A new Scottish government-sponsored report on the use of Apple mobile ‘idevices’ in the NHS says the iPhone 4 and the iPod Touch 16Gb are best for the clinical environment.
The report, commissioned by NHS Dumfries and Galloway and carried out on behalf of Atos Origin Alliance, addressed the potential use of the iPhone 4 16Gb, iPhone Touch 8Gb and 32Gb and iPad 3G 16Gb in the NHS.
The board commissioned the work to support its plans to implement an iPhone application designed to provide access to its patient administration system to ensure information is available at the point of care.
The Scottish idevices report, which is now being shared with the wider NHS, found that where risks arose in which attackers might be able to view a small amount of patient data, it was mainly because of Apple’s “weak implementation of disk encryption”.
It says that the operating systems on the idevices had supported disk encryption since the iPhone 3GS and that iPads, iPods larger than 8Gb and the iPhone 4 models now include a hardware encryption accelerator.
However, the 8Gb iPod Touch does not support an encryption mechanism, meaning that data on the device could be accessible.
The report also raises concerns about Apple’s focus on user experience in a commercial context, which causes some problems in the healthcare environment.
For example, when a user closes an app using the device’s home button, the operating system takes a screenshot in order to improve the perceived performance time of the device when the application is reopened.
The report adds: “It is not possible to disable this functionality, something which, because of Apple’s focus on user experience is unlikely to become possible in the near future.”
It recommends that patients should be firmly educated to log out of the app and ensure that it is displaying the log on screen before closing it.
The report also identifies issues around the use of caching to capture patient information.
“All versions of the idevices cached words which have been typed by the user, including words typed in notes, mail, SMS and Safari applications.” It adds that keyboard caching “cannot be disabled.”
Although this poses a security issue, it states that users should be educated to build list views of their patients to reduce the need to enter names alongside patient data in such forms.
They should further be educated not to enter patient names in any of the free-text areas of the application used for storing information.
The report found that the majority of other security issues with the idevices, such as malicious individuals trying to connect between the 3G network and the NHS secured wireless network and using the idevice as a mass storage device to steal data, would require jailbreaking the device, where the operating system is modified to run any code rather than just code that has been digitally signed by Apple.
However, it says that Apple has stopped providing signatures for iOS versions older than 4.0.2 on iPhone 4 devices, meaning that it is no longer technically possible to downgrade an iPhone 4 or 3rd generation iPod running iOS 4.0.2 to a version which may be jailbroken.
It recommends the 32GB iPod touch and the iPhone 4 as the most secure devices for running the Cortix that will link the devices to the board’s patient administration system. It added that “the iPad lagged some way behind in terms of software updates.”
The report provides a series of guidelines to improve security on the devices, such as enabling remote wipe features and ensuring that all backups for the devices are stored on a machine which is located in a secure environment.