For our investigation of mobile device security for the medical practice we talked to Rob McDonald, vice president of product management for data privacy technology provider Virtru in Washington, D.C. We asked McDonald what health care providers should be doing when their clinicians and staff use phones and tablets to access not only sensitive patient information but also IoT-connected medical devices. He gave us this checklist:
• Know what you have. If you aren't performing periodic and live asset (both data and device) inventory, then you are simply staring into the void hoping for the best. The key here is to start, even if that means a manual survey and inventory. Until you know where your sensitive data is, how it is accessed and where it is shared, you have no chance of securing it.
• Limit your exposure. Now that you understand the lifecycle of your sensitive data, start pruning branches in that tree. Limit the access levels of users who are over-privileged, limit where authorized users can access data from, and remove/archive sensitive data that no longer needs to be accessible.
• Reduce your identity footprint. You probably have a number of applications and systems in your environment. This sprawl puts an unfair load on your staff as they have to remember more and more passwords. Many times, employees and other stakeholders just start writing these passwords down and picking the simplest one possible. There are so many affordable identity solutions today that will allow you to centralize these credentials, which in turn makes it far easier for your staff to comply and gives you a one-stop location for account provisioning, de-provisioning and audit.
• User awareness training. I know, I know; you hear this all the time. But it represents one of the simplest next steps any organization can take to up their security and compliance game. Think of it like this: Who in your organization comes in contact with your patients and sensitive data the most? Your employees. There are so many good user awareness training solutions today that you can be up and running in an afternoon and be reporting on progress by the end of the month. Don't deliberate on this, just do it.
• Vulnerability and patch management. We've talked about solutions like Mobile VPN today, and the truth is, it's all software. If your organization is using devices of any kind to access data and software, then you are absolutely at risk of vulnerabilities. It's important that you deploy a vulnerability management solution that can help you monitor for these risks and deploy updates to that software.
• Data protection. The reality is, you and your users will create and share a significant amount of data in the process of providing the quality patient care in your charter. This data, the data that gets saved to your desktop, typed up in Microsoft Word, or emailed to the patient, insurance company or another provider, is the data that poses the highest risk for your organization. Given this risk, and the fact that the sharing of this data is only going to grow in volume and demand, it is really our responsibility to deploy a data protection solution that puts you in the driver's seat for control and auditability.