Mobile Device Security Tips OfferedDept. of Homeland Security Report Focuses on Healthcare Risks
The Department of Homeland Security has issued a report on the risks involved in using wireless medical devices and other mobile devices in healthcare and the best practices for mitigating threats.
"The expanded use of wireless technology on the enterprise network of medical facilities and the wireless utilization of medical devices opens up both new opportunities and new vulnerabilities..." the report states. "The communication security of medical devices to protect against theft of medical information and malicious intrusion is now becoming a major concern."
The report notes that misconfigured networks or poor security practices may increase the risk of compromised medical devices, such as insulin pumps and pacemakers. Plus, the expanding use of smart phones, tablets, USB drives and other mobile devices poses additional risks, according to the report.
Major information theft threats in the healthcare sector include insider threats, malware, spearphishing attacks, other web-based attacks aimed at penetrating a network and the loss of mobile devices, the report notes.
Best practices in building a layered security approach in healthcare, according to the report, are:
- Purchasing only those networkable medical devices that have well-documented and fine-grained security features available and which the medical IT network engineers can configure safely on their networks;
- Including in purchasing vehicles vendor support for ongoing firmware, patch and anti-virus updates where they are a suitable risk-mitigation strategy;
- Operating well-maintained external facing firewalls, network monitoring techniques, intrusion detection techniques and internal network segmentation to contain the medical devices to the extent practical;
- Configuring access control lists on these network segments so only positively authorized accounts can access them;
- Establishing strict policies for the connection of any networked devices, particularly wireless devices, to health information networks so that no access to networked resources is provided to unsecured or unrecognized devices;
- Establishing policies to maintain, review and audit network configurations as routine activities when a medical IT network is changed;
- Using the principle of "least privilege" to decide which accounts need access to specific medical device segments, rather than providing access to the whole network;
- Implementing patch and software upgrade policies for medical IT networks that contain regulated medical devices;
- Securing communications channels, particularly wireless ones, by the use of encryption and authentication at both ends of a communication channel;
- Enforcing password policies to protect patient information.