Ransomware attacks have been all over the news recently. This class of malware has crippled healthcare businesses, from small and midsize medical practices to large hospital systems, holding their electronic data and IT systems hostage until they pay off their attackers or – if they’re well prepared – can restore a viable backup. And as my colleague Mark Wilson described earlier this week, mobile devices could become the next entry point for ransomware attacks against healthcare institutions.
(This post was co-written with BlackBerry security expert Jay Barbour)
Small and midsize organizations are especially vulnerable to ransomware attacks because they often have fewer IT resources than big companies. They may not be strictly following best practices or doing regular data backups of all critical servers. They may also have a harder time controlling their environment and ensuring employees follow their anti-phishing and other training to prevent such malware from taking root.
The truth, though, as recent ransomware attacks on major medical systems show, is that few organizations are invulnerable to malware.
Good news: from a mobility perspective, ransomware isn’t your biggest issue. Bad news: there are a lot of other security risks that you need to get a grip on, and mobility could become the next entry point for ransomware and an exfiltration point for sensitive data, including personal health information (PHI). Here are some ways to tighten your mobile healthcare security and reduce your risk.
- Prevent data leakage off the devices. PHI and other identity data leaks off mobile devices, and the problem is worst on devices without workspace containerization. Without containers, personal and sensitive data inevitably commingle in spite of security awareness training and good intentions. Consumer cloud file-sharing services are easy to use on mobile devices, and unless you restrict them, employees will use them. There are also many documented cases of “personal” applications harvesting private data (possibly including PHI) from devices and sending it to outside parties.
- Make sure data is properly encrypted at rest. BYOD makes employees happy and cuts costs versus supplying everyone with a work device. But it also opens significant risk: subpar data-at-rest encryption implementations are widespread across the Android device population. Forcing device-wide authentication requirements onto a personal device to protect PHI is also a usability problem: users will complain that they have to enter strong passwords just for personal use. Work containers solve this by requiring only workspace authentication; personal use does not require a password. Work containers also provide their own strong data-at-rest encryption, layered on top of whatever OS is running underneath, so the container’s protection does not depend on the quality of the platform’s disk encryption. (It does still depend on the OS keeping the container’s process and memory isolated while the workspace is unlocked, which is one reason rooted and jailbroken devices matter; see below.)
- Don’t allow mobile devices to be the entry point for malware. With personally owned devices, you can’t be sure that people are installing security updates or only reputable apps. Skycure recently looked at devices used in healthcare and found that 14% of them weren’t password protected, 11% were using outdated operating systems and 43% were at moderate or high risk for data exposure. Furthermore, some healthcare environments rely on ActiveSync alone to manage devices; ActiveSync policies can require a passcode, but they give you no good way to enforce a baseline OS version or patch level. Unpatched devices mean potential exposure to hundreds of known vulnerabilities, which are ideal entry points for malware. Jailbroken and rooted devices are another common way device security gets undermined. Containers and MDM solutions typically offer jailbreak/root detection to manage this risk; treat that detection as one layer, since a determined user can hide a jailbreak from it, and pair it with OS-version and patch-level compliance checks.
- Have a solid notification plan in place so you’re ready if malware enters your system. We commonly think of crisis communications when we need to notify people about natural disasters, violence or other life-threatening events, but crisis communications systems like the one offered by BlackBerry subsidiary AtHoc can pull double-duty to send secure messages with instructions to employees to reduce the damage if your IT systems are hacked. (It’s also a great tool for disaster and crisis management, keeping all stakeholders up to date on risk and response.)
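As an added example (not from the original post and not code from any BlackBerry product), here is the kind of baseline compliance check an MDM performs and ActiveSync alone cannot: each device record is tested for a set passcode, an OS version at or above a per-platform minimum, and a jailbreak/root flag, and the fleet is summarized in the same terms as the Skycure figures quoted above. The baseline versions, the device records and the finding names are constructed for illustration.

```javascript
// Added example: MDM-style baseline compliance check over a device inventory.
// BASELINE, SAMPLE_DEVICES and the finding names are constructed for this demo.

// Hypothetical minimum OS version per platform at the time of the check.
const BASELINE = {
  ios: "9.3.1",
  android: "6.0.1",
};

// Compare dotted version strings component by component as numbers, so that
// "9.10" sorts after "9.3.1" (a plain string compare would get this wrong).
// Returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const x = pa[i] || 0; // missing trailing components count as 0
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Evaluate one device record against the baseline.
// Returns the list of findings; an empty list means the device is compliant.
function evaluateDevice(device, baseline = BASELINE) {
  const findings = [];
  if (!device.passcodeSet) findings.push("no-passcode");
  const minimum = baseline[device.platform];
  if (minimum === undefined) {
    findings.push("unknown-platform"); // not covered by policy: flag, do not silently pass
  } else if (compareVersions(device.osVersion, minimum) < 0) {
    findings.push("outdated-os");
  }
  if (device.jailbroken) findings.push("jailbroken-or-rooted");
  return findings;
}

// Summarize a fleet: per-device findings, the non-compliant device ids, and
// the fractions that correspond to the survey figures quoted in the text.
function summarizeFleet(devices, baseline = BASELINE) {
  const perDevice = devices.map((d) => ({ id: d.id, findings: evaluateDevice(d, baseline) }));
  const count = (tag) => perDevice.filter((r) => r.findings.includes(tag)).length;
  return {
    total: devices.length,
    nonCompliant: perDevice.filter((r) => r.findings.length > 0).map((r) => r.id),
    noPasscodeRate: count("no-passcode") / devices.length,
    outdatedRate: count("outdated-os") / devices.length,
    jailbrokenRate: count("jailbroken-or-rooted") / devices.length,
    perDevice,
  };
}

// Constructed sample inventory (not real devices).
const SAMPLE_DEVICES = [
  { id: "d1", platform: "ios", osVersion: "9.3.1", passcodeSet: true, jailbroken: false },
  { id: "d2", platform: "ios", osVersion: "9.2", passcodeSet: true, jailbroken: false },
  { id: "d3", platform: "android", osVersion: "6.0.1", passcodeSet: false, jailbroken: false },
  { id: "d4", platform: "android", osVersion: "5.1.1", passcodeSet: true, jailbroken: true },
  { id: "d5", platform: "ios", osVersion: "9.10", passcodeSet: true, jailbroken: false },
];

console.log(JSON.stringify(summarizeFleet(SAMPLE_DEVICES), null, 2));
```

In a real deployment the device records come from the MDM's inventory API and the baseline is updated each time the vendor ships a patch level you want to require; the point of the numeric version compare is that a naive string comparison would rate "9.10" as older than "9.3.1" and wrongly flag an up-to-date device.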
Admittedly, these are tough things to control when you’re dealing with personally owned devices. The common thread to solving all of these security problems, and a whole bunch more, is using a container to separate work and personal use. By locking work data inside a container, the risky behavior that comes with personal device use is kept away from work data and from your network. The container also encrypts business data in transit and at rest, without the usability problems that people otherwise complain about.
Last fall, BlackBerry acquired Good Technology, creating the largest and most capable enterprise mobility management (EMM) provider on the market. Good Container is both affordable and secure by default, and the user experience is seamless, eliminating many of the usability complaints from other methods.
But the bottom line for you and your healthcare organization is this: the risks are too great to leave mobile security to chance, and you and your users no longer have an excuse for not using best practices to protect PHI and other personal data on mobile devices. BlackBerry has you covered, with a full suite of containerization, secure file sharing, crisis communications and enterprise mobility management solutions, not to mention the knowledge, experience and solutions your hospital depends on to manage and protect your security.
Mobility gives healthcare organizations a way to efficiently deliver the best quality patient care. However, with so many issues to consider, how do decision makers create a solid game plan for adopting secure mobility in healthcare? The BlackBerry Guide to Mobile Healthcare is a great start. Get your free copy, just by filling out the form on this page.
Security standards around connected medical devices are woefully lacking, but that’s about to change. Don’t miss the unveiling of DTSec, the first consensus cybersecurity standard for medical devices with security and assurance requirements, by BlackBerry Chief Security Officer David Kleidermacher. It’ll happen May 23-24 at MEDSec 2016, the first international conference covering security and privacy for the Internet of Medical Things. Learn more and register today at MEDSecMeeting.org.