Mobile Device Security Tips Offered

Dept. of Homeland Security Report Focuses on Healthcare Risks
Mobile Device Security Tips Offered

The Department of Homeland Security has issued a report on the risks involved in using wireless medical devices and other mobile devices in healthcare and the best practices for mitigating threats.

See Also: The End-to-End Performance Imperative

"The expanded use of wireless technology on the enterprise network of medical facilities and the wireless utilization of medical devices opens up both new opportunities and new vulnerabilities..." the report states. "The communication security of medical devices to protect against theft of medical information and malicious intrusion is now becoming a major concern."

The report notes that misconfigured networks or poor security practices may increase the risk of compromised medical devices, such as insulin pumps and pacemakers. Plus, the expanding use of smart phones, tablets, USB drives and other mobile devices poses additional risks, according to the report.

Major information theft threats in the healthcare sector include insider threats, malware, spearphishing attacks, other web-based attacks aimed at penetrating a network and the loss of mobile devices, the report notes.

Best Practices

Best practices in building a layered security approach in healthcare, according to the report, are:

  • Purchasing only those networkable medical devices that have well-documented and fine-grained security features available and which the medical IT network engineers can configure safely on their networks;
  • Including in purchasing vehicles vendor support for ongoing firmware, patch and anti-virus updates where they are a suitable risk-mitigation strategy;
  • Operating well-maintained external facing firewalls, network monitoring techniques, intrusion detection techniques and internal network segmentation to contain the medical devices to the extent practical;
  • Configuring access control lists on these network segments so only positively authorized accounts can access them;
  • Establishing strict policies for the connection of any networked devices, particularly wireless devices, to health information networks so that no access to networked resources is provided to unsecured or unrecognized devices;
  • Establishing policies to maintain, review and audit network configurations as routine activities when a medical IT network is changed;
  • Using the principle of "least privilege" to decide which accounts need access to specific medical device segments, rather than providing access to the whole network;
  • Implementing patch and software upgrade policies for medical IT networks that contain regulated medical devices;
  • Securing communications channels, particularly wireless ones, by the use of encryption and authentication at both ends of a communication channel;
  • Enforcing password policies to protect patient information.

About the Author

Howard Anderson

Howard Anderson

Former News Editor, ISMG

Anderson was news editor of Information Security Media Group and founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.