
Security expert sounds the alarm on BYOD

From the mHealthNews archive
By Erin McCann , Contributing Editor

Not everyone is convinced that "bring your own device" (BYOD) policies are best for hospitals and other healthcare networks.

"The security of these devices has been made even worse because of the applications we run on them," says Kevin Johnson, CEO of Secure Ideas, a network security firm. "The applications bring in the need for even more data."

A self-described "ethical hacker," Johnson addressed BYOD security at this week's HIMSS Media/Healthcare IT News Privacy and Security Forum in Boston.

He said having protected health information on a device that people often and easily lose isn't sensible. In addition, all the "sketchy" applications that people download on their devices make that data even more insecure.

BYOD, he said, is a slippery slope. Most people think about BYOD as a cost savings, he pointed out. "They start thinking about BYOD to make the users happy because they can use that gold iPhone 5."

"We start having exceptions (like) you can't use your personal device except for Bill because he whined loud enough," and that leads to more exceptions, Johnson said. Few people, however, actually understand the huge security implications, and very few healthcare providers consider the fact that they may have all their personal data wiped clean from the device if a security or privacy breach were to occur.

"I do believe BYOD involved lots of drug use by your auditors and lawyers for them to accept it," Johnson said. "There's just so many liabilities here."

Part of Johnson's job is to hack into company systems, find their security vulnerabilities and report back. And most often, he said, it proves far too easy a task.

As an example, he pointed to a patient care record application that he had analyzed on his own time. The app allows a user to store all of his or her medical data, but it doesn't encrypt the data. When Johnson pointed that out, the developer said it's up to the doctor or nurse to fix that. "I'm not HIPPA-covered," the developer wrote to Johnson – who noticed the incorrect way "HIPAA" was spelled, one of his biggest pet peeves.

Another example, Johnson said, is a note-taking application used by a nurse. "Where does it store the data? Did it block the permissions down to the data so another app on that phone can't read it?"
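The two questions Johnson raises here, whether the app restricts access to its stored data and whether it stores that data in the clear, are both things a reviewer can check on a device's filesystem. The following is an added example written for this page, not code from the article or from Secure Ideas. It writes a constructed, fictitious patient record the way a careless note-taking app might (default permissions, plaintext JSON), then the way a more careful one would (owner-only file from creation), and audits each file for the two problems. File names, the sample record and the audit rules are assumptions for illustration; it assumes POSIX permission bits (Linux or macOS) and runs offline.

```python
"""Audit an app's local data files for the two problems Johnson asks about:
is the record readable by other users/apps, and is it stored unencrypted?

Constructed example for this page; the record below is fictitious, not real PHI.
Assumes POSIX permission bits (Linux/macOS).
"""
import json
import os
import stat
import tempfile

# Constructed sample record (assumption: fictitious patient data).
SAMPLE_RECORD = {"mrn": "000-TEST-0001", "name": "Test Patient", "dx": "example"}
MARKER = SAMPLE_RECORD["mrn"]  # a plaintext string we expect to find if unencrypted


def store_insecure(data_dir):
    """Mimic an app that never thinks about storage: plaintext JSON, world-readable."""
    path = os.path.join(data_dir, "notes.json")
    with open(path, "w") as f:
        json.dump(SAMPLE_RECORD, f)
    os.chmod(path, 0o644)  # readable by group and other
    return path


def store_restricted(data_dir):
    """Same record, but the file is created owner-only (0600) from the start,
    so it is never briefly readable by others. Note: still plaintext."""
    path = os.path.join(data_dir, "notes.json")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        json.dump(SAMPLE_RECORD, f)
    return path


def audit_file(path, marker):
    """Return a list of findings for one stored file.

    'readable by others' flags any group/other read bit; 'cleartext' flags the
    known record string appearing verbatim in the file, i.e. no encryption at rest.
    """
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("readable by others (mode %o)" % mode)
    with open(path, "rb") as f:
        blob = f.read()
    if marker.encode() in blob:
        findings.append("cleartext")
    return findings


def run_demo():
    """Write the record both ways into fresh temp dirs and audit each.
    Returns {"insecure": [...findings...], "restricted": [...findings...]}."""
    results = {}
    for name, writer in (("insecure", store_insecure), ("restricted", store_restricted)):
        data_dir = tempfile.mkdtemp(prefix="byod-audit-")
        path = writer(data_dir)
        results[name] = audit_file(path, MARKER)
    return results


if __name__ == "__main__":
    for name, findings in run_demo().items():
        print("%-10s %s" % (name, ", ".join(findings) or "no findings"))
```

The restricted variant clears the permissions finding but still trips the cleartext check: locking down file modes answers only Johnson's second question, and a backup, a rooted device or a forensic image still yields the record. Encryption at rest needs a real cipher library and a key the app does not leave beside the file, which this example deliberately does not attempt.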

That "other app" might be the Flashlight app, which Johnson described as one of the most useless. It's also harmful, he said, because it can take virtually all the device's data.

As for those charging stations set up in airports nationwide? Don't even think about it, Johnson said. They do the same thing.

It's common knowledge that applications on personal mobile devices can render patients' health data vulnerable, Johnson noted, but what are the policy implications? "Do you want Plants vs. Zombies on your network? I wouldn't," he said. But can you enforce a company policy prohibiting those apps? Probably not, he added.

BYOD is essentially allowing a "personal device on a private network talking to 75 advertisers," he said.

If healthcare organizations insist on adopting BYOD policies, Johnson said they'll have to monitor the software, intercept the transmitted data and only allow the most secure mobile devices on the network.

As for what's considered the most secure mobile device? Ironically, Johnson said, it's the BlackBerry.