Would you want strangers to see your private medical information? Although it’s not widely discussed, having healthcare documents exposed is like having your password sent out into the world, except with a password, things can still be recovered. Your medical records are more personal and compromising than someone leaking an embarrassing photo of you in a hospital gown and blowing it up on the jumbotron at an ice hockey game.
What’s strange about this, though, is that most people are not really bothered about sharing data through email or via unsecured mobile devices that are about as leak-proof as a kitchen colander. This may be okay when turning over your email, name, and phone number for a free frozen yogurt coupon, but when using a telehealth service? That’s madder than King Lear.
In much of the developed world and (coincidentally) hospitals in rural India, devices are provided to doctors by the hospital they work for. This could mean tablets used to harvest proprietary patient information or do telehealth calls, or the smartphones doctors use to conduct business and receive urgent hospital pages, as seen in TV shows like Grey’s Anatomy. I’ve never worked in a hospital, but I assume they have a secure paging smartphone app to replace the 1990s-style beepers these days.
On your tablet, you need a basic firewall and a VPN installed to keep the fundamental levels of security required for HIPAA compliance. This falls within the remit of the IT department because doctors probably don’t have time to figure out enterprise cybersecurity after 12 years of medical school.
Bad actors know that doctors might be wholly dependent on their IT network to keep them safe, and may not be extremely “cyber aware” when they’re doing things like defibrillating the patient being pulled from the helicopter, so they will try to exploit as many things as they can, whenever they can.
A robust endpoint management solution can help manage and monitor multiple devices across any size organization. HIPAA compliance mandates that hospitals utilize such a solution in order to secure the data they collect, so picking the right one is crucial.
Telehealth and other vulnerabilities
Consider a situation in which the patient is old or infirm, and the hospital provides a secure device to the healthcare home they live in so that medical professionals can help coordinate a remote doctor/patient liaison.
Increasingly, care homes are switching to telehealth solutions to allow caregivers to let their patients speak with their doctors for weekly or periodic consultations. Where things get sticky (lots of things can get sticky in care homes) is how there usually aren’t enough devices for the number of patients under care, so multiple devices collecting everyone’s data end up circulating throughout the home.
The entire patient record and history of everyone in the care home can be accessed through these devices, so the chances of stealing information and identity theft run quite high. Unified Endpoint Management solutions (UEMs) can be used to make sure both parties (the hospital and the care home) are using only the secure and necessary applications required for their work rather than any other method of communication. This can be achieved by blacklisting and whitelisting applications and by putting the device into a kiosk mode that is for work only.
People steal things sometimes
This happens more frequently than you would like to believe. It’s common everywhere for devices to be issued to medical workers who go out into the field to check on patients, and sometimes those devices disappear. There are a lot of situations in which the fieldworker’s device is stolen by the patients too. UEMs provide location tracking, which means these devices can be accounted for.
Also, the hospitals can check up on the location of their devices to see if the people they’ve sent out are actually going to the homes of the people they’ve been assigned to visit and not doing something else entirely.
Hospitals need to track their devices so they can create reports on how long field workers are spending at patients’ houses in order to optimize the efficiency of their operations and make sure the best medical workers for the job are going to the best geographic locations. If a device is lost or stolen, a UEM will allow the hospital to remotely wipe the device if needed.
Preventing lazy side-hustles
UEMs can restrict the copy/pasting function of devices and can disallow users from connecting their USB devices to transfer data. They can also limit the copying of files outright. This is great news because insurance companies will pay buckets of cash for medical data.
Having the UEM in place on hospital healthcare workers’ devices prevents moneyed breaches facilitated by side-hustling hospital employees. Even though a third of healthcare breaches are caused by preventable human error, it’s unknown how much medical data is leaked per year for profit.
Consider this the next time a celebrity ends up in the hospital. None of the staff, doctors, or nurses are allowed to say anything to the rabble of media waiting around outside, but nonetheless, details still inevitably emerge. A UEM could prevent these kinds of leaks from going out on hospital devices.
Organizations can configure their email so that no Google/Outlook accounts other than the proprietary ones can be logged into on the device, and app management can be used to prevent blacklisted apps that hoover up data for the Chinese government from being downloaded.
The bottom line
In today’s digital privacy landscape, CISOs at healthcare providers and healthcare groups need to select an endpoint management solution that will allow their end-users to safely work with proprietary patient information without the risk of a data leak.