Mobile security in healthcare needs a checkup

From the mHealthNews archive
By David Lingenfelter

A casual glance at today’s business headlines underscores the essential role of data security in every industry. And as mobility accelerates the flow of enterprise data from internal systems to smartphones and tablets, the imperative to secure that data grows exponentially. High-profile security breaches have cost organizations billions of dollars, trusted reputations and even the jobs of top executives.

As evidenced by the news announcements coming out of the HIMSS15 conference last week, perhaps no other industry is more in need of strong mobile security than healthcare. A wide range of patient data is stored on mobile devices, from demographic details to medical histories, insurance beneficiary data and social security numbers. Despite the sensitivity of this data and strong regulations such as HIPAA, many healthcare organizations have a long way to go to protect against the growing threat of cybercrime.

Companies aren’t investing
Even with several high-profile breaches, studies have shown that healthcare providers haven’t increased their attention to security details. In fact, a recent study conducted by IBM Security and the Ponemon Institute found major security flaws in the ways in which most large organizations, including Fortune 500 healthcare companies, build and secure mobile apps.

The Ponemon study showed that 50 percent of companies dedicate zero budget toward securing the mobile apps they build for customers, who often, and without hesitation, upload some of their most confidential billing, personal and business data. This lack of attention to security has been verified for the healthcare industry by other organizations as well. For example, a study earlier this year by market research company peer60 found that while more than 50 percent of hospital IT managers and 60 percent of CIOs will be pushing for an investment in security this year, only 25 percent of CIMOs, COOs and CEOs are on board with the idea.

Where is the focus?
With IT professionals seemingly more focused than executives on the importance of security, investments in mobile security and applications often get pushed aside. Yet the acceleration of user demand for mobile apps has many businesses building with speed to market and user experience in mind. What they are not doing, however, is ensuring that their apps are secure enough for users to disclose the confidential information these apps often require (billing details, personal information and more) without being exposed to a cyber-attack.

One of the biggest problems, and the simplest to fix, is that most healthcare organizations do not have a solid policy in place around the acceptable use of mobile apps. More than half of respondents in our study (55 percent) say their organization does not have a policy that defines the acceptable use of mobile apps in the workplace. Furthermore, a significant majority (67 percent) of organizations allow their employees to download non-vetted apps on their work devices. This offers hackers the potential to exploit app vulnerabilities, then access sensitive documents and personal data.

At any given time last year, mobile malware was infecting more than 11.6 million mobile devices. And the cost of data breaches through employee devices, including loss of highly confidential patient information and brand reputation, is estimated at more than $11 million, not even factoring in the number of current and future patients lost when a brand becomes associated with compromised security.

Signs of progress
A number of vendors, including IBM, are bringing solutions to market to instantly detect and destroy malware threats on mobile devices. With medical identity theft and other patient data privacy issues becoming an increasingly larger problem, it is surprising that more hospitals are not looking to invest in new healthcare data security tools. And simply having protection against malware is not good enough. It’s one element of a broader mobile security strategy that should start with clearly defined policies for smartphones and tablets and an enterprise mobility platform. The question remains: What will it take for providers to begin investing in mobile security?

While there have been some notable security breaches, we haven’t yet seen a large number of incidents through the mobile avenue. However, mobile threats are emerging rapidly, and companies that are not prepared to address these threats risk enormous financial loss and brand reputation damage. With so many devices and so much data, the opportunity for hackers to access business data via mobile devices is too sweet for them to pass up.

David Lingenfelter is director of information security for Fiberlink, an IBM Company.