The National Cybersecurity Center of Excellence (NCCoE) at NIST has released a draft of its first guide on how to make mobile devices more secure to protect patient information.
The guide, "Securing Electronic Health Records on Mobile Devices," provides critical background but doesn’t address some key aspects of device security, several experts tell Healthcare Dive. They characterize it as a highly technical guide that will be helpful for upper-level IT professionals, but note that many organizations lack access to such expertise, and that the guide fails to take into account the behavior of the end user.
“It’s a step in the right direction. Any guidance is helpful. Unfortunately, from our perspective, I consider it to be incomplete,” says Harjot Sidhu, VP of Consulting at Vox Mobile.
Here is a rundown on the feedback provided to Healthcare Dive on the guide:
Positives
“The NIST guide is actually a great start,” says Kunal Rupani, principal product manager at Accellion. “It’s a how-to and best practices guide for CIOs, CISOs and security engineers who are designing a solution and building the infrastructure for collaboration and content sharing in their organization.”
Sidhu at Vox suggests the guide is very strong in its focus on several areas including network and LAN security, encryption, Defense in Depth strategy and multi-factor authentication.
Cameron Camp, security researcher at ESET, adds that the guide will serve as a reference that may help organizations understand how they stand up against a plausible guideline.
Policy discussions
Given that the target audience for the guide is technical staff, “I don’t fault them on the lack of policy and procedures because that may fall into another realm of the organization,” Vox’s Sidhu says.
However, he suggests the need to incorporate policy discussions on topics such as how to respond when a device is lost (including internal procedures and instructions to users); what devices should be allowed (for example, disallowing jailbroken devices or Androids from unapproved manufacturers); and containerization of information for devices being used for both work and personal use.
“If it’s specifically about mobile device security you need to get a little deeper in terms of recommendations,” Sidhu says.
Security in general needs to be thought of as a holistic problem, adds Accellion’s Rupani.
“The way you design your infrastructure, which this document talks about, is of utmost importance… but a lot of security issues are coming from mobile devices and users within the organization,” he says.
Lack of network discussion
The NIST guide is very specific to securing communication between a mobile device and the EMR in a particular WiFi environment, Sidhu says. However, “If you’re using an iPhone away from the hospital, on a Verizon or AT&T network, they don’t touch on that at all, and that will be an increasing part of an individual’s day-to-day activity.”
“They need to look at the actual behavior of the end users in terms of where they are and where they go,” Sidhu adds. “Much of the discussion in the guide is invalid if an employee is trying to connect from the outside world.”
Lack of attention to apps
Numerous experts have noted that the guide fails to address the use of apps on mobile devices, assuming users will input information directly into an EMR via a web interface.
“They’re looking at securing the communication from a browser, and I don’t feel that that’s very realistic,” Sidhu says.
He suggests users are more likely to use an EMR app to input information, or to copy and paste information from other tools such as emails, voice to text features, and note apps.
“They didn’t address those more realistic scenarios of what a doctor’s going to do,” he says.
As Sam Rehman, CTO of Arxan Technologies, puts it, mobile devices are “at the mercy of the applications that operate them.”
He recommends that the guidelines include a dedicated focus on application self-protection as a way to minimize threats that can result from application tampering and malicious attacks.
The need for guidance is clear. A February 2015 report from IBM and the Ponemon Institute found significant flaws in how healthcare companies are developing and securing mobile apps, and showed that 50% of companies provide no budget to secure the mobile apps they build for customers.
Affordability and accessibility
As noted by Nick Merkin, CEO of Compliagent, the guide is designed primarily for use by “security engineers and IT professionals” – or organizations with access to those types of experts. However, he writes, “I would love to see at least part of the guide targeted to smaller healthcare organizations with realistic spending constraints.”
At the same time, Cigital Senior Security Consultant Dan Lyon suggests the guide may indeed help fill the gap in cybersecurity expertise at healthcare organizations, writing, “This guide may help some organizations more efficiently analyze and reduce the risks involved with mobile devices through commonly available tools.”
Is the guidance realistic?
Cigital’s Lyon adds that one of the challenges with this type of effort is that the underlying technologies can change rapidly, meaning that “by the next revision of Android or iOS, some of the same guidance may not apply.” He writes that the guide has addressed this through a risk traceability matrix that will enable continued analysis under new revisions of technology.
A related challenge is that people switch devices – a lot, says Vox’s Sidhu.
Every time a device is lost, stolen, damaged or upgraded, you have to set it up again, he says—and with common arrangements such as two-year plans, that could mean that upwards of 50% of an organization’s people are switching devices on an annual basis.
“And the how-to guide has seven pages on set-up for the device itself,” Sidhu says. “If 50% of your workforce is switching devices on an annual basis and you’ve got seven pages of set up, you need to be prepared for that.”
Moving forward
Comments on the draft guide can be sent to [email protected] by Sept. 25.