Innovative healthcare delivery powered by mobile technology is just what the doctor ordered. In 1930, 40% of physician visits happened in the patient’s home, but by 1980, only 1% of appointments were house calls. Many factors are now driving an upswing in mobile, remote and home health care: an aging population, technology advances, ACA-related insurance initiatives and overburdened healthcare facilities are chief among them. In this guest post, Dan Ross, CEO of a company focused on endpoint visibility and remediation, details the security dangers this presents and how to keep your hospital safe.
Increasing population pressures and resource constraints compel providers to find efficient ways to treat more patients per day, send healthcare workers out to homebound and disabled patients, and monitor patients with chronic conditions. On the other end of the spectrum, younger patients, especially Millennial professionals in urban settings, increasingly want to access routine health care the way they do everything else – online and as self-service as possible.
Mobile technology, ubiquitous connectivity and portable medical devices have made telemedicine and remote monitoring possible and cost-effective in recent years, but have also introduced a heightened level of risk. Patient data (PHI) is a lucrative target for hackers due to its sensitive and detailed nature. Critical systems and devices, especially at hospitals, are increasingly held hostage by means of ransomware – cyber criminals know victims will pay up when lives and public safety are on the line.
Healthcare workers are on the move
As the sophistication and agility of global cybercrime organizations converge with mobile workforce trends, the threat surface in health care increases exponentially. A recent BI Intelligence report claims that in five years mobile workers will make up 72% of the total US workforce. A 2015 IDC report names healthcare workers as the largest segment (18%) of the overall mobile workforce. Healthcare entities and their partners have to address the proliferating security challenges quickly and completely – patient health and safety are at stake. Further, failing to realize the potential of innovations like telemedicine due to lack of security and trust would be a tragedy.
Mobile endpoint management is of paramount importance in the healthcare industry. Affordable, user-friendly mobile devices, connected medical devices, EHR ecosystems, cloud services, wearable devices and healthcare apps mean more to patch, configure and monitor. Virtualization and mobility blur the network perimeter, rendering traditional security approaches insufficient. Cybercriminals use clever, intricate social engineering schemes to undermine security solutions, turning human error into their secret weapon. Passwords are nearly useless, and users have remarkably low tolerance for security features that inhibit productivity.
Visibility, defense, risk reduction
Endpoint integrity – including apps, configuration, patching, anti-virus – has to be continually monitored and remediated. There are three important components to endpoint management: visibility, security posture and defense, and risk reduction.
Visibility means you can determine what is running (or not running) on each endpoint. For instance, HIPAA regulations require that machines containing protected data can’t run unapproved software, so you need a way to see into those devices, no matter where they are.
Mobile workers and distributed infrastructure make physical device management logistically challenging. With potent malware exploit kits being sold on the dark web, speed-to-detection is essential to preventing breaches. Endpoint management strengthens security posture and defends against attacks by continuously scanning for and automatically remediating security risks.
The most effective protection is prevention through back-to-basics risk reduction: ensuring on a continuous basis that antivirus software is updated, patches are installed, and configurations match gold standards and comply with internal policies and external regulations. Staying on top of gaps and vulnerabilities makes your devices less accessible to crimeware and mitigates the chance of a damaging breach.
Breaches, HIPAA violations under heightened scrutiny
The alarming rise of ransomware, APTs and mobile malware has led to a sharp increase in healthcare breaches. Consequently, HIPAA-related oversight has intensified. While the Office of Civil Rights (OCR) has investigated and publicized hundreds of significant breaches over the past several years, the agency recently announced that it will begin focusing on breaches affecting fewer than 500 people (including those at business associates), compelling smaller companies to ensure compliance through improved endpoint management. The OCR’s latest guidance also states that ransomware attacks will be categorized as breaches. Healthcare providers and third parties found to be in violation of HIPAA face significant penalties, public investigations, and loss of trust on the part of patients and partners.
Endpoint management as mobile workforce solution
To protect patient information and critical systems, healthcare entities have to monitor and defend a dispersed network of highly exposed, moving targets. Without a comprehensive mobile workforce solution, even the most fundamental security measures are nearly impossible to validate and enforce.
To reduce the risk of damaging breaches we have to enable visibility before, during and after an attack. Agentless solutions represent an important advance in endpoint management; being able to inventory, scan and remediate every device on the network even when it isn’t feasible to install agents on every machine makes essential security functions much more practical for all types of businesses. As the lines between on-premise and cloud, internal and external networks, work and personal devices continue to blur, we need a solution that extends all the way out to mobile workers and remote services.
Hybrid solutions that rely on a complementary combination of agentless capabilities and agent-based control features go one step further in addressing the challenges of the mobile workforce. The information continuously collected from agentless inspection engines and deployed agents can be combined into a single holistic view of risk, vulnerability and compliance.
The scheduling of predefined inspections – including CVE scans and assessments, unauthorized app discovery, Windows patch validation and agent validation – can be customized to the desired frequency and timing. User-defined inspections allow companies to check endpoints for risks particular to their business or compliance program. The latest patches for high-risk apps like web browsers and plug-ins can be automatically deployed, markedly limiting attackers’ window of opportunity to exploit known vulnerabilities. The close monitoring capabilities of hybrid endpoint solutions are critically important to healthcare companies protecting PHI on laptops being used for mobile clinics, home visits, etc.
For healthcare IT teams, the heightened situational awareness provided by a hybrid endpoint management solution is quickly becoming indispensable. They can instantly survey the integrity of endpoints, proactively identify and close gaps, and continually enforce security policy. Being able to do all this without disrupting the productivity or flexibility of mobile workers helps maintain a sustainable balance between opportunity and risk.
The success of healthcare innovations like telemedicine, home health care, and remote monitoring depends on the trustworthiness and effectiveness of mobile technology. Without efficient endpoint management, these much-needed healthcare delivery options won’t gain enough traction to become an integral part of our healthcare system. As the elderly population surges and provider resources remain overtaxed, we can’t afford to pass up the flexibility, reach and improved treatment promised by mobile healthcare technology.
As CEO, Dan Ross is responsible for strategic direction and day-to-day global management at Promisec, a company focused on endpoint visibility and remediation, empowering organizations to avoid threats and disarm attacks that can lead to unwanted headlines and penalties.