By: Barry J. Ewell / Honeywell
Healthcare organizations are deploying mobile devices in ever-increasing numbers to improve patient experience and clinician/staff productivity. The use of mobile devices by healthcare professionals has transformed many aspects of the healthcare setting and medical software applications’ growth.
Healthcare providers increasingly use mobile devices to store, process and transmit patient information. This information is especially vulnerable to attack. When health information is stolen, inappropriately made public, or altered, healthcare organizations can face penalties and lose consumer trust, and patient care and safety may be compromised. 1
According to the US Department of Health and Human Services2, anyone with physical access to such devices and media, including malicious actors, potentially has the ability to change configurations, install malicious programs, change information, or access sensitive information — any of these actions has the potential to adversely affect the confidentiality, integrity, or availability of protected health information (PHI).
The federal agency went on to stress that policies and procedures are required by HIPAA to limit physical access to mobile devices. Healthcare administrators are also needed to track the movement of these devices around healthcare facilities. Healthcare organizations can’t keep pace with the rapid increase in mobile use for healthcare regarding their security knowledge and policies. The consequences can be costly.
Mobile Devices are a Potential Minefield of HIPAA Violations. While improved productivity and the clinician experience are often stated as the main reasons for implementing a mobile communications solution, security and HIPAA compliance are top priorities when vetting providers.3 In a HIMSS-Honeywell survey respondents 94% listed security and compliance as the most important factor when considering vendors. 10
Even with secure mobile devices, there is substantial potential for users to violate HIPPA rules or company policies. Without the necessary controls, devices can be compromised, and the electronic Protected Health Information (ePHI) stored on them exposed. Consumer-grade mobile devices (i.e., smartphones, tablets, and laptops) are the target of cybercriminals because they are viewed as easy entry points into the healthcare network.
The issue goes beyond HIPAA requirements. PHI, medical devices and other data are vulnerable to cyberattacks due to both outdated clinical technology and the use of consumer-grade devices. These devices often lack the lack robust security controls, used to connect to networks via public Wi-Fi, and there is considerable potential for theft or loss.4
According to Gartner5, 80% of healthcare delivery organizations (HDOs) will have been the target of a cyberattack through a mobile device, 20% of those will originate from consumer-grade mobile devices.
External vs. Internal Cyber Security Attack
At Honeywell, we have seen an escalation of our customers’ cyberattacks across all sizes worldwide. Cybersecurity attacks can come from external and internal sources. Cybersecurity is about protecting your company’s valuable information, your customer’s information, and your reputation and brand by preventing security breaches.
Cybercriminals use computers and networks to commit crimes. Their technical skills and knowledge range from being able to write “script kiddies” who use others’ malicious code, to those that are very talented hackers. Their motives for committing the crime range from monetary gain to the desire for just having fun. 6 Hackers understand how people work and will find a way to hack into your system if they try long enough. Once the cybercriminal gains access, they stay inside your system unnoticed for some time. Hackers may never be found or even discovered until it’s too late. According to Gartner, “More than 50% of breaches are undetected for multiple months, which can lead to unrecoverable data corruption.” 7 Let’s take a closer look at external vs. internal attack risks.
External cybersecurity risk. Imagine your network receiving zero-day or brute force password attack that focuses on looking for a way into your system a thousand times a second until gaining access. Attacks can come in the form of viruses and methods such as:
· Malware. Software that is specifically designed to disrupt, damage, or gain unauthorized access to a computer system.
· Malvertising. The use of online advertising to spread malware. It typically involves injecting malicious or malware-laden advertisements into legitimate online advertising networks and webpages.
· Phishing and spear phishing. A phishing attack is where hackers send fraudulent emails purporting to be from reputable companies to induce individuals to reveal personal information, such as passwords and credit card numbers. Spear phishing is an email or electronic communications scam targeted towards a specific individual, organization or business.
· DDoS (distributed denial-of-service) attacks. A malicious attempt to disrupt normal traffic of a targeted server, service or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic. This takes place when a massive number of machines are directed to attack the target with traffic. These machines are typically infected with viruses controlled by one overall attacker.
· Session hijacking. This is an attack where a user session is taken over by an attacker. A session starts when you log into a service, for example, your banking application, and ends when you log out. The cybercriminal replaces their IP address for the client’s, and the server continues the session. During this attack, the server believes it is still communicating with the trusted client.
· Ransomware. Malicious software that blocks you from accessing your own data. The digital extortionists encrypt the files on your system and add extensions to the attacked data and hold it “hostage” until the demanded ransom is paid. Ransomware is often hidden in downloads made to appear like video clips or games.
· Drive-by attack. Malicious scripts spread malware around the web. Drive-by downloads happen most commonly on web pages, pop-ups and emails. Cyberhackers look for insecure websites and plant scripts in the code on one of the pages. The malicious scripts, for example, can install malware on the computer of a web page visitor or redirect the visitor to a website that is controlled by the cybercriminal.
These are just a few of the viruses and methods cyber criminals/hackers can use to externally gain access to your site, software, or network.
Internal cybersecurity risk. Internal risk stems from employees. Most of the time is purely by accident unbeknownst to the worker. The cybercriminal is focused on obtaining an employee or admin credentials, allowing them to move inside the network with complete access to the system. Now your internal data is exposed, such as:
· Trade secrets and intellectual property
· Regulated data
· Sensitive data
· Information about products and internal research
· Financial and personal staff information
· Source code
Even if your devices only connect to an internal server and don’t reach the internet, you need to be concerned. There have been more breaches “inside four walls” than out. In 2018, 59% of attacks were not through the internet. Vulnerabilities may be exploited by a breach elsewhere in the network and attack unprotected devices from the “inside out.”
Most common causes of malicious data breaches. Malicious attacks were the most numerous and were primarily due to cloud misconfigurations and compromised credentials, with each accounting for 19% of breaches. Vulnerabilities in third-party software were cited as the breach cause in 16% of incidents, following by phishing (14%), physical security compromises (10%), malicious insiders (7%), system errors and other misconfigurations (6%), and business email compromise attacks (5%). Breaches involving compromised credentials were the costliest, followed by breaches due to vulnerabilities in third-party software and cloud misconfigurations.8
In reality, many hidden expenses must be taken into account, such as reputational damage, customer turnover, and operational costs. Knowing where the costs lie and how to reduce them can help companies invest their resources more strategically and lower the huge financial risks at stake.9
Healthcare Data Breaches are the Costliest. According to IBM Security’s 2020 report10, healthcare data breaches are the costliest. The cost of an average healthcare data breach is $7.13 million globally, with an average cost of $146 per record. In the United States, the average cost for a breach was $8.6 million or $175 per record. To put it in perspective, a breach of 1 million to 10 million records cost an average of $50 million, breaches of 10 million to 20 million records cost an average of $176 million, and a breach of 50 million records was calculated to cost $392 million to resolve.
Globally it took 280 days to detect and contain a breach and 315 days to detect and contain a malicious attack. In the United States, it took an average of 186 days to identify a data breach and 51 days to contain the attack.10
Enterprise mobility solutions are required. It is common for IT to manage a portfolio healthcare mobile device across multiple facilities, associations, professional groups and departments. Because of all the distinct networks, managing IT issues centrally and sharing protected health information (PHI) is challenging. You need a mobility solution with advanced security.
Fortunately, enterprise mobility solutions come with powerful tools that enable IT departments to manage apps, protect lost or stolen devices and offload sensitive business and patient data to a server. Users don’t risk carrying that data with them if the device leaves the hospital.
When you choose a healthcare-grade mobile device, you gain an enterprise mobility solutions platform and a complement of features that protect the healthcare data you don’t receive with a consumer-grade device. For example, with Honeywell, you can expect:
· FIPS 140-2 Level 1 security requirements to protect patient data.
· AES256 encryption for data in motion and at rest—the data is protected whether it is stored on the device, on a media card in the device or traveling over the wireless LAN.
· Remote lock and wipe for stolen or lost devices.
· Automatic locking of idle devices.
· IT professionals manage upgrades through a centralized system, which enhances security and prevents network slowdowns. IT will have full control over operating system (OS) updates and making sure that OS upgrades meet requirements for security and application compatibility.
· Healthcare organizations designate administrator privileges to install software and update operating systems. Designating administrative privileges to a select few individuals helps prevent devices from falling victim to phishing scams and hacking.
· Multi-user log-on, which enables a single pool of mobile devices to serve a workforce. Each worker will have their log-in credentials and only be allowed to access the data they need.
· Application permissions to prevent users from downloading unauthorized applications. This can prevent security weaknesses that open the healthcare enterprise’s uploading of sensitive data to unauthorized servers.
· The capability to restrict user and application access to the hardware (e.g., integrated camera, GPS and Bluetooth), including a built-in browser or an email client.
· The capability to remove OS features that can access servers external of the healthcare network (e.g., maps, email applications) that come loaded into consumer-grade devices. These types of connections pose a high risk for security breaches.
· Help eliminate theft with centralized management and locationing technologies that allow IT to monitor the location of all of your mobile computers.
· Because of strong relationships with leading operating system providers, Honeywell can add extra layers and benefits regarding security needed for healthcare to keep patient data safe.
How Honeywell Strengthens Device Security
Honeywell has a deep institutional and cultural focus on security across multiple domains. Across Honeywell, we invest over $50 million annually in cybersecurity and employ 300+ dedicated security professionals who are focused on protecting our customers.
We design security into our products, policies, and processes. The best way to ensure that you have a secure device is to make sure you are using the most recent version of the operating system and up-to-date security patches. We provide a regular security patch cadence for Mobility Edge devices of at least every 90 days and often as frequently as every 30 days. OS version upgrades are provided annually.
Our security built-in, design-to-delivery process has a strong emphasis on programming security into products to anticipate and mitigate risk. We do this by embedding deep domain knowledge of industry-leading security practices throughout our entire design and development process to ensure our solutions are as secure as possible from the start. We also make our solutions as free of vulnerabilities to attack as possible through such measures as continuous testing, authentication safeguards, and adherence to best programming practices. And, this isn’t anything new for Honeywell. We have had over 1,000 global engagements since 2006 and are the provider of managed security services for over 350 industrial sites. To continue our focus and lead the way in the industry, we put in place the industry’s first Cybersecurity Risk Manager and developed strategic partnerships with leading cybersecurity product vendors.
Honeywell Mobility Edge Platform
Honeywell’s Mobility Edge™ delivers an innovative solution to these challenges.
Mobility Edge offers an integrated, repeatable, scalable approach to device management that is based on a common hardware and software platform. Designed for Android it delivers a unified platform on which all software solutions are based. Healthcare can develop and deploy faster while reducing development costs. This unified, dynamic platform for mobile computing is designed to:
• Accelerate Deployments. Validate once. Deploy everywhere. Faster, easier, and at lower cost. Enabling versatile out-of-the-box capabilities and a rapid provisioning suite, Mobility Edge expedites development, certification, setup, and training involving multiple form factors at once.
• Optimize Business Performance. Boost productivity and drive efficiency. Powerful, embedded tools across the platform drive faster data capture and secure, enhanced worker communications. The unified, intuitive experience facilitates user adoption and helps employees complete vital tasks.
• Extend Lifecycle. Forward compatible. Future-proof. Mobility Edge reduces TCO and minimizes headaches with an enterprise-wide approach to maintenance releases, and hardware designed to support ongoing upgrades to the operating system through Android 13 and extended support five years beyond that.
• Strengthen Security. Mobility Edge™ provides a unified, dynamic hardware-and-software platform with built-in security and the best available future security made possible through Android forward compatibly.
By providing a unified hardware and software platform with an agile approach, we can bring you more secure and reliable solutions across your operation.
The common platform provides for the efficient reuse of IT investment across multiple form factors both across the present fleet and over the future roadmap. It is accompanied by a common deployment toolset that speeds time-to-value and the Operational Intelligence cloud optimization and management platform that provides visibility into device location, condition and full-life maintenance history. All of the devices are supported by popular MDM solutions as well.
At Honeywell, we focus on helping you provide high-quality patient care and supporting you in your patient-centered approach. This includes the latest technology that is purpose-built for the clinical environment. Together, with our strong partnerships with healthcare leaders, we’re facilitating an ongoing technology evolution and redefining what’s possible for healthcare organizations of all shapes and sizes. We believe the most innovative technology knows how to stay out of your way, so you can focus on what’s most important – delivering the best-in-class care your patients expect.
Android is a trademark of Google, LLC.
1National Institute of Standards and Technology (NIST) and the National Cybersecurity Center of Excellence guide, Securing Electronic Records on Mobile Devices.
2US Departing of Health and Human Services: Office of Civil Rights1,
3Mobile Data Security and HIPAA Compliance
4 Source: Five Best Practices That Healthcare Provider CIOs Can Use to Reduce Mobile Device Security Risk, Gred Pessin, Published 20 September 2017.
6 Source: Securing End-of-Support Production Systems, Tony Harvey, Neil MacDonald, Sam Evans, Published 24 December 2019.
7IBM Security 2020 Cost of Data Breach Report Shows 10% Annual Increase in Healthcare Data Breach Costs
8IBM: The “hidden” costs of data breaches severely hurt businesses
9IBM Security 2020 Cost of Data Breach Report Shows 10% Annual Increase in Healthcare Data Breach Costs
10 Honeywell/HISS Survey