Modern healthcare utilizes a multitude of medical devices, including rugged Android tablets or rugged Linux tablets, for medical device monitoring, medical treatment, telehealth, electronic health record (EHR) access by caregivers, and much more. Increasingly, these medical devices are networked together to remotely share information, including EHRs. With network connectivity, the risk of data interception becomes a major concern. Securing Protected Health Information (PHI) through encryption, whether on the device itself or during network transmission, is the best way to prevent data breaches. The scope of the data security problem can be seen in the 2019 HIMSS Cybersecurity Survey.
Medical devices usually incorporate custom-designed electronic circuitry or commercial off-the-shelf (COTS) single board computers, combined with an accompanying operating system. Increasingly, the medical device may be a custom tablet running either the Android or Linux operating system. These custom medical devices must meet stringent safety and ruggedness requirements, and additionally incorporate physical and data security. Such designs best accomplish all product specifications, as opposed to trying to make a COTS tablet rugged and secure via retrofit outer enclosures, circuit attachments, and application software running on top of a standard operating system.
Data encryption in healthcare settings uses a combination of software and hardware methodologies. While most major mobile device manufacturers offer some form of hardware- and software-based encryption, these devices are not necessarily suitable for the requirements of healthcare environments. Software solutions can dominate vital processor and memory resources, which can impact device performance, particularly when the most powerful encryption and decryption methods are utilized.
Hardware-level encryption has less of an impact on device performance and is usually the preferred method to perform the complex calculations associated with high grade encryption and decryption. However, this requires associated hardware support built into the device. Rugged tablets that are purpose built can and do include embedded system security measures that integrate and enhance encryption and physical security in general.
The most secure and strongest encryption algorithm in wide use today, including for rugged device encryption, is AES-256. The goal is to have the strongest encryption anywhere data is stored or accessed which would require a decryption key to view or access it, without sacrificing medical device performance.
Data vulnerabilities can come through Wi-Fi networks, user login abuses, unsigned email, and generally poor user attention to data protection. While teaching best practices to medical personnel is an important step in preventing data breaches, healthcare organizations can take steps to secure the devices through robust encryption and other methods.
Medical grade rugged tablets and other medical devices often require enhanced Wi-Fi capability, particularly when connecting to networks within hospitals and medical facilities. Hospital and medical facility Wi-Fi networks often utilize enterprise-level encryption protocols such as WPA2-EAP and other related standards. Wi-Fi access points often utilize Cisco Compatible Extensions (CCX). Medical devices that connect to these networks are usually required to adhere to these enterprise encryption standards and CCX. Most Wi-Fi solutions, including those in most consumer grade and many professional tablets, do not have these capabilities. Custom medical tablets can be designed to incorporate Wi-Fi radios with enterprise encryption and CCX capability, along with associated software support integrated into their accompanying Android or Linux operating systems. This protects data in transit over networks.
In addition to network transmission, data must be protected while on the device, and while users of medical data are accessing it. As such, HIPAA compliance often utilizes a three-pronged approach to PHI protection: encryption, data masking, and tokenization.
Data encryption, whether applied to data in transit over a network as described above or to data stored in a particular location such as on a medical tablet, scrambles data into unreadable form, but is reversible via the use of encryption keys. Efficient encryption requires hardware support.
Tokenization is similar to encryption, in that PHI is transformed into unreadable formats, reversible with the proper tokens. Health records with PHI contain varied types of data, such as personal background information, treatment records, and financial data, some of which may require access by certain groups but not by others. Different tokens may be assigned to encrypt the different types of PHI for different audiences. A token management software package is required to manage these processes, while encryption/decryption using tokenization may utilize hardware encryption accelerators.
Data masking maintains the format of PHI, often in document or database form. Masked data is not reversible, but substitutes sensitive real data with generic text that is readable but removes personal identification. This allows a full data set to be maintained with associated statistics for analysis and study while removing HIPAA concerns. Data masking is performed in software.
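The contrast between reversible tokenization and irreversible masking described above can be seen in a short Python sketch. This is an added example, not code from any product the article describes; it assumes a vault-style token manager held in memory, and the record, the audience names (`clinician`, `billing`) and the access policy are all hypothetical.

```python
import secrets

# Constructed sample record; every value is fictional.
RECORD = {
    "name": "Jane Example",
    "ssn": "123-45-6789",
    "diagnosis": "Type 2 diabetes",
    "card_number": "4111-1111-1111-1111",
}

# Hypothetical policy: which audiences may detokenize each field.
FIELD_AUDIENCES = {
    "name": {"clinician", "billing"},
    "ssn": {"billing"},
    "diagnosis": {"clinician"},
    "card_number": {"billing"},
}


class TokenVault:
    """In-memory token manager: random tokens map back to the real values."""

    def __init__(self, policy):
        self._policy = policy
        self._store = {}  # token -> (field, original value)

    def tokenize(self, record):
        out = {}
        for field, value in record.items():
            token = "tok_" + secrets.token_hex(8)  # no mathematical link to value
            self._store[token] = (field, value)
            out[field] = token
        return out

    def detokenize(self, token, audience):
        field, value = self._store[token]
        if audience not in self._policy.get(field, set()):
            raise PermissionError(f"{audience} may not read {field}")
        return value


def mask(value):
    """Irreversible masking: keep length and punctuation, drop the content."""
    return "".join("9" if c.isdigit() else "X" if c.isalpha() else c for c in value)


def mask_record(record):
    return {field: mask(value) for field, value in record.items()}
```

The tokenized record can be restored field by field only for an audience the policy allows, while the masked record keeps its shape for analysis but holds nothing that can be restored.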
Any device that connects to hospital or medical facility networks requires extra security, like robust encryption which may not be part of a particular tablet’s design. The best rugged tablets are those that are designed with encryption and other security measures as part of a secure custom tablet design. Rugged tablets and medical devices that meet the criteria for healthcare settings are best positioned to perform their functions while meeting the various health care facility and HIPAA requirements for patient centered healthcare and data security, without sacrificing performance.