News Feature | February 7, 2014

Make Mobile Secure

Source: Health IT Outcomes

By Katie Wike, contributing writer

Mobile devices are difficult to regulate and secure, especially in healthcare, where sharing information could lead to HIPAA violations.

The FDA released guidelines for mobile devices citing security as a main concern by writing, “Authentication and wireless encryption play vital roles in an effective wireless security scheme. Use of the latest up-to-date wireless encryption is encouraged.” FDA officials said at the time that greater levels of encryption and more security would ease providers’ worries.

Some are, however, still worried.

“In 2013, the Department of Homeland Security issued an alert on an emerging threat to healthcare and patient safety,” Mac McMillan, president and CEO of CynergisTek and chairman of the HIMSS Privacy and Security Policy Task Force, wrote for mHealthNews. “Those of us in healthcare, meanwhile, have known about this issue for more than a decade.

“I applaud the DHS and their effort to shine a bright light on a serious issue that does need to be addressed: Medical devices are not secure. They pose a threat to the networks to which they are attached and communicate with, and to the individuals who rely on them – in some cases for critical, life-sustaining purposes.”

McMillan notes the government has known about the problems associated with not securing mobile devices for years, writing, “The DHS alert came on the heels of a research project that found 300 devices from 40 different vendors vulnerable,” before asking, “So what are we doing about all of this scary stuff?”

McMillan explains the FDA has issued two guidance documents, “The first ... addressed pre-market submission considerations for medical device manufacturers, including features and controls that they should consider, and hopefully include, in their medical devices.” This includes strong passwords, encryption, and updated software.

“The second guidance dealt with radio frequency requirements for medical devices communicating wirelessly – again, things that a manufacturer should consider when designing and producing devices, such as frequency quality, wireless co-existence or resiliency around other wireless devices, security of wireless communications (think encryption), compatibility with other wireless devices and procedures for implementation and maintenance.”

InformationWeek presents the results of its 2013 Mobile Security Survey in an infographic that echoes the concerns expressed by McMillan. According to the infographic, 45 percent of networks allow any user on as long as they agree to the policy, with no way to enforce it against those who violate it, and only 53 percent of networks require a password of four or more characters. Even more shocking, of the organizations that reported mobile security breaches in the last year:

  • 45 percent had a mobile device containing enterprise data go missing
  • 11 percent have lost data requiring public disclosure
  • 13 percent do not even enforce encryption on mobile devices
  • 28 percent believe they are not subject to any regulations, a statement InformationWeek playfully calls denial

The number one excuse organizations cited for these issues? They lack the skills to manage encryption, followed by claims that costs are the biggest issue.

McMillan addresses those who are slow to adapt, writing, “The question is, will 2014 mark a turning point in this situation? Will medical device manufacturers embrace the need to build more secure devices, or will the FDA, reluctantly or not, need to issue more new rules?”
