Lack of Cyber Security for NHS Mobile Apps

By December 11, 2015NHS, Technology

Ok, SC Magazine (for IT Security Professionals) is maybe not everybody’s favourite bed-time reading, but one of their recent articles highlights a particular issue with the scramble to mobilise NHS apps on tablet devices (see the link here) oft heralded as the saviour for the NHS through efficiency.

The article contends that patient information is more valuable than financial data sold on the black market. If you consider that a mobile device has potentially 100s or 1000s of patient records stored on it or is connected to your clinical backend systems where there are potentially tens of thousands of patient records then it is beyond doubt that it is only a matter of time before cyber crims get their acts together.

I don’t want to discuss the obvious business case and benefits of transforming and mobilising healthcare – it could save billions. But at what cost if you don’t get the security right?

However, I do take exception to SC’s article on cyber-security training for users as being the answer. It’s a false sense of security. Sure, it makes sense to do this but pitted against a smart hacker they wouldn’t stand a chance. As an ex karate-ka, I’ve seen it many times and know people given some self-defence training think they can defend themselves (imagine the Lion in the Wizard of Oz – put ’em up).

I don’t want to go all security on you, but a) security isn’t black-and-white i.e. it’s secure or not, and b) it’s only as good as the weakest link i.e. the human. So, training the user suddenly doesn’t make it secure (or not) and if a user can be foiled, security is effectively compromised if you are relying on training alone.

The implications of a security compromise? Well, that’s for another day, but fines and reputation damage are certain.

To compound the matter (read “make it easy to fool users”) there are a number of mobile app solutions on the market and healthcare organisations that use usernames and passwords as a means to secure mobile clinical apps and patient data. They even think that having MDM to protect their devices makes it secure.

Security that is based on username and password will never be secure enough, even with tons of cyber security training for users.

As the architect of Isosec’s mobile application platform, MIA, it is quite clear to me that the NHS Smart Card is the only effective way to protect mobile apps on tablet devices. NHS clinicians are very familiar with its use – it is two-factor – something I have (the card) and something I know (the passcode). MIA uses the NHS Smart Card to not only log users on to a tablet device, but to also strongly encrypt patient data on the device as well as being required to connect in to the clinical backend systems. Without the card, no access to patient data on the device or back at base. Get the passcode wrong three times then the data becomes inaccessible. MIA also has various timers that blank and lock the device so even if the user leaves the card in the reader, everything is still safe. If they lose the card, it can effectively be revoked, again everything remains safe.

So, given the weakest link user argument, we have taken the approach of using something very secure and familiar (the NHS Smartcard) and made the user experience very simple – we don’t rely on user’s infallibility.

Even when a user fails to follow basic precautions, MIA security takes over to protect patient data and backend system access.

The take-home is don’t be lulled in to a false sense of security – if you’ve got username/password protecting your clinical data and access with MDM “remote wipe” with really good user training, your pants are down, from a security perspective that is.

Finally, we have a smartcard solution for iPads as well as NFC authentication on Android and Windows devices.

Keypad saying cyber security

Harry Robinson

Author Harry Robinson

More posts by Harry Robinson