Ensuring BYOD isn’t “bring your own destruction”

Lysa Myers - Security Researcher at ESET

In a recent article in Health Management Technology, Lysa Myers explores how to ensure that BYOD doesn’t become ‘bring your own destruction’ into the healthcare technology environment.

Here are a few quotes from the article (see the link at the bottom of this page for the full article, Ensuring BYOD isn’t “bring your own destruction”):

What are criminals seeking?

The recurring theme I’ve most often heard with regard to security issues in medical practices is that there is a fundamental misunderstanding of what criminals are after. While some criminals may be after blackmail-worthy details of health problems, in the majority of data breaches the miscreant’s goal is to obtain a large quantity of salable information to be used for medical or financial fraud. This list of valuable data comprises much of what was lost in the Premera and Anthem breaches as well as other notable recent healthcare breaches:

  • Names of patients and employees;
  • Physical and email addresses;
  • Medical ID numbers;
  • Social Security numbers; and
  • Payment card data.

This information can be sold in bulk, with more complete record sets fetching a higher price, as they enable more lucrative fraud without the need for phishing for additional information from the victim. Medical ID and Social Security numbers are especially valuable for criminals, as payment card fraud is typically identified and blocked much more quickly; most banks have robust fraud-detection programs, and customers check payment cards more regularly and thoroughly than they do credit reports or medical reports.

Mitigation:

There are ways to mitigate the risks. To this end, healthcare IT and Security should be asking and answering a few salient questions:

  • Is it better to allow users to bring whatever device they wish, or to choose from a short list of approved devices?
  • What should businesses require of users accessing work resources remotely?
  • Are there ways to mitigate the risk of lost or stolen devices?
  • Are there ways to help secure connections to work resources?

Let’s look at the issues within each of these questions to consider how best to answer them.

Summary:

BYOD can be a benefit

While these steps to secure access via mobile devices may appear to be costly and complicated, it may be worth the effort in terms of the increase in staff productivity and responsiveness. Staff and patients may view the access of mobile devices as a benefit that may improve care outcomes due to improved patient engagement.

Original Article.
