Healthcare organizations use mobile devices to facilitate communication among doctors, patients, and staff, provide remote services, remotely monitor patients’ health, work with documents, etc. Transferring bureaucratic activities to a smartphone is a great way to increase the efficiency and quality of healthcare services. But using mobile devices, especially personal ones, comes with a lot of security, usability, and compliance challenges.
A mobile device management (MDM) solution can help to protect an organization’s security perimeter and sensitive data. In this article, we discuss the major demands of MDM software in healthcare and the features required of an MDM application. This post will be useful for mobile application developers and healthcare professionals who want to know more about the nuances of building an MDM solution.
Mobile device management, or MDM, is a system of applications, frameworks, and corporate policies that regulate the use of mobile devices (laptops, smartphones, tablets). MDM provides an additional level of security, monitoring, management, and support to both corporate and private devices while making the work environment more flexible and comfortable for employees. We’ve covered a typical MDM architecture and the process of developing MDM software in a previous post.
MDM became especially important alongside the popularization of bring your own device (BYOD) policies. These policies allow employees to use personal devices for work and are convenient both for employees and companies. For employees, it’s more comfortable to work with a single device instead of two (personal and corporate). And employees using personal devices are usually more productive. Additionally, companies that implement BYOD policies lower costs by not having to purchase corporate devices.
On the other hand, BYOD brings a lot of security issues. Private devices have access to sensitive corporate data and resources but aren’t as secure as corporate ones. This makes them an easy target for hackers. Moreover, an employee can sell a device, lose it, or share it with somebody. In all of these cases, outsiders will gain access to sensitive data.
When implemented correctly, an MDM solution protects a company’s IT environment from these threats. Moreover, it brings the following benefits:
- Secures mobile devices. A basic MDM solution should be equipped with access management, encryption, remote management, and automatic log off (or shut off) features. All of that makes stealing data from a mobile device much harder.
- Makes mobile management faster and easier. With a single solution to manage all corporate laptops, phones, and tablets, it’s much easier for an IT security officer or an IT auditor to assess the level of security in their organization.
- Manages devices remotely. If a device is lost or stolen, data saved on it is considered compromised. An MDM solution can wipe data or block a device remotely. Also, an MDM solution can control device updates, installed applications, and configurations.
- Enforces security policies. Meeting the requirements of corporate security environments is the responsibility of every employee. But in real life, some rules are neglected because they slow down the work process or are simply unclear. MDM solutions can enforce security policies regardless of employee opinions.
- Reduces costs for IT administration. The obvious cost reduction comes from enabling a BYOD policy. Also, an MDM solution speeds up and partially automates device management.
Healthcare organizations and MDM
In healthcare institutions, mobile devices are used to:
- Manage administrative tasks (appointments, doctors’ schedules, etc.)
- Provide quick access to medical records
- Improve communication between doctors, other medical personnel, and patients
- Reduce bureaucracy
According to the Verizon Mobile Security Index 2018, 35% of healthcare organizations suffered a data loss or downtime due to a security incident with a mobile device. Leaking protected health information (PHI) leads to severe compliance penalties and loss of reputation.
This makes the benefits of an MDM solution particularly important in healthcare due to the amount of sensitive data that can be collected, stored, and processed on mobile devices. Implementing an MDM solution is even recommended by the US Department of Health and Human Services in their HHS Policy for Mobile Devices and Removable Media.
The sensitive nature of protected patient data makes it critical to protect healthcare mobile devices from cyber threats. Let’s take a closer look at additional security challenges when developing MDM solutions for healthcare applications.
Security challenges of building a healthcare MDM solution
Mobile device security is one of the biggest concerns in healthcare. According to a 2018 report by Jamf titled The Impact of Mobile Devices on Hospital Patient Satisfaction, 49% of IT decision-makers in the healthcare industry believe their devices need better security.
Healthcare organizations are a desirable target for hackers: more than 41 million health records were stolen or leaked during 2019. Furthermore, data breaches in healthcare are among the most expensive, costing an average of $408 per record. The average among other industries is $148 per record, according to the 2019 Cost of a Data Breach Report by the Ponemon Institute. Therefore, it’s vital to protect health information on mobile devices.
Here are the top concerns about PHI security on mobile devices:
- Physical security. Mobile devices are easier to steal or lose than computers and servers. Hackers may obtain health information from a stolen device or use it to gain access to an organization’s network. Also, there’s a risk of improper disposal of retired devices, which should be wiped or destroyed. Instead, these devices are sometimes sold or used as personal devices.
- Data abuse and misuse. According to the 2019 Data Breach Investigation Report by Verizon, 59% of data breaches in healthcare were caused by internal actors. Health information is as valuable on the black market as financial information, which may motivate employees to sell data or leak it on purpose.
- Employee mistakes. More than half of healthcare data breaches were unintentional, states the same Verizon report. Doctors have to perform a lot of bureaucratic procedures that require time and high accuracy. This may lead to mistakes and inadvertent data leaks.
- Intentionally compromised devices. BYOD policies are common in healthcare organizations. But it’s not possible to completely ensure the security of a user’s device. For example, rooting or jailbreaking might open a backdoor for hackers.
- Regulatory compliance. In healthcare, there are strict requirements for the security of IT solutions that work with PHI. Complying with these requirements is a must for any healthcare organization. For example, US companies have to comply with the Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology for Economic and Clinical Health Act, and the HHS Policy for Mobile Devices and Removable Media. In the UK, companies have to comply with the Data Protection Act. And in the EU, they have to comply with the GDPR.
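The two lists above (the MDM features a healthcare solution needs, and the device-level concerns those features answer) come together in one piece of logic: a compliance-policy evaluator that maps a device's reported posture to an action. The following is an added example written for this article, not code from the article or from any MDM product. The device record fields, the policy thresholds (minimum OS version, a 120-second auto log-off window, a 7-day check-in limit), the action names and the sample fleet are all constructed assumptions for illustration.

```python
"""Toy MDM compliance evaluator for a healthcare device fleet.

Added example, not code from the article or any MDM product. Device fields,
policy thresholds, action names and the sample fleet are constructed.
"""
from dataclasses import dataclass, replace
from enum import Enum


class Action(Enum):
    ALLOW = "allow"               # compliant: PHI apps may run
    ENFORCE = "enforce_config"    # push a corrected setting, keep access
    QUARANTINE = "quarantine"     # block PHI apps until remediated
    WIPE = "remote_wipe"          # lost or stolen: wipe the managed data


@dataclass(frozen=True)
class Device:
    device_id: str
    owner: str
    os_version: tuple           # (major, minor), e.g. (13, 2)
    disk_encrypted: bool
    screen_lock_timeout_s: int  # seconds of inactivity before auto-lock
    rooted_or_jailbroken: bool
    days_since_checkin: int = 0
    reported_lost: bool = False


@dataclass(frozen=True)
class Policy:
    min_os_version: tuple = (13, 0)  # assumed organisational baseline
    max_lock_timeout_s: int = 120    # auto log-off window for PHI devices
    max_checkin_days: int = 7        # silent devices are treated as unknown


def evaluate(device: Device, policy: Policy) -> tuple[Action, list[str]]:
    """Map one device's posture to an action plus the reasons for it.

    Order matters: a lost device is wiped regardless of anything else; hard
    failures (root, no encryption, old OS, stale check-in) quarantine; a merely
    loose setting is corrected in place rather than blocking the clinician.
    """
    if device.reported_lost:
        return Action.WIPE, ["device reported lost or stolen"]

    findings = []
    if device.rooted_or_jailbroken:
        findings.append("rooted or jailbroken: OS integrity cannot be trusted")
    if not device.disk_encrypted:
        findings.append("storage not encrypted")
    if device.os_version < policy.min_os_version:
        findings.append(
            f"OS {device.os_version} below baseline {policy.min_os_version}")
    if device.days_since_checkin > policy.max_checkin_days:
        findings.append(f"no check-in for {device.days_since_checkin} days")
    if findings:
        return Action.QUARANTINE, findings

    if device.screen_lock_timeout_s > policy.max_lock_timeout_s:
        return Action.ENFORCE, [
            f"lock timeout {device.screen_lock_timeout_s}s > "
            f"{policy.max_lock_timeout_s}s; pushing corrected value"]
    return Action.ALLOW, []


def apply_enforcement(device: Device, policy: Policy) -> Device:
    """Device state after the agent applies the fix for an ENFORCE verdict.

    Only a setting the agent can change is touched; a rooted or unencrypted
    device stays quarantined until a person or a re-enrolment fixes it.
    """
    return replace(device, screen_lock_timeout_s=min(
        device.screen_lock_timeout_s, policy.max_lock_timeout_s))


def fleet_report(devices, policy) -> dict:
    """Count of devices per action: the summary an IT auditor wants."""
    counts = {a.value: 0 for a in Action}
    for d in devices:
        action, _ = evaluate(d, policy)
        counts[action.value] += 1
    return counts


# Constructed sample fleet (not real devices or people).
SAMPLE_FLEET = [
    Device("tab-001", "dr.ada", (13, 4), True, 60, False),
    Device("ph-002", "nurse.bo", (13, 1), True, 600, False),      # loose lock timeout
    Device("ph-003", "dr.cy", (13, 2), True, 60, True),           # jailbroken
    Device("tab-004", "admin.di", (12, 5), False, 60, False),     # old OS, no encryption
    Device("ph-005", "dr.ev", (13, 4), True, 60, False, days_since_checkin=30),
    Device("ph-006", "dr.fi", (13, 4), True, 60, False, reported_lost=True),
]
POLICY = Policy()

if __name__ == "__main__":
    for d in SAMPLE_FLEET:
        action, why = evaluate(d, POLICY)
        print(f"{d.device_id:8} {action.value:15} {'; '.join(why)}")
    print(fleet_report(SAMPLE_FLEET, POLICY))
```

The ordering inside `evaluate` is the design point: a lost device is wiped before any other check runs, integrity and encryption failures block PHI access rather than merely warning, and a setting the agent can correct is corrected silently so the policy holds "regardless of employee opinions" without interrupting care. A real agent would also log every verdict to an audit trail, since insider misuse shows up in access patterns rather than in device posture.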