In a country like India where Doctor to patient ratio is 1:900, Doctors are a few and work is like 24/7. Patient demands low cost, timely and quality healthcare coverage. For Healthcare enterprises, Patient Data is critical to collect and manage and hence mhealth is primarily aimed at bridging the economic divide in terms of healthcare. Mobility is the key here- Many Healthcare enterprises which are spread over 10-20 establishments in India are now using VPNs as the enabling technology which allows Doctors to use standard public Internet ISPs and high-speed lines to access closed private networks. A simple use case for this is to access Virtual Patient Health records and there are other wireless technologies designed specifically for use in the provision of healthcare, like:
- Standard Mobile enterprise services used by health-care workers, such as remote access to e-mail and health-information systems;
- Mobile Applications to meet a specific need of medical workers, such as mobile prescriptions and remote diagnoses;
- Applications that play a direct role in the provision of care, such as mobile data collection and wireless transmission of health data; and
- Consumer-targeted applications to encourage health and help prevent illness.
2. What are the security concerns around these trends?
Security of patient data is important. Even if you comply with HIPAA, it doesn’t have that depth and breadth of protection which is required as health care is comprised of exceedingly complex information environments that demand comprehensive patient data security approaches especially when the data is shared across networks. For a simple use case of accessing a patient’s Virtual Electronic Patient Records with a wireless device, there are 3 main security issues to address:
1. To Authenticate & authorize from the wireless to the wired network
2. Secure Data share in transit
3. Integrity & Good Resolution in the information that is requested and visualized by the users/doctors.
3. Is there a security risk re: healthcare mobility that is overrated or underrated? What are they?
Not overrated actually. Healthcare mobility is the key. As manpower is scanty in hospitals, therefore in scenarios where large volumes of background traffic needs to be sent from automated programs talking to other automatic programs, IPsec here serves the best. End to end security is however required in several Govt Health missions where there are a lot of private partners in the value chain and secured/encrypted communication is a must. SSL enabled VPN is useful here. With SSL, a secure tunnel is established directly from the client to the resource the client is accessing. With true end-to-end security, no data is sent in the clear, either on the internal network or on the Internet. Everything from the client to the resource is securely authenticated and encrypted.
4. What are the security concerns around sensor technology, portable medical devices and wireless health applications – and how will they be mitigated?
There are several security concerns and hence before we deploy mobility we need to understand that fully automated Remote Access VPN Management is necessary. Solutions should be easy to use and efficient as well. A holistic remote access solution is required to integrate all essential technologies regarding security and communication. Hospitals and Healthcare enterprises are looking to upgrade and hence low switching costs is the major driving force coupled with greater efficiency and ease to use and deploy.
5. What role will IPsec play in mobile health security?
Two parties who wish to create an IPSec tunnel must first negotiate on a standard way to communicate. Since IPSec supports several modes of operation, both sides must first decide on the security policy and mode to use, which encryption algorithms they wish to communicate with and what type of authenticate method to use. IPSec and WPA EAP-TLS solutions are very efficient against MITM, impersonation and session hijacking attacks. Both solutions are not efficient against DoS attacks. It is possible to successfully perform DoS attacks using freely available tools. For systems where availability is essential, it is necessary to complement those solutions with more mechanisms that reduce the risk of such attack. It is thus necessary to use tools like Intrusion Detection Systems (IDS) and vulnerability scanners. Because IPSec sits at the network layer not only is all your network traffic encrypted, but all users gain access to all company resources as if they were physically resident in the office connected to that LAN. Hospitals may or may not want partners or temporary remote employees to be part of their network. The network may only need to have a small portion of its traffic secure. Hospitals may not want to encrypt everything from the remote client to the corporate network. Also scalability is a problem with IPsec. On the other side, SSL proxies enforce much stronger authentication methods than a back-end resource could ever support natively. Many Web servers today do not natively support authentication methods other than SSL.
Inference: Solutions require high degree of integrational ability and interoperability that makes it possible for Healthcare enterprises to deploy these software products in an already available IT infrastructure.