Unfortunately, mobile devices are a big risk factor that some healthcare agencies actively ignore. HealthITSecurity reported back in 2020 that 37 percent of surveyed organizations indicated that they sacrificed mobile security for the sake of efficiency. Here’s why, and what your organization can do to avoid that temptation.
Healthcare Apps and the Cloud
Mobile devices are meant to make care coordination easier by storing patient data in healthcare apps and the cloud. However, many staff members claim they aren’t aware of how many apps their organizations use, much less how much security is afforded by those apps or the network connections they choose to run them on. Yet awareness doesn’t always equal compliance: sixty-five percent of healthcare leaders admitted to accessing work-related materials on public wireless networks, and nearly a quarter of them were openly violating their organizations’ security policies.
Suffice it to say, protection against a data breach is as much a matter of internal training and controls as it is of the digital tools available to an agency’s IT team. Consider implementing the following safeguards.
Establish a Formal Acceptable Use Policy (AUP)
This outlines which networks your mobile devices are allowed on and which apps they’re permitted to install. It is relevant whether you purchase and provide these devices to your employees or give them a Bring Your Own Device (BYOD) option. Make sure the networks available to your staff are secure through penetration testing, and restrict access to apps that haven’t been vetted. If devices are identified as vulnerable or infected by malware, lock and isolate them. If any are reported lost or stolen, change app passwords and block any network access those devices may have had.
Implement a Zero Trust Policy
The concept of Zero Trust is that everyone is considered a potential security risk until verified — even internal users of the organization. In the event that a team member’s account is compromised, the responsible party only has access to that user’s information and cannot interfere with other portions of the network. This is achieved through multi-factor authentication, limiting user access to only the data their positions require, and maintaining an active log of all network activities.
While we mentioned above that some organizations do permit users to bring their own devices to work, this may overly complicate your data security. Devices that you issue directly to your staff are easier to monitor, and it is easier to control what they can access, especially when they won’t be used for personal purposes on potentially unsecured networks outside of your office. The costs involved are far more reasonable than the revenue loss you could suffer from a ransomware attack.
If your team would like guidance on how to implement these kinds of cybersecurity measures, let us know. Click here to contact us for more information, or to schedule time for a call to discuss your specific needs.