Risk
6/22/2012
05:45 PM
Dark Reading
Dark Reading
Products and Releases
Connect Directly
RSS
E-Mail
50%
50%

13 Security Tips To Combat Mobile Device Threats To Healthcare

Risks to patient data growing, as cited by Department of Homeland Security

PORTLAND, Ore. - June 13, 2012 - Mobile devices-thumb drives, smartphones, external hard drives, tablets and laptops-are increasingly exposing protected health information (PHI) in the healthcare space, with threat risks growing, according to the Department of Homeland Security. Mobile devices pose significant risks for privacy incidents for healthcare organizations, providers and entities responsible for safeguarding protected health information (PHI) under Federal HITECH and HIPAA regulations. Since patient data can be moved, processed and shared via personal cell phones and tiny USB flash drives, the Bring-Your-Own-Device phenomenon can wreak havoc on a hospital. To assist healthcare entities reduce privacy incidents resulting from mobile risks, 13 experts-representing legal, data breach prevention, technology, healthcare IT, and security-offer top tips for healthcare organizations. A complete list is available at http://www2.idexpertscorp.com/resources/BestPracticesChecklists/13-security-tips-to-combat-mobile-device-threats-to-healthcare/.

Click to Tweet: 13 Security Tips to Combat Mobile Device Threats to Healthcare #PHI http://bit.ly/Lg2faq via @IDExperts

13 Security Tips to Combat Mobile Device Threats to Healthcare 1. Install USB locks on computers, laptops or other devices that may contain PHI or sensitive information, to prevent unauthorized data transfer (uploads or downloads) through USB ports and thumb drives. Christina Thielst, FACHE, Tower Consulting The device easily plugs ports for a low cost solution and offers an additional layer of security when encryption or other software is installed. The locks can be removed for authorized USB port use.

2. Consider geolocation tracking software or services for mobile devices. Rick Kam, CIPP, president and co-founder, ID Experts Geolocation tracking software is a low-cost insurance policy against loss or theft that can immediately track, locate, or wipe the device of all data. The majority of healthcare organizations currently lack sufficient resources to prevent or detect unauthorized patient data access, loss or theft. And lost or stolen computing or data devices are the number one reason for healthcare data breach incidents.

3. Brick the mobile device when it is lost or stolen. Jon A. Neiditz, partner, Nelson Mullins Riley & Scarborough LLP In the last year, we have seen greater acceptability among employees of "remote wipe" processes that "brick" the entire device when it is lost or stolen, rather than just wiping the encrypted silo of corporate information, for example. The reason that bricking the entire device is more acceptable, in our view, is that personal data is now more frequently backed up in cloud storage, so the bricking of the entire device does not result in data loss, and protects the employee as well as the company. This is the first tip in the context of BYOD programs.

4. Encrypt. Chris Apgar, CISSP, president and CEO, Apgar and Associates, LLC All mobile devices and the often-overlooked media, such as USB drives, should be encrypted if they will be used remotely. The cost of encryption is modest and is sound insurance against what has been demonstrated to be a significant risk to healthcare organizations. Most breaches do not occur because of cybercrime. They are associated with people. Even if organizations allow their employees to use their own tablets, laptops and smartphones, they should require encryption if there is a possibility sensitive data will be stored on those devices. Organizations may have a policy prohibiting the storage of sensitive information on personally owned devices, but it is a very hard policy to enforced. At the very least, organizations should require the use of company owned and encrypted portable media.

5. Laptops put in "sleep" mode, as opposed to shutting them down completely, can render encryption products ineffective. Winston Krone, managing director, Kivu Consulting Healthcare organizations are now routinely installing full-disk encryption on their employee laptops. However, most of the leading encryption products are configured so that once the password is entered, the laptop is unencrypted (and unprotected) until the laptop is booted down. Simply putting the laptop into "sleep" mode does not cause the encryption protection to kick back in. A laptop that is lost or stolen while in "sleep" mode is therefore completely unprotected. Employees should be clearly advised to completely shut down their laptops before removing them from the workplace (e.g. when taking them home for the evening) and to only use the full shut down function, rather than "sleep" mode, when traveling or leaving their laptop unattended in an unsecure environment. This policy should be strictly enforced and audited.

6. Recognize that members of the workforce may use personal mobile devices to handle protected health information, even if contrary to policy. Adam H. Greene, partner, Davis Wright Tremaine LLP Healthcare organizations should consider documenting this risk in their risk assessments, identifying the safeguards in place to limit the inappropriate use of personal devices (such as strong policies, training, and sanctions for noncompliance). To further reduce the risk, consider the root cause of the problem-what benefits are personal devices offering to employees that the organization's systems are lacking. For example, if clinicians are texting PHI from personal devices because a hospital does not offer a similarly convenient means of communicating, then the hospital may want to consider whether it can offer a secure alternative to texting.

7. Don't permit access to PHI by mobile devices without strong technical safeguards: encryption, data segmentation, remote data erasure and access controls, VPN software, etc. Kelly Hagan, attorney, Schwabe, Williamson & Wyatt Mobile devices are an enforcement priority for the OCR and justify significant investment in secure technology by the covered entity. If such technology is beyond an organization's means, then organizations shouldn't permit mobile device access: it is inherently insecure and may end up costing your organization much more than supplying good technical safeguards.

8. Educate employees about the importance of safeguarding their mobile devices. Dr. Larry Ponemon, chairman and founder, Ponemon Institute Risky behavior includes downloading applications and free software from unsanctioned online stores that may contain malware, turning off security settings, not encrypting data in transit or at rest, and not promptly reporting lost or stolen devices that may contain confidential and sensitive information.

9. Implement Electronic Protected Health Information (EPHI) security. Christine Marciano, president, Cyber Data Risk Managers LLC The biggest issue healthcare organizations face when using mobile devices and creating a BYOD policy is EPHI security. With EPHI being accessed from a multitude of mobile devices, risks of contamination of systems by a virus introduced from a mobile device used to transmit EPHI significantly increase. Mobile devices and BYOD policies leave a healthcare organization open to potential data breaches. With the increased vulnerabilities and as part of a data breach response plan, purchasing cyber liability insurance can help healthcare organizations protect themselves and the PHI they manage.

10. Healthcare organizations should work to get ahead "of the BYOD upgrade" curve by ensuring that the devices coming offline are adequately secured and checked before disposal or donation. Richard Santalesa, senior counsel, Information Law Group Given human nature, even firm and clear information security policies will be sidestepped. One area of concern with BYOD is that, by definition, the user owns and is primarily in control of the device-not IT. Once a user upgrades to a new smartphone or mobile device, the devices coming offline are almost always overlooked. Such smartphone and other devices are typically given to children to play with, donated to various charity organization or handed down to other family members-in many cases without confirmation that they've been sufficiently wiped and potentially leaving sensitive, confidential and other data intact. The result is a constant stream of devices going offline and posing significant data breach risks.

11. Have a proactive data management strategy. Chad Boeckman, president, Secure Digital Solutions, LLC With an increasing number of healthcare practitioners using mobile devices to access patient related information a proactive data management strategy has never been more important. The healthcare industry can adopt data protection concepts from the financial industry. For example, credit cards are now increasingly sent using tokenization technology. This technology can be adopted for the healthcare industry to allow access to patient data on an as needed basis. The goal of this strategy is to protect critical patient data through access profiles specific for mobile devices and related applications. Mobile devices accessing sensitive information will continue to grow particularly as the adoption of EMR systems continually expands and complimentary mobile applications allow for ease of access outside of the office.

12. Transparency and End User Consent Opt-In. David Allen, CTO, Locaid Technologies For any company collecting, sharing and/or storing personal information, clear and explicit user opt-in is key to maintaining a positive brand perception and authenticity. In spring 2012, Google and Apple, and a handful of popular smartphone applications were publicly scorned for compiling user information, including location data, and actual names, emails and phone numbers of contacts in users' address books. With numerous privacy lawsuits arising out of these cases, the important facet to recognize is that these companies are not under scrutiny for collecting the data; they're in trouble for not being transparent and obtaining consent with consumers.

13. The mobile web and "app" landscape is not your father's Internet. Pam Dixon, executive director, World Privacy Forum It's important that health care providers conduct a thorough technical review/risk audit of these new technologies before implementation. Assessments need to include how and when the technology will be used by patients and/or employees. Many health care providers are looking at developing or using apps, especially for tablets and iPhones. I've seen everything from single apps like iPhone glucometers to providers handing out tablets for full "clinic in hand" programs. For those health care providers developing their own app or mobile clinic tablet, it is crucial to have the app development team sit down with the legal, privacy, and compliance counsel. This can head off all sorts of problems later on. Compliance always needs to win, and developers need to really understand that.

Homeland Security Highlights the growing Threats by Mobile Devices The Department of Homeland Security issued a report Attack Surface: Healthcare and Public Health Sector, noting that security threats against mobile devices include introduction of spyware and other malicious software; loss of treatment records or test results; and theft of patient data. The report states, "Since wireless medical devices are now connected to medical networks, IT networks are now remotely accessible through the medical device." The rapid adoption of electronic health records (EHRs) is accelerating the use of mobile devices in medicine. Mobile devices offer convenience and almost unlimited applicability to physicians and other medical professionals-communicating with patients, collaborating with colleagues (telemedicine), ordering drugs, and inputting patient data during visits. Patients use mobile technology to access to their medical information, to refill prescriptions, or make appointments.

Security Weaknesses Exist at Many Levels "Security weaknesses exist at many levels. Mobile devices were designed largely for consumer use and lack the "mature security controls" of large computer systems, according to the report, The Financial Impact of Breached Protected Health Information: A Business Case for Enhanced PHI Security," said Jim McCabe, senior director, standards facilitation, American National Standards Institute. "Low-security devices are used to access PHI on high-security networks, potentially causing privacy incidents. The portable nature of mobile devices also means they are easy to lose or steal. Unencrypted data on unsecured devices-data either stored "onboard" or on a SIM card-are vulnerable to exposure."

A complete list of 13 Security Tips to Combat Mobile Device Threats to Healthcare is available at http://www2.idexpertscorp.com/resources/BestPracticesChecklists/13-security-tips-to-combat-mobile-device-threats-to-healthcare/.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-4988
Published: 2014-07-09
Heap-based buffer overflow in the xjpegls.dll (aka JLS, JPEG-LS, or JPEG lossless) format plugin in XnView 1.99 and 1.99.1 allows remote attackers to execute arbitrary code via a crafted JLS image file.

CVE-2014-0207
Published: 2014-07-09
The cdf_read_short_sector function in cdf.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, allows remote attackers to cause a denial of service (assertion failure and application exit) via a crafted CDF file.

CVE-2014-0537
Published: 2014-07-09
Adobe Flash Player before 13.0.0.231 and 14.x before 14.0.0.145 on Windows and OS X and before 11.2.202.394 on Linux, Adobe AIR before 14.0.0.137 on Android, Adobe AIR SDK before 14.0.0.137, and Adobe AIR SDK & Compiler before 14.0.0.137 allow attackers to bypass intended access restrictions via uns...

CVE-2014-0539
Published: 2014-07-09
Adobe Flash Player before 13.0.0.231 and 14.x before 14.0.0.145 on Windows and OS X and before 11.2.202.394 on Linux, Adobe AIR before 14.0.0.137 on Android, Adobe AIR SDK before 14.0.0.137, and Adobe AIR SDK & Compiler before 14.0.0.137 allow attackers to bypass intended access restrictions via uns...

CVE-2014-3309
Published: 2014-07-09
The NTP implementation in Cisco IOS and IOS XE does not properly support use of the access-group command for a "deny all" configuration, which allows remote attackers to bypass intended restrictions on time synchronization via a standard query, aka Bug ID CSCuj66318.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Marilyn Cohodas and her guests look at the evolving nature of the relationship between CIO and CSO.