How Digitally Malnourished Are Your Healthcare Kiosks?


By Apu Pavithran, Founder and CEO of Hexnode

Every story has a villain and a hero. On 3rd October 2022, when the world was celebrating National Techies Day, the ransomware attack on CommonSpirit Health, a Chicago-based system that operates 142 hospitals, stole the show. Putting lives at stake, ransomware attacks on US healthcare organizations surged by 94% from 2021 to 2022. With these recent attacks painting a dire image of the cyber structure in healthcare, enforcement of the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act has gotten stricter, with harsher penalties and more severe fines.

To give consumers and clinicians timely access to protected health information (PHI) and decision support, most healthcare facilities have set up self-service kiosks that help visitors with appointment scheduling, check-ins, payments and insurance processing. However, because kiosks are silos of private data, adhering to privacy and security protocols has become necessary, calling for a solution to manage, monitor and secure your kiosk network. While generic kiosk management software will help you manage your kiosks, having a Unified Endpoint Management (UEM) solution in your cyber inventory strengthens your security posture.

Taking over Kiosk Management with UEMs  

Most kiosks are deployed in public places, making them susceptible to vandalism, shoulder surfing and man-in-the-middle attacks. While careful physical positioning of health kiosks helps to mitigate a fair share of risks, it doesn’t stop attackers bent on bypassing a kiosk’s control systems. To address the obstacles to efficient kiosk management, health centers have started to deploy UEM solutions.

A UEM’s integration with the Apple Business Manager (ABM) program, Android’s Zero Touch Enrollment (ZTE) and Windows Autopilot deployment enables IT to enroll devices over the air. Before shipping devices to diverse locations, administrators can pre-configure them with the necessary settings and lock them down, so that they are ready-to-use kiosks as soon as they are unboxed. Furthermore, requesting the physical presence of your IT admin whenever a device faces downtime isn’t a feasible option. Because a UEM offers visibility into the state of business assets and controls them remotely, IT can troubleshoot errors directly from the UEM’s console.

Most kiosk patrons initiate interaction with a kiosk using generic log-on information, and through techniques like ‘shoulder surfing,’ users fall victim to identity theft. However, one can avoid such consequences by implementing multi-factor authentication (MFA) and enforcing password policies that require users to set complex alphanumeric passcodes and do not allow previously used passcodes to be repeated. Health kiosks can also be converted to dedicated, purpose-driven tools by locking them down to pre-approved medical health apps or telehealth software with the kiosk lockdown feature. Furthermore, the solution’s messenger app can pass critical messages, notifications or instructions to all deployed kiosks from a single console.

Ramping up your kiosk defenses  

When credit card numbers sell for $5 each and social security numbers for as little as $1 each, the black-market price for medical records is $250 per PDF. This price discrepancy highlights the need for healthcare institutes to focus more on cyber investments. With devices housing protected health information (PHI), IT admins are bound to ensure that these documents do not leave the perimeter of corporate devices. UEM solutions support the managed open-in functionality, which can prevent staff members from opening PHI documents on unmanaged devices. Furthermore, admins can restrict device functionalities like cameras, screenshots, calls and social networks that are not required within the premises. External websites with the potential to tamper with a device’s core settings can be blocklisted, limiting access to the websites necessary for telehealth monitoring. Admins can also restrict data transfers via Bluetooth, USB, tethering, or other means. Finally, network restrictions ensure that sensitive data can only be accessed over managed corporate Wi-Fi and VPNs.

Point of Care (POC) devices collect information relating to the healthcare needs of patients in the form of Electronic Medical Records (EMR). These documents are expected to be legally confidential, and configuring basic protections like a firewall, together with disk encryption through FileVault for macOS and BitLocker for Windows, helps protect the original information. Additionally, admins can activate the lost mode protocol, lock down the entire device or initiate a remote wipe from the console if managed corporate devices are lost, compromised or stolen.
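A fleet audit against the restrictions listed above (device features, transfer channels, managed networks, web allowlist, firewall and disk encryption), as an added example that is not part of the original article or of any UEM product. The inventory schema, network names, site names and sample devices are constructed assumptions.

```python
# Added example: field names and sample data are constructed, not a real UEM schema.
BASELINE = {                      # required value for each restriction
    "camera_enabled": False,
    "screenshots_enabled": False,
    "bluetooth_transfer": False,
    "usb_transfer": False,
    "tethering": False,
    "firewall_enabled": True,
    "disk_encrypted": True,       # FileVault on macOS, BitLocker on Windows
}
MANAGED_NETWORKS = {"CORP-KIOSK-WIFI", "CORP-VPN"}   # hypothetical names
APPROVED_SITES = {"telehealth.example.org"}          # hypothetical allowlist

def audit_device(device):
    """Return a list of findings; an empty list means the kiosk is compliant."""
    findings = []
    settings = device.get("settings", {})
    for key, required in BASELINE.items():
        actual = settings.get(key)            # unreported setting -> None
        if actual is not required:            # fail closed on missing or non-bool values
            findings.append(f"{key}={actual!r} (required {required!r})")
    for net in sorted(set(device.get("networks", [])) - MANAGED_NETWORKS):
        findings.append(f"unmanaged network: {net}")
    sites = set(device.get("web_allowlist", []))
    if not sites:                             # no allowlist means unrestricted browsing
        findings.append("no web allowlist configured")
    for site in sorted(sites - APPROVED_SITES):
        findings.append(f"unapproved site: {site}")
    return findings

def audit_fleet(devices):
    """Map device id -> findings for every non-compliant kiosk."""
    report = {}
    for device in devices:
        findings = audit_device(device)
        if findings:
            report[device["id"]] = findings
    return report

FLEET = [  # constructed sample inventory
    {"id": "lobby-01", "settings": dict(BASELINE),
     "networks": ["CORP-KIOSK-WIFI"], "web_allowlist": ["telehealth.example.org"]},
    {"id": "er-02", "settings": {**BASELINE, "usb_transfer": True, "disk_encrypted": False},
     "networks": ["CORP-KIOSK-WIFI", "GuestWiFi"], "web_allowlist": ["telehealth.example.org"]},
    {"id": "clinic-03", "settings": {"camera_enabled": False},
     "networks": ["CORP-VPN"], "web_allowlist": []},
]

if __name__ == "__main__":
    for dev_id, findings in audit_fleet(FLEET).items():
        print(dev_id, findings)
```

A kiosk that does not report a setting is treated as non-compliant, so a device that has dropped out of management shows up in the report instead of passing silently.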

Following IT, logistics and retail, the healthcare sector has joined the bring your own device (BYOD) bandwagon, and with UEMs, businesses can enforce the BYOD policy. While the Android Enterprise initiative visibly segregates the work applications, the business container for iOS is hidden from plain sight. The built-in BYOD capabilities in a UEM promise privacy to the user and security to the enterprise. While this digital shift towards BYOD provides organizations with a competitive advantage in terms of quality of service, it becomes a win-win only when security flaws are addressed.

Final note 

As the average cost of a healthcare data breach rises to $7.1M, fines on HIPAA violations have increased to a maximum level of $25,000 per violation category. In healthcare, patients’ privacy is as important as their health. Therefore, institutions must ensure that every window leading to attacks on PHI, Personally Identifiable Information (PII) and other programs remains closed. Out of umpteen security solutions, securing your endpoint, the primary attack vector, with endpoint security tools would be the first step.

Shedding more light on this area, Hexnode’s November calendar is dedicated to endpoint security in the healthcare sector. The Hexnode Live event, themed ‘Powering Healthcare with Endpoint Security,’ will be aired on Thursday, 10th November 2022, at 10 AM CST. So, head on to the official site to book a slot and keep up with everything cyber in healthcare.


Apu Pavithran is the founder and CEO of Hexnode, the award-winning Unified Endpoint Management platform housed by Mitsogo Inc. Hexnode helps businesses manage mobile, desktop and workplace IoT devices from a single place. Recognized in the IT management community as a consultant, speaker and thought leader, Apu has been a strong advocate for IT governance and Information security management. He is passionate about entrepreneurship and devotes a substantial amount of time to working with startups and encouraging aspiring entrepreneurs. He also finds time from his busy schedule to contribute articles and insights on topics he strongly feels about.

