How virtual mobile infrastructure can protect patients
If one third of Americans became ill with a disease, the CDC would declare it an epidemic. The healthcare world would go to any lengths necessary to find a vaccine and prevent the disease from spreading. Yet last year, when one third of Americans saw their personal health records compromised in 253 cybersecurity breaches, the healthcare world didn’t treat it like an epidemic.1 Companies apologized and business carried on as usual.
The breaches demonstrated that the healthcare industry was unprepared for desktop attacks. If healthcare is like any other industry, then it’s even less prepared for mobile threats. Now that more than 84% of physicians use personal smartphones for work, attackers will target or exploit mobile endpoints.2 The risk of breaches will only increase.
The solution is not mobile device management (MDM) or enterprise mobility management (EMM), both of which have disappointed IT departments worldwide. Rather, healthcare must turn to virtual mobile infrastructure (VMI), which can give employees access to corporate applications without leaving any data on their devices. VMI is an important step towards protecting patients from the cyber breach epidemic.
Characterizing the Threat
Thanks to Hollywood movies, many Americans imagine hackers as geniuses who type green text onto black computer screens and somehow break into systems. In reality, most hackers are con artists of varied sophistication. They use “social engineering,” a fancy way of saying that they trick your employees into sharing passwords and other exploitable information. To protect healthcare data, we have to defend against social engineering attacks.
Last year, 98% of data breaches involved large-scale social engineering according to a report from Bitglass, a cloud security provider.3 Just five breaches, including the Premera Blue Cross and Anthem breaches, accounted for 100 million of the 112 million compromised health records.4 If each record stolen costs the compromised organization an average of $145 to $154, as the Ponemon Institute estimates, then those five breaches easily cost $15 billion.5
The attackers did nothing that technologically complex in the Premera and Anthem cases. They sent out phishing emails that linked employees to fake company websites. When employees entered their user names and passwords, as usual, the fake website recorded the login credentials and then logged the victims into the real company website. Unless victims checked the URL (as one should), they wouldn’t detect the scam.
In 2014, 68% of breaches involved lost or stolen employee devices according to Bitglass.6 Mobile devices are problematic because they provide information that attackers can use for social engineering.
Just imagine if a hacker stole a smartphone from a physician who doesn’t lock it with a passcode. If the phone is loaded with work emails, the hacker can determine how to write a convincing phishing email to the physician and her coworkers. From the email templates and branding down to the conversation topics and communication style, the hacker can spoof a compelling email from management, HR, IT, compliance or another department.
Maybe the hacker uses a fake website to steal login credentials, like in the Premera and Anthem cases. Or, perhaps the email asks recipients to download a fake security patch, which installs malware on the user’s computer or mobile device. Then, that malware intercepts login credentials when the user enters them into the patient record system.
Smartphones are particularly vulnerable because most people don’t lose desktop computers in bars, restaurants and subways. A lost or stolen smartphone loaded with work emails is a goldmine for sophisticated attackers.
Although your organization might comply with HIPAA, that doesn’t mean you’re ready for the social engineering attacks and mobile exploits I’ve described. If you’ve tried an MDM or EMM solution, you know they don’t make any sense for healthcare organizations. While medical staff often serve multiple organizations, with different IT systems, MDM and EMM give one IT department administrative control over the user’s personal phone. That won’t fly. Healthcare organizations need virtual mobile infrastructure (VMI) that leaves zero data on mobile endpoints.
With VMI, all applications, including email, calendars, patient record systems, image management, etc., live in a private data center or in a secure cloud. Each health organization can assign different privileges to office staff, physicians, nurses and temporary personnel. They all access their available apps via a thin client app that can run on iOS, Android and other operating systems. Users can’t tell that they’re operating a remote app in a data center. The app responds to swipes and taps as if it were installed on the physical phone, and it can still use the device’s GPS, gyroscope, camera and other hardware.
Even if hackers stole the phone, the thin client is encrypted and leaves no corporate data that hackers could use to engineer an attack. And because IT only needs to secure VMI in the data center, they don’t need to worry about mobile endpoints, which are otherwise the weakest link in the security system.
To be clear, VMI doesn’t absolve IT from educating employees and monitoring for security threat. However, VMI does take the burden of security out of employees’ hands. It frees medical staff to focus exclusively on what they do best: patient care.
The breaches of 2015 were not a one-off surprise. They happened because hackers innovated faster than the healthcare industry could keep up. To prevent the next cyber breach epidemic, the industry must turn to virtual mobile infrastructure and take mobile endpoints out of the security equation.
- “Data Breaches in Healthcare Totaled Over 112 Million Records in 2015.” Forbes.
- “Mobile Officially a Staple in the Doctor’s Office.” eMarketer.
- Healthcare Breach Report 2016. Bitglass.
- “2015: Year of the Healthcare Security Breach.” FierceHealthcare.
- “2015 Cost of Data Breach Study: Global Analysis.” Ponemon Institute.
- “The 2014 Bitglass Healthcare Breach Report.” Bitglass.