Mobile devices — thumb drives, smartphones, external hard drives, tablets and laptops — are increasingly exposing protected health information (PHI) in the health care space, and the risk is growing, according to the Department of Homeland Security. Mobile devices pose significant privacy-incident risks for health care organizations, providers and other entities responsible for safeguarding PHI under the federal HITECH and HIPAA regulations. Because patient data can be moved, processed and shared via personal cell phones and tiny USB flash drives, the “bring your own device” phenomenon can wreak havoc on a hospital. To help health care entities reduce privacy incidents resulting from mobile risks, ID Experts has rounded up top security tips from experts — representing legal, data breach prevention, technology, health care IT, and security — for health care organizations.
Install USB locks on computers, laptops or other devices that may contain PHI or sensitive information, to prevent unauthorized data transfer (uploads or downloads) through USB ports and thumb drives.
– Christina Thielst, FACHE, vice president, Tower Consulting Group
The device easily plugs ports for a low-cost solution and offers an additional layer of security when encryption or other software is installed. The locks can be removed for authorized USB port use.
Consider geolocation tracking software or services for mobile devices.
– Rick Kam, CIPP, president and co-founder, ID Experts
Geolocation tracking software is a low-cost insurance policy against loss or theft that can immediately track, locate, or wipe the device of all data. The majority of health care organizations currently lack sufficient resources to prevent or detect unauthorized patient data access, loss or theft. And lost or stolen computing or data devices are the number one reason for health care data breach incidents.
Brick the mobile device when it is lost or stolen.
– Jon A. Neiditz, partner, Nelson Mullins Riley & Scarborough LLP
In the last year, ID Experts has seen greater acceptability among employees of "remote wipe" processes that "brick" the entire device when it is lost or stolen, rather than just wiping the encrypted silo of corporate information, for example. The reason that bricking the entire device is more acceptable, in their view, is that personal data is now more frequently backed up in cloud storage, so the bricking of the entire device does not result in data loss, and protects the employee as well as the company. This is the first tip in the context of BYOD programs.
Encrypt.
– Chris Apgar, CISSP, president and CEO, Apgar and Associates, LLC
All mobile devices and the often-overlooked media, such as USB drives, should be encrypted if they will be used remotely. The cost of encryption is modest and is sound insurance against what has been demonstrated to be a significant risk to health care organizations. Most breaches do not occur because of cyber crime. They are associated with people. Even if organizations allow their employees to use their own tablets, laptops and smartphones, they should require encryption if there is a possibility sensitive data will be stored on those devices. Organizations may have a policy prohibiting the storage of sensitive information on personally owned devices, but it is a very hard policy to enforce. At the very least, organizations should require the use of company-owned and encrypted portable media.
Laptops put in "sleep" mode, as opposed to shutting them down completely, can render encryption products ineffective.
– Winston Krone, managing director, Kivu Consulting
Health care organizations are now routinely installing full-disk encryption on their employee laptops. However, most of the leading encryption products are configured so that once the password is entered, the laptop is unencrypted (and unprotected) until the laptop is booted down. Simply putting the laptop into "sleep" mode does not cause the encryption protection to kick back in. A laptop that is lost or stolen while in "sleep" mode is therefore completely unprotected. Employees should be clearly advised to completely shut down their laptops before removing them from the workplace (e.g. when taking them home for the evening) and to only use the full shut down function, rather than "sleep" mode, when traveling or leaving their laptop unattended in an insecure environment. This policy should be strictly enforced and audited.
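As an added illustration of how the "shut down, never sleep" rule above could be audited and enforced on a Windows laptop (example code, not from the article or any of its contributors), the PowerShell below reads BitLocker status and the lid-close action from the active power plan, then reconfigures the plan so that closing the lid or idling hibernates the machine rather than suspending it. It assumes Windows 10/11 with the BitLocker module and an elevated session; the function names are my own.

```powershell
# Added example: audit and enforce "hibernate or shut down, never sleep" on a
# BitLocker-protected laptop. Sleep keeps the disk key in RAM; hibernate writes
# memory to disk and powers off, so the volume must be unlocked again on resume.
# Assumes Windows 10/11, the BitLocker PowerShell module and an elevated session.

function Get-LaptopEncryptionPosture {
    # Returns a report object an auditor can collect from each endpoint.
    $vol = Get-BitLockerVolume -MountPoint 'C:'
    # powercfg prints "Current AC Power Setting Index: 0x00000001"; pull the hex value.
    $lid = powercfg /query SCHEME_CURRENT SUB_BUTTONS LIDACTION |
        Select-String 'Current AC Power Setting Index: 0x([0-9A-Fa-f]+)'
    $lidAction = if ($lid) { [int]('0x' + $lid.Matches[0].Groups[1].Value) } else { -1 }
    [pscustomobject]@{
        Host               = $env:COMPUTERNAME
        BitLockerProtected = ($vol.ProtectionStatus -eq 'On')
        VolumeStatus       = $vol.VolumeStatus
        # LIDACTION: 0 = do nothing, 1 = sleep, 2 = hibernate, 3 = shut down
        LidClosesToSleep   = ($lidAction -eq 1)
        Compliant          = ($vol.ProtectionStatus -eq 'On') -and ($lidAction -ne 1)
    }
}

function Set-NoSleepPolicy {
    # Replace the weak setting (sleep) with hibernate on the active power plan.
    powercfg /hibernate on                                             # make sure hiberfil.sys exists
    powercfg /setacvalueindex SCHEME_CURRENT SUB_BUTTONS LIDACTION 2   # lid close -> hibernate (AC)
    powercfg /setdcvalueindex SCHEME_CURRENT SUB_BUTTONS LIDACTION 2   # lid close -> hibernate (battery)
    powercfg /change standby-timeout-ac 0                              # never auto-sleep
    powercfg /change standby-timeout-dc 0
    powercfg /change hibernate-timeout-ac 30                           # idle 30 min -> hibernate
    powercfg /change hibernate-timeout-dc 15
    powercfg /setactive SCHEME_CURRENT                                 # apply the changes
}

$before = Get-LaptopEncryptionPosture
if (-not $before.Compliant) {
    Set-NoSleepPolicy
}
Get-LaptopEncryptionPosture | Format-List   # report the post-change posture
```

One caveat: with a TPM-only BitLocker protector the TPM releases the key automatically at boot, so a hibernated laptop still resumes to the login screen without a pre-boot prompt; requiring a TPM+PIN protector is what makes a shut-down or hibernated laptop safe in transit.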
Recognize that members of the work force may use personal mobile devices to handle protected health information, even if contrary to policy.
– Adam H. Greene, partner, Davis Wright Tremaine LLP
Health care organizations should consider documenting this risk in their risk assessments, identifying the safeguards in place to limit the inappropriate use of personal devices (such as strong policies, training, and sanctions for noncompliance). To further reduce the risk, consider the root cause of the problem — what benefits are personal devices offering to employees that the organization's systems are lacking. For example, if clinicians are texting PHI from personal devices because a hospital does not offer a similarly convenient means of communicating, then the hospital may want to consider whether it can offer a secure alternative to texting.
Don't permit access to PHI by mobile devices without strong technical safeguards: encryption, data segmentation, remote data erasure and access controls, VPN software, etc.
– Kelly Hagan, attorney, Schwabe, Williamson & Wyatt
Mobile devices are an enforcement priority for the OCR and justify significant investment in secure technology by the covered entity. If such technology is beyond an organization's means, then organizations shouldn't permit mobile device access: It is inherently insecure and may end up costing your organization much more than supplying good technical safeguards.
Educate employees about the importance of safeguarding their mobile devices.
– Dr. Larry Ponemon, chairman and founder, Ponemon Institute
Risky behavior includes downloading applications and free software from unsanctioned online stores that may contain malware, turning off security settings, not encrypting data in transit or at rest, and not promptly reporting lost or stolen devices that may contain confidential and sensitive information.
Implement Electronic Protected Health Information (EPHI) security.
– Christine Marciano, president, Cyber Data Risk Managers LLC
The biggest issue health care organizations face when using mobile devices and creating a BYOD policy is EPHI security. With EPHI being accessed from a multitude of mobile devices, risks of contamination of systems by a virus introduced from a mobile device used to transmit EPHI significantly increase. Mobile devices and BYOD policies leave a health care organization open to potential data breaches. With the increased vulnerabilities and as part of a data breach response plan, purchasing cyber-liability insurance can help health care organizations protect themselves and the PHI they manage.
Health care organizations should work to get ahead of the "BYOD upgrade" curve by ensuring that the devices coming offline are adequately secured and checked before disposal or donation.
– Richard Santalesa, senior counsel, Information Law Group
Given human nature, even firm and clear information security policies will be sidestepped. One area of concern with BYOD is that, by definition, the user owns and is primarily in control of the device — not IT. Once a user upgrades to a new smartphone or mobile device, the devices coming offline are almost always overlooked. Such smartphones and other devices are typically given to children to play with, donated to various charity organizations or handed down to other family members — in many cases without confirmation that they've been sufficiently wiped, potentially leaving sensitive, confidential and other data intact. The result is a constant stream of devices going offline and posing significant data breach risks.
Have a proactive data management strategy.
– Chad Boeckman, president, Secure Digital Solutions, LLC
With an increasing number of health care practitioners using mobile devices to access patient-related information, a proactive data management strategy has never been more important. The health care industry can adopt data protection concepts from the financial industry. For example, credit cards are now increasingly sent using tokenization technology. This technology can be adopted for the health care industry to allow access to patient data on an as-needed basis. The goal of this strategy is to protect critical patient data through access profiles specific for mobile devices and related applications. Mobile devices accessing sensitive information will continue to grow, particularly as the adoption of EMR systems continually expands and complementary mobile applications allow for ease of access outside of the office.
Transparency and end-user consent opt-in.
– David Allen, CTO, Locaid Technologies
For any company collecting, sharing and/or storing personal information, clear and explicit user opt-in is key to maintaining a positive brand perception and authenticity. In spring 2012, Google and Apple, and a handful of popular smartphone applications were publicly scorned for compiling user information, including location data, and actual names, emails and phone numbers of contacts in users' address books. With numerous privacy lawsuits arising out of these cases, the important facet to recognize is that these companies are not under scrutiny for collecting the data; they're in trouble for not being transparent and obtaining consent from consumers.
The mobile Web and "app" landscape is not your father's Internet.
– Pam Dixon, executive director, World Privacy Forum
It's important that health care providers conduct a thorough technical review/risk audit of these new technologies before implementation. Assessments need to include how and when the technology will be used by patients and/or employees. Many health care providers are looking at developing or using apps, especially for tablets and iPhones, including everything from single apps like iPhone glucometers to providers handing out tablets for full "clinic in hand" programs. For those health care providers developing their own app or mobile clinic tablet, it is crucial to have the app development team sit down with the legal, privacy, and compliance counsel. This can head off all sorts of problems later on. Compliance always needs to win, and developers need to really understand that.