How to Create a Health Care Security Strategy That Addresses Mobile Device Risk


By: Larry Loeb|


While enterprise mobile device strategies have evolved as more workers use phones and tablets for business, hospitals have a different environment to consider when shaping a mobile security strategy. Factors such as patient privacy and HIPAA regulations will largely dictate how health care facilities allow clinicians to use mobile devices.

Five Steps to Create a Mobile Security Strategy

The U.S. Department of Health and Human Services outlines five steps that health care facilities should take when planning for the use of mobile devices. The following steps serve as a good overview of what organizations should take into account when initially constructing or updating their security strategies:

1. Decide What Data Can Be Accessed via Mobile Devices

The first step is to decide whether mobile devices will be given access to clinical data. For instance, will doctors and other staff be able to access electronic health records via their mobile devices?

2. Assess Risks Created by Mobile Usage

If the use of mobile devices is deemed necessary, the facility must then assess the risks introduced by mobile device usage. A risk analysis should be conducted at this point and include a review of potential problems created by both personal and organization-provided devices. A vulnerability assessment is often beneficial to this process.

Health care organizations can’t prevent problems if they don’t know the issue is a possibility. As such, the risk assessment stage is crucial and should not be skipped.

3. Identify and Respond to Risks

Identifying and defining problems from the risk assessment makes them concrete. This step is all about responding to risks by crafting specific safeguards that will keep the hospital’s data safe.

4. Implementing Safeguards

Developing, documenting and implementing new policies and procedures that safeguard health information is the next essential step.

5. Communicating Policies Across the Organization

Finally, health care organizations must invest in training efforts to communicate the new security strategy to all employees. This step is just as important as any other part of the process — after all, what’s the point of security policies if no one follows them?

All About Risk Management

These five steps are general guidelines, and health care facilities may need to take more steps to accommodate their specific situations. For instance, looking at the physical data network that will support mobile devices could be just as crucial as any of the other steps. When devices are connected to a facility’s network, could they cause it to malfunction? How many endpoints can the facility realistically monitor? The additional traffic must be planned for as well since it may require a network redesign.

Other risks specific to mobile devices should also be considered. Physical security breaches such as the loss or theft of devices can dramatically affect a facility. Simple safeguards such as requiring employees to use lock screens and having the ability to remotely wipe devices can help here. Further, stationary equipment such as tablets or laptops may need to be tethered to their posts to prevent them from disappearing in high-traffic areas.

It is also crucial to consider if and how staff use shadow IT, which is technology that is used in place of or bypasses approved programs. For instance, putting a patient record into a public cloud may be convenient for a clinician, but doing so violates a number of laws. Health care organizations need to figure out the types of software employees need to do their jobs and then provide them in a secure manner. Shadow IT becomes a problem when employees aren’t given guidelines on usage, so facilities should invest in educating their employees.

Health care facilities need to have a strategy to deal with mobile devices — otherwise, their staff will use devices without restrictions and introduce serious risks into the environment. By deciding on security priorities and how to handle risks caused by mobile devices, organizations can achieve greater efficiency and clinician satisfaction.

Topics: , , , ,