
How to combat mobile device perils in Healthcare


Mobile devices pose unique risks to the security of health information. These risks include:

  • Loss or theft: Because of their small size, laptops and other mobile devices can be lost or misplaced. They are also an easy target for theft. If proper security measures are not in place and activated, gaining access to information can be straightforward, potentially exposing sensitive data that reside on or are accessible from the device.
  • Unauthorized access: Most mobile device users seldom employ security mechanisms built into the device. If they do, they often apply settings that can be easily determined or bypassed.
  • Malware (viruses): Mobile malware can infect a mobile device when a user downloads a virus disguised as a game or security patch. Malware can also be appended to email, text and other instant messages available on mobile devices. Malware can intercept or access information on the mobile device, collect and send information out of the device and/or destroy stored information.
  • Cloning: If certain unique identifiers built into a smartphone are reprogrammed into a second cell phone, a clone is created that can masquerade as the original. Today, encryption prevents most device identifiers from being recovered and used to clone a device.

Ensuring Mobile Device Security in Healthcare

1. Install USB locks on computers, laptops or other devices that may contain sensitive information, to prevent unauthorized data transfer (uploads or downloads) through USB ports and thumb drives. The locks can be removed for authorized USB port use.

2. Consider geolocation tracking software or services for mobile devices.   Geolocation tracking software is a low-cost insurance policy against loss or theft that can immediately track, locate, or wipe the device of all data. The majority of healthcare organizations currently lack sufficient resources to prevent or detect unauthorized patient data access, loss or theft. And lost or stolen computing or data devices are the number one reason for healthcare data breach incidents.

3. Brick the mobile device when it is lost or stolen.

4. Encrypt. All mobile devices and the often-overlooked media, such as USB drives, should be encrypted if they will be used remotely. The cost of encryption is modest and is sound insurance against what has been demonstrated to be a significant risk to healthcare organizations. Most breaches do not occur because of cybercrime. They are associated with people. Even if organizations allow their employees to use their own tablets, laptops and smartphones, they should require encryption if there is a possibility sensitive data will be stored on those devices. Organizations may have a policy prohibiting the storage of sensitive information on personally owned devices, but it is a very hard policy to enforce. At the very least, organizations should require the use of company-owned and encrypted portable media.

5. Laptops put in “sleep” mode, as opposed to shutting them down completely, can render encryption products ineffective. Organizations are now routinely installing full-disk encryption on their employee laptops. However, most of the leading encryption products are configured so that once the password is entered, the laptop is unencrypted (and unprotected) until the laptop is shut down. Simply putting the laptop into “sleep” mode does not cause the encryption protection to kick back in. A laptop that is lost or stolen while in “sleep” mode is therefore completely unprotected. Employees should be clearly advised to completely shut down their laptops before removing them from the workplace (e.g. when taking them home for the evening) and to only use the full shutdown function, rather than “sleep” mode, when traveling or leaving their laptop unattended in an unsecured environment. This policy should be strictly enforced and audited.

6.   Mobile devices are an enforcement priority for the OCR and justify significant investment in secure technology by the covered entity. If such technology is beyond an organization’s means, then organizations shouldn’t permit mobile device access: it is inherently insecure and may end up costing your organization much more than supplying good technical safeguards.

7. Implement Electronic Protected Health Information (EPHI) security. The biggest issue healthcare organizations face when using mobile devices and creating a BYOD policy is EPHI security. With EPHI being accessed from a multitude of mobile devices, the risk that a virus introduced from a mobile device used to transmit EPHI will contaminate systems increases significantly. Mobile devices and BYOD policies leave a healthcare organization open to potential data breaches. With the increased vulnerabilities and as part of a data breach response plan, purchasing cyber liability insurance can help healthcare organizations protect themselves and the PHI they manage.

8. Healthcare organizations should work to get ahead of the “BYOD upgrade” curve by ensuring that the devices coming offline are adequately secured and checked before disposal or donation. Given human nature, even firm and clear information security policies will be sidestepped. One area of concern with BYOD is that, by definition, the user owns and is primarily in control of the device, not IT. Once a user upgrades to a new smartphone or mobile device, the devices coming offline are almost always overlooked. Such smartphones and other devices are typically given to children to play with, donated to various charity organizations or handed down to other family members, in many cases without confirmation that they’ve been sufficiently wiped, potentially leaving sensitive, confidential and other data intact. The result is a constant stream of devices going offline and posing significant data breach risks.

9. Have a proactive data management strategy. With an increasing number of healthcare practitioners using mobile devices to access patient-related information, a proactive data management strategy has never been more important. The healthcare industry can adopt data protection concepts from the financial industry. For example, credit card data is now increasingly sent using tokenization technology. This technology can be adopted for the healthcare industry to allow access to patient data on an as-needed basis. The goal of this strategy is to protect critical patient data through access profiles specific to mobile devices and related applications. The number of mobile devices accessing sensitive information will continue to grow, particularly as the adoption of EMR systems continually expands and complementary mobile applications allow for ease of access outside of the office.

10. Many health care providers are looking at developing or using apps, especially for tablets and iPhones. For those health care providers developing their own app or mobile clinic tablet, it is crucial to have the app development team sit down with the legal, privacy, and compliance counsel. This can head off all sorts of problems later on. Compliance always needs to win, and developers need to really understand that.
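
The tokenization approach described in item 9, as an added Python sketch that is not from the original article: a server-side vault swaps each patient field for a random token, and a device sees the clear value only for fields its access profile allows. The profile names, field names and the `TokenVault` class are hypothetical, and the sample record is constructed.

```python
import secrets

# Hypothetical access profiles: the PHI fields each client type may read in clear.
ACCESS_PROFILES = {
    "clinic_workstation": {"name", "mrn", "diagnosis", "ssn"},
    "physician_mobile": {"name", "diagnosis"},
    "scheduling_app": {"name"},
}


class TokenVault:
    """Server-side vault: real values stay here, devices hold only tokens."""

    def __init__(self):
        self._by_token = {}  # token -> (field, value)
        self._by_value = {}  # (field, value) -> token, so tokens stay stable

    def tokenize(self, field, value):
        key = (field, value)
        if key not in self._by_value:
            # Random token: nothing about the value can be derived from it.
            token = "tok_" + secrets.token_urlsafe(16)
            self._by_value[key] = token
            self._by_token[token] = key
        return self._by_value[key]

    def tokenize_record(self, record):
        return {f: self.tokenize(f, v) for f, v in record.items()}

    def detokenize(self, token, profile):
        """Return the clear value only if the profile is allowed that field."""
        field, value = self._by_token[token]  # KeyError for unknown tokens
        if field not in ACCESS_PROFILES.get(profile, set()):
            raise PermissionError(f"{profile} may not read {field}")
        return value

    def view(self, tokenized, profile):
        """What a device sees: clear text where allowed, the token otherwise."""
        allowed = ACCESS_PROFILES.get(profile, set())
        return {f: (self._by_token[t][1] if f in allowed else t)
                for f, t in tokenized.items()}


# Constructed sample record (not real patient data).
SAMPLE = {"name": "Jane Example", "mrn": "MRN-000123",
          "diagnosis": "J45.909", "ssn": "000-00-0000"}

if __name__ == "__main__":
    vault = TokenVault()
    stored = vault.tokenize_record(SAMPLE)
    print(vault.view(stored, "physician_mobile"))
```

A lost phone holding the `physician_mobile` view carries tokens in place of the record number and SSN, and an unknown profile is denied every field by default.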