Mobile devices have gone from optional to essential in healthcare. But as usage increases, so do security worries. Recent data showed that attacks against Android devices in healthcare have risen by 244 percent, posing new risks of operational disruption.
Dr. Sean Kelly, CMO and SVP of Customer Strategy at Imprivata, pointed out that the absence of comprehensive mobile device management strategies is to blame. While 92 percent of leaders surveyed in Imprivata’s State of Shared Mobile Report agree that mobile devices are vital to patient care, nearly half (44 percent) lack a policy to manage them, and 55 percent have no visibility into how they are being used.
Healthcare Innovation further discussed the findings with Dr. Sean Kelly, who is a practicing emergency physician in Boston.
Could you provide some background?
I see things from the frontline perspective as well as from the tech executive perspective. Imprivata is an identity and access management company, and we essentially help provide improved workflows, productivity, and efficiency, particularly in healthcare and other industries where there are complex workflows. But we also increase cybersecurity capabilities and compliance with privacy regulations like HIPAA and others.
The report discussed attacks against Android devices. Could you talk more about these devices?
Every mobile device in healthcare is potentially valuable but also potentially risky. So, Androids and iOS of all kinds. That involves people bringing their own devices in, devices purchased and managed by enterprises and potentially shared and managed devices.
You might have a bank of devices that are at the hospital or the care center that are all charging up and being provisioned and secured, and then a nurse or other worker might come in and pick up a device for a shift for the whole day, and then do their work on that particular device.
Some of the value propositions and reasons mobile devices are attractive in healthcare are similar to those in our private and consumer lives; you have an amazing computer and power right in your pocket. With healthcare, it could be that you're looking up a patient's chart, you could be accessing labs or ordering things. You could be documenting data on there, like vital signs, medication administration, or physical exam findings. You may be responding to communications similar to how we do in our private lives.
That’s the clinical and operational value, that you can bring the workflow right to where the provider or the worker is, and that, just like in our private lives or consumer lives, can be very convenient if it's done properly. That is a big area where there can be pain points.
There are three major pillars of consideration. Pillar number one is usability, to make us all efficient and productive. Pillar number two is security, or privacy and compliance. If it's not secure, it's a big risk…it can be an inroad for ransomware attacks and other cybersecurity events. The third major pillar is finance, cost and value. You have to make sure that whatever tools are out there provide value and return on investment. They’re either helping to enhance revenue or reduce costs. Those are three major considerations with technology like mobile in healthcare.
From a security standpoint, you really have to be careful. If they're not secured, hackers can get in, or other people can chart under the wrong ID. It can be problematic when you're dealing with strict privacy regulations like HIPAA in healthcare.
You have to make sure you have a plan and the ability to secure these devices and provision them. Some places that have mobile devices are losing, on average, 23 percent of devices per year. In some cases, it's a staggering cost that can happen if you're not able to track and understand who's using those devices and hold them accountable for not walking out the door with them or forgetting them in a drawer, so nobody sees them again.
Most customers think they have to choose between either locking something down and putting a really complex password on it or keeping it wide open and letting it kind of be easy to get into. There is this tug of war. You either put a really long, complex password, which is really secure, but it's unusable. Imagine you're a nurse trying to respond to a code… and you can't get in because of complex passwords. And on the other hand, if you try to make it too easy, you'll sometimes put a PIN on the phone, and it's often a shared PIN. Many hospitals have these phones, and everyone has the same PIN. Everybody knows it. And if everybody knows it, you might as well not have it.
Some of them aren't designed to be shared devices. Our system helps with security because they all charge up in a bank of devices, and they get provisioned properly with all the right security software in place, all the right compliance, and they get their battery health checked. Everything's checked on the device, and all of them are sitting there. If someone comes up and logs in… it'll light up the phone that is the healthiest, properly provisioned, with all the latest updates and security patches. It'll pop up with my name on it, and then, by policy, it'll make me pick my own PIN according to the security policies of the hospital. Now I have my own personal PIN, just like I would have on my own device. Then we can even enable facial biometrics on it, instead of a password, and there's always security on it, but it acts almost like your own phone for that whole shift. You're getting the best of both worlds. You're allowing a hospital system to secure, provision, and maintain a whole fleet of devices, so the security, privacy, and compliance aspects are answered, and for the doctors and nurses, when they use it, it acts like their own device for a day.
When you have the ability as a hospital to buy and manage a fleet of devices, you only have to buy devices for each shift of nurses that comes in. You don't have to buy one for every single nurse.
Could you speak to some of the privacy concerns?
It is a big concern in healthcare that you always want to maintain a good audit trail and only allow people into the system who are credentialed and should be getting into that system, particularly the electronic health record (EHR). Anywhere where there’s protected health information…that's covered by HIPAA, only people who have a legitimate need to see it should be accessing it for care or other operational needs.
On mobile devices and any endpoint, including medical devices, desktop computers, or laptops, we control access, and the only way in is to log in. The first time you do that during the day, it takes two factors. We control who gets on each device, and when they leave that device, we can lock it and close out the apps they're on, so if someone else comes up, they don't have access to those same apps.
It’s absolutely a concern in healthcare that other workers, patients, or other people can get into protected health information (PHI). Most of our systems are designed to prevent that, but also make it easier for people who are legitimately doing their jobs to get in there quickly and do their jobs.
What are your thoughts on a lack of policies around how devices are used?
Policy and governance are important. Zscaler talked about how those Android device attacks are up 244 percent. Nearly half of the healthcare organizations (44 percent) lack a formal device policy, and 55 percent have limited visibility into how those devices are used. Seventy-four percent of them are just left signed in after use, and 79 percent of staff admit to sharing credentials. Different studies, including this latest one, say that it's a hard, complex problem, and policies oftentimes are inadequate.
Could you tell me more about this comprehensive mobile device management strategy you mentioned earlier?
It allows the healthcare system to manage everything altogether. They may have 5000 phones in a hospital system, and they purchase all those phones. We help them, along with their medical device management system, provision all the phones with all the apps that they need, all the security patches, the latest updates from either iOS or Android, get everything tuned up, make sure the battery is healthy, and then all those devices will be sitting there.
And then a nurse…or whoever comes up and needs a device, they check one out, and it has all the apps they need, nothing they don't need, and it forces them to put their own PIN in there, according to policy, so that you guarantee the security on that device.
What you're trying to do is solve for those three pillars, where you're solving for the usability to make it easy to use. You're solving for security, and then you're solving for the cost issue.
Do you have recommendations for healthcare organizations?
The future for us is both mobile and password-less. I mentioned facial biometrics. There are things called passkeys that you can put on devices where, if it's a trusted device, there's a device-bound key that is a second factor, and you combine that with things like facial biometrics or a token system that goes to a known cell phone number. We're all familiar with that two-factor authentication pathway. It tends to be a one-size-fits-all tool. What we do in healthcare is make it more adaptable across different modalities.
Make sure you have a modern approach to identity that lets the people who are doing the right thing, who are trying to get into the system, get in easily, while making it harder for bad actors to get in. And part of the ingredients are good policy and good technology. Modernize things, move towards multiple factors, and make it adaptive, so that it's harder for high-risk behaviors… and easier for low-risk and expected behaviors.