restrict the copying or sending of sensitive data and the downloading of files from untrusted sources. This prevents employees from accidentally opening ransomware files or sending PHI to the wrong person.
Data backup. Data created and edited on a device has to be backed up according to an organization’s cybersecurity policies. An MDM solution should do this automatically. Also, this measure helps to restore data from a lost or stolen device.
Data sanitization. An MDM solution has to be equipped with tools for automatic data deletion or removal. This is required when data is no longer needed or relevant, when a company needs to dispose of a device, or when a device is compromised.
Remote device management. One of the key reasons for using mobile devices is mobility itself. An MDM solution should enforce the same level of control for devices inside and outside of a corporate network. This helps to secure access for remote employees and third-party vendors as well as to locate or shut down a stolen device.
Remote data management. This feature is related to the previous. Managing data remotely should include automatic and periodic backups, wiping data, etc.
Software update management. Keeping device software up to date and applying all patches is important for data protection. Your MDM solution should allow you to centrally control and audit updates by setting a local system policy for a device.
Support for multiple platforms. A BYOD policy allows employees to use all sorts of devices. That’s why an MDM solution should support all major operating systems and be undemanding on hardware. You can ensure this support through cross-platform testing.
Mobile devices are changing all major industries, and healthcare is no exception. Such devices speed up work and make employees more productive. However, healthcare organizations store a lot of extremely sensitive information and should consider protection measures before including mobile devices in their workflow.
An MDM system helps to mitigate the threats of employees’ personal devices. With such features as MFA, remote data and device management, and encryption, you’ll achieve visibility into any action on corporate and private devices. Also, with MDM, you can implement a BYOD policy in a safe manner.
Developing such a solution for healthcare is tricky because of the high demands for healthcare mobile device privacy and security and standards of data protection. At Apriorit, we have vast experience developing mobile applications and data management systems that comply with IT standards and provide a high level of data security. If you have a project in mind, feel free to contact us!