Hospitals are more than sources of medical treatment and innovative research.
They are also repositories of an overwhelming amount of sensitive or confidential data, ranging from electronic health records and financial information (including patient billing materials, insurance classifications, and credit card and bank routing numbers) to internal communications and physician-issued diagnoses about various conditions.
As hospital employees increasingly use smartphones and tablets in the workplace, safeguarding this content from attackers and cyber criminals means spotting existing vulnerabilities in these devices.
One of the biggest threats involves "leaky" apps. These are unsecured mobile applications that thieves can exploit to gain access to a treasure trove of personal or professional information.
This challenge is all the more significant because a leaky app does not advertise itself as such; it does not have the visible glitches, sudden crashes and inexplicable bugs that other apps may possess. Indeed, most of these apps work as described: They respond to the tap-tap-tapping of a user's touch and the swipe of a finger, never revealing their weaknesses or issuing a warning about a possible problem.
Apps such as Outlook.com, WebMD and The Weather Channel have proved leaky on Android-based forms.
Most people (hospital administrators included) do not know how their favorite apps store sensitive information, for instance, or whether an app encrypts data and performs a technical overview known as certificate authentication.
It's not important that people know this information. What is of grave importance is that cyber attackers know this information and they can quickly use a leaky app to unlock very valuable content. This is why there is a need to educate hospital staff about the dangers leaky apps represent.
Please note that unsecured apps are not an aberration; they are more and more commonplace.
Our own internal audit finds that 60% of the 100 most popular apps (including those with dual appeal to individual consumers and executives) have a high risk rating in one or more security categories. All of these apps are available through Google Play and iTunes. None of them would cause a typical user to worry about data theft or even more severe consequences.
All of which means hospitals need a comprehensive and immediate response to this danger.
In their role as a setting for first responders, hospitals would broaden that duty to include a digital corollary; it would feature professionals who can diagnose, treat and stop the spread of leaky apps.
This proactive strategy toward mobile security – one that addresses not just malware and targeted attacks but the danger posed by leaky apps – represents a chance for hospitals to strengthen their legitimacy and enhance their relationship with the communities they serve.
Evaluating the Size of the Threat: A Way Forward
To repeat an earlier point about the seriousness of this issue, an independent study by Gartner Inc. predicts that the focus of endpoint breaches will shift to smartphones and tablets. More sobering is the news that the average cost of resolving a successful attack against any business is $8.3 million. Experts believe that that number will rise 10% by 2016.
Losing sensitive information can also put your organization in violation of HIPAA regulations. Therefore, hospital administrators must educate their staff about this subject, converting potential liabilities into agents of defense.
If these individuals use a mobile device for work, they must make sure that their smartphone or tablet is protected by a strong passcode and has the latest version of iOS or the Android operating system.
Vigilance is essential, too, about keeping apps updated, as many vendors use new releases to patch existing security holes.
Users should avoid "jailbreaking" their smartphones, as this can make the devices more vulnerable to attack.
Hospital personnel should also only use known and secure Wi-Fi networks, part of a series of best practices that will reduce the threat of leaky apps.
And if your hospital is creating its own custom app, there are a host of best practices developers must implement.
For starters, apps should not store login credentials or other sensitive information on the device. If this is absolutely unavoidable, make sure the material is not stored in clear text, or stationed within an easy-to-find database. Use secure SSL/TSL protocols to protect data in transit.
Above all, conduct ample testing – and retesting – of an app before it goes live.
These measures maintain the health of data, with the same spirit and integrity that hospitals seek to maintain the health of their patients.
That mission (along with understanding these vulnerabilities) is noble, indeed.
Andrew Hoog is the CEO of NowSecure, which provides mobile security solutions, debunks common security assumptions and creates smarter technology to ensure private information remains private and not exposed to unnecessary risks.
The views, opinions and positions expressed within these guest posts are those of the author alone and do not represent those of Becker's Hospital Review/Becker's Healthcare. The accuracy, completeness and validity of any statements made within this article are not guaranteed. We accept no liability for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with them.