August 17, 2009
Keep Data Contained
Mobile devices offer many benefits, not the least of which is their ability to carry information virtually anywhere. However, with their deployment comes a whole new set of security challenges.
When a laptop was stolen from a locked filing cabinet in a locked office, it made Rob Israel give extra thought to the security of his organization’s mobile devices. As vice president and chief information officer (CIO) of John C. Lincoln Health Network, a Phoenix-area hospital group, Israel says he is responsible for any computerized device operated by Health Network users. “This particular laptop was brand new and had literally just been placed into service the day it was stolen,” says Israel. “Because it was so new and had hardly even been used that day, it wasn’t a huge risk of data loss.”
Had there been critical data stored on the device, the situation could have been disastrous. After all, there have been numerous cases where it’s happened to other organizations. “It’s almost every month that you read a story about information walking out the door and showing up in an inappropriate place,” says Israel.
In fact, a survey conducted jointly by Deloitte & Touche and the Ponemon Institute found that 85% of privacy and security professionals acknowledge that a reportable data breach has occurred within their organization. Even more alarming, 66% report multiple data breaches.
Israel says Lincoln’s health network had protected itself with powerful technology solutions, which allowed the group to ultimately retrieve the stolen laptop. “Through Lumension [a provider of operational end-point security options], we had some rock-solid solutions in place, such as remote machine management control, through which we are able to restrict what is written down and stored on our mobile devices,” he says. “And we also have asset tracking. In the case of the stolen laptop, a week later, when it was connected to the Internet, we received notification and were able to track and retrieve the device based on the IP address where it was connected.”
Many healthcare organizations rely on mobile technology to function. Smartphones, laptops, and PDAs, among other mobile devices, have become much-used and much-needed assets in today’s healthcare environment. While these devices can make life easier, they become a special challenge when sensitive data are stored on them. For healthcare organizations, protecting patient records, financial data, and other critical information is a major concern, and mobile devices, in particular, can make that difficult.
“By design, mobile devices are portable, and that can mean they tend to be more easily lost or taken than a device that stays put in an organization,” says Jon Ramsey, chief technology officer at SecureWorks, a provider of security services. “Whether it’s because the device was being shipped somewhere and got lost, was accidentally left somewhere, or was even stolen, the fact is that these devices do wind up missing—and that’s a problem.”
Besides critical data loss, missing or stolen mobile devices may also have financial repercussions. A study by the Ponemon Institute in conjunction with Intel found that the average cost to the enterprise of a stolen or lost laptop can be nearly $50,000 once you factor in not only the replacement of the device but also intellectual property loss, lost productivity, and even forensics, if the company goes that far. The report, which looked at 138 laptop loss incidents from 29 different companies, breaks down the cost this way:
• laptop replacement cost: $1,582;
• detection and escalation cost: $262;
• forensics and investigation cost: $814;
• data breach cost: $39,297;
• intellectual property loss: $5,871;
• lost productivity cost: $243; and
• other legal and regulatory costs: $1,117.
Even if the mobile device remains in the possession of the employee, it could still be at risk of being compromised by a hacker when taken out into the “real” world. “When a device is disconnected from the corporate network, it doesn’t get important updates such as antivirus software and antispyware,” says Ramsey. “Say a machine is compromised while plugged in at a hotel. Once it comes back to the office and gets reconnected with the network, you now have a situation where the infected device is attacking the corporate network.”
Fortunately, there are many software and technology-based solutions that organizations can implement to prevent data loss, whether intentional or by accident. For Israel, device control was one effective solution. “This essentially allows organizations to establish policies around how storage devices are hooked up to their computers and how data is permitted to move onto or off of those devices,” explains Don Leatham, senior director of solutions and strategy at Lumension. “Organizations have the ability to limit which users are allowed to connect portable storage devices and what they’re doing once they do connect them.”
Leatham adds that vulnerability assessment capabilities and patch management are also critical for protection. “A large majority of data breaches occur when malware attacks known vulnerabilities,” he says. “Simply making sure that all servers, desktops, laptops, and mobile devices are scanned and updated with the latest patches—as soon as they come onto the network, if possible—is one of the most unglamorous yet incredibly important things an organization can do to protect itself. If you look at one of the more famous recent malware attacks from a virus known as Conficker, it was almost a nonevent among corporate customers and people who continually patch their machines because this piece of malware took advantage of a known vulnerability and could be easily prevented with a single patch.”
To make sure all machines within his network are frequently updated, Israel says he has automated the process through Lumension. “Automatic patch management allows us to automate the process of rebooting the equipment. That way, all devices get the necessary updates,” he explains. “It will give users a countdown, warning them that they must reboot the machine within 72 hours. Just recently, I was in a conference room right before a presentation was about to start and the speaker’s laptop was saying it had to be rebooted because it had been sitting there unused for a while. Once the time runs out, you can’t do anything until you reboot. It may have prevented the presentation from starting on time, but it proved that the system works.”
Encryption is another key element to consider, adds Campbell. When loading information onto a mobile device, it’s important to realize that the information is not only accessible on that one device but essentially detectable by other devices as well. “It’s crucial to make sure that information is well encrypted so that it’s not easily compromised,” he says. “Once the information is on the device, you want it locked to only that one application which registers that it has the rights to use that information. This way no other application can be written to get at that information.”
Remote wipe capabilities are another helpful solution for devices frequently traveling beyond the confines of the organization, notes Philip Lieberman, CEO and president of Lieberman Software, a company providing enterprise solutions for security and systems management. “We use this technology ourselves,” he says. “If somebody tries to log on to the device unsuccessfully more than three times, it will wipe the machine. Or, if we know we lost the device, we can send a kill code to it.”
Besides protecting sensitive data, Lieberman adds that devices with a wipe capability lose their value to a thief, making them more likely to be returned. “We put a ‘return if found’ address on our mobile devices,” he says. “If the device is unusable, the thief is better off returning it and getting a reward fee than hanging on to it.”
While wipe capabilities are often effective for preventing data loss, Campbell points out that in order for the remote kill command to work on a mobile device, the device must be turned on and connected to the network. If the connection is turned off, the thief essentially has access to that device. “Going one security level beyond the remote kill switch is activating a lease key,” explains Campbell. “This would allow the information to be accessible for only a configurable amount of time when not connected to the network. If that time is exceeded, and the verification can’t be made, the information would be locked. It allows an organization to decide how uncomfortable they are with the information getting out there and then set the time limit as low as they want based on that level of comfort.”
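The lease key Campbell describes, combined with the failed-logon wipe Lieberman mentions, can be sketched as follows. This is an added example, not code from the article or from any vendor's product; the HMAC-signed lease format, the `DeviceGuard` class and every name in it are assumptions made for illustration. It also refuses a device clock that has moved backwards, since an offline time limit only holds if the clock cannot be wound back.

```python
import hashlib
import hmac
import json

# Assumptions (not from the article): the lease is a JSON blob signed with an
# HMAC key provisioned to the device; all names here are hypothetical.
MAX_FAILED_LOGONS = 3  # article: wipe after more than three failed logons


def issue_lease(key: bytes, device_id: str, now: float, ttl_s: int) -> dict:
    """Server side: sign a lease allowing ttl_s seconds of offline use."""
    body = json.dumps({"dev": device_id, "iat": now, "exp": now + ttl_s},
                      sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


class DeviceGuard:
    """Device side: decides whether protected data may be unlocked."""

    def __init__(self, key: bytes, device_id: str):
        self.key, self.device_id = key, device_id
        self.failed_logons = 0
        self.last_seen = 0.0  # highest clock value observed so far
        self.wiped = False

    def record_logon(self, success: bool) -> None:
        self.failed_logons = 0 if success else self.failed_logons + 1
        if self.failed_logons > MAX_FAILED_LOGONS:
            self.wiped = True  # stand-in for destroying the data key

    def access(self, lease: dict, now: float) -> str:
        if self.wiped:
            return "wiped"
        expected = hmac.new(self.key, lease["body"].encode(),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, lease["tag"]):
            return "locked: bad signature"
        claims = json.loads(lease["body"])
        if claims["dev"] != self.device_id:
            return "locked: wrong device"
        if now < self.last_seen or now < claims["iat"]:
            return "locked: clock rolled back"
        self.last_seen = now
        if now >= claims["exp"]:
            return "locked: lease expired"
        return "unlocked"
```

Shortening `ttl_s` is the "level of comfort" setting from the quote: the lower it is, the sooner a device that cannot reach the network locks its data.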
Enforcing Policies and Procedures
Effective policies and procedures should be written and based around the healthcare organization’s specific needs. Having flexibility that allows policies and procedures to apply to individual users and specific technology capabilities is also important.
“I encourage healthcare organizations to recognize if they have groups doing proprietary or publishable research,” says Leatham. “Research is essentially intellectual property. While the focus tends to be around protecting patient information, organizations that do research are likely creating intellectual property. While protecting patient data is obviously crucial, it’s also important that these organizations are considering protection of their intellectual property within their policies.”
It’s also vital that employees realize that any policies and procedures in place within the walls of an organization should be adhered to when outside the walls as well, advises Noack. “The healthcare providers that have access to critical information on a mobile device need to stick to procedure whether they’re in their car or on the floor of the hospital,” she says. “It should be enforced that policies and procedures apply wherever and whenever employees are using one of the facility’s mobile devices.”
Ramsey adds that there’s a lot of common sense to protecting mobile devices outside of the organization, but that doesn’t mean employees shouldn’t be educated on minimizing the risk of these removable forms of media. Many individuals aren’t overly cautious with their own personal devices, so they may need guidance. “For example, employees should be reminded not to leave these types of devices in their car in plain sight, or they risk someone doing a smash and grab,” he says. “Or, when you take a laptop home, don’t allow your kids to use it to browse the Web because Web sites are one of the most popular infection vectors. These are commonsense practices, but sometimes employees need to be reminded.”
While setting policies and procedures can help ensure that the proper steps are being taken to protect mobile devices both inside and outside of the organization, making sure employees are educated about those policies is another matter. In general, says Leatham, employees should be well trained and well schooled on both the technology and the policies and procedures that have been implemented. “Organizations also need to protect themselves against employees who may be in a position to leak data which is not policy enforced or protected with technology,” he adds. “Make this a serious issue with employees. One way to do this would be to require them to sign paperwork verifying they received training and understand what they’re being told.” Such a strategy makes employees accountable for helping the organization protect data.
“Policies and procedures are great, but the problem is that you can’t expect your end users to remember and understand them all,” says Israel, who adds that John C. Lincoln Health Network may have as many as 5,000 policies in place dealing with everything from absenteeism to trash removal. “Sometimes just having the policy can put you at even greater risk by becoming complacent; you just assume it’s being followed. The key to making policy and procedure truly effective is communication. You need to constantly reeducate people on why these policies are in place, whether it be through e-blasts, memos, or whatever other means is effective at your organization.”
Additionally, there’s the problem of employees not adhering to policy and procedure. The reason? The difficulty lies not in developing the right policies and procedures but in establishing justified penalties. “I don’t believe there’s a lot of real corporate or personal motivation financially or otherwise to prevent data loss from happening,” says Lieberman. “I’m not aware of any CIO getting fired for a security breach or even of any bonus or salary being affected either. There appears to be almost zero personal accountability for the security posture and response mechanisms at the C-level and IT operations level of most organizations. If the company suffers a multimillion dollar loss due to poor security policy adherence, there are not personal penalties.”
Making It Work
Israel says there’s no better way to do that than to work closely with the end users who will be operating the devices on a daily basis. It can take time, but coming up with solutions that work for everyone—and being highly communicative about any policies and procedures established—is critical. Adds Israel: “Don’t just implement a bunch of security options for the sake of claiming you’re more secure. Take the time to actually work with the end users and a flexible vendor, and you’ll have the best possible system in place.”
— Lindsey Getz is a freelance writer based in Royersford, Pa.