January 14, 2013
Left to Their Own Device
By Susan Chapman
For The Record
Vol. 25 No. 1 P. 14
As the number of healthcare professionals toting their personal mobile devices to work increases, so does the risk of a subsequent security breach.
As mobile technology advances, hospitals and other healthcare facilities are increasingly evolving into bring-your-own-device (BYOD) environments. This transformation challenges organizations to remain HIPAA compliant while addressing issues such as device and application management, and vulnerability to malicious attacks.
Aruba Networks’ 2012 Healthcare Mobility Trends survey revealed that 85% of healthcare facilities support their physicians and staff using personal devices at work. However, the level of use varies. For instance, 53% of organizations limit users to Internet access, 24% provide limited access to hospital applications, and only 8% enable full access to the hospital network.
Nearly the same percentage of facilities (83%) supports using an iPad. Additionally, 65% support using the iPhone and iPod touch. Also of note, in healthcare settings, BlackBerry use outpaces that of Android-based devices, with 52% of organizations supporting BlackBerry and 46% supporting Android. Sixty percent of healthcare facilities support EHR applications on mobile devices.
With the proliferation of mobile devices comes a greater risk of security issues. Stu Sjouwerman, founder and CEO of KnowBe4, a security-training company, believes that the only way BYOD can work is if the individual healthcare organization supplies the devices and apps. “This is very tough on private offices, though,” he says. “In hospitals, it can be difficult as well because doctors, responsible for life-and-death situations, place certain demands on the facility and its IT department.”
When healthcare staff can use personal devices at work, there are some mobile tools that are easier to manage than others because of their design. For instance, iPad apps are sandboxed, meaning each application also is its own storage container. And if an app has its own security, it can be isolated within the device. An example would be an app featuring e-mail, contacts, a calendar, a Web browser, and a file repository that securely keeps all that information without interacting with the rest of the device.
In many environments, if users want their personal mobile device on the network, they must register for mobile device management, which is server based. From that point forward, an application would exist on the device and check in with the mobile device management. Over time, the server would send policies and configuration profiles offering features such as access to the facility network. In this scenario, users enter into an agreement with the facility to use their own device with the caveat that the hospital can control access to the internal network and other features.
Personal laptops pose different issues. With these devices, owners typically maintain administrator rights, meaning they can change settings and install and uninstall applications at any time. In essence, the healthcare facility lacks control.
Smart organizations will create a policy that when users bring laptops into the hospital environment, they must allow a new administrator account to be created, relinquish their administrative rights, and make an agreement that the device can be wiped of information at any time. Additionally, users should enroll in mobile device management, agree to password strength requirements, and run antivirus and antimalware software on a regular basis.
One solution to help mitigate this complicated process is to run a virtual machine on the user’s PC. Much like running a computer session remotely, this process keeps the laptop isolated and does not interact with the rest of the computer. It also means that no files reside on the laptop itself. Instead, all files are stored on the computer’s remote session. Essentially, the user is on a different computer that is being controlled and secured from a remote location.
Sjouwerman says that although there are processes and safeguards available, BYOD invites numerous risks into the hospital setting. “IT often gets marching orders that are incomplete,” he says. “They have to get things done on time, but hackers can get through. The facility has to be HIPAA compliant, which means that the devices must go through a series of application controls, but that doesn’t always happen. It just depends on the IT group and the demands that are placed on it.”
Angela Dinh Rose, MHA, RHIA, CHPS, director of HIM solutions at AHIMA, agrees that it is safer and smarter for facilities to supply personal devices. However, that’s not always economically feasible. She also points out that current HIPAA regulations addressing protected health information (PHI) are not cut-and-dried, leaving room for interpretation.
“Covered entities must protect PHI,” Dinh Rose says. “HIPAA security regulations protect all electronic PHI regardless of medium. These regulations mandate facilities to physically protect data and maintain an inventory record of equipment. There also must be policies and procedures that regulate the use of mobile devices, and users should have to sign a user agreement before using their devices.”
Dinh Rose says strict IT policies are in place at AHIMA. “For instance, we can access our e-mail on our personal devices, but we have to give permission that our devices can be wiped at any time,” she notes.
Organizations can follow several safe-practice guidelines, Dinh Rose says. For example, IT might permit information to be passed through a mobile device but not be stored. Also, every few months, users could be required to bring their devices to IT to make sure security and encryption still exist.
Lisa Sotto, head of the privacy and data security practice at the law firm of Hunton & Williams LLP and managing partner of its New York office, believes business and personal technology tools often are commingled and will continue in that direction for the foreseeable future. “There is incentive for organizations to have staff purchase their own devices; it’s much cheaper,” she says. “But with mobile devices comes the greater chance of mischief and a reduced ability to see what’s going on.”
The proliferation of mobile devices has changed the security landscape. “We require encryption of business data on a mobile device and the ability to wipe that data off the device no matter where the device is located,” Sotto says. “So even if the device is lost or stolen, we can take the necessary precautions to ensure the integrity of the data.”
According to Sotto, an increasing number of clients has adopted audit trail capability to track who is viewing and changing data. “Regardless of where you access data, if you are doing so through the employer’s network, there can be robust audit trails,” she says. “We also have to be sure that in the event of legal action, these devices remain available for discovery purposes and can be accessed to allow the hospital to produce documents requested in litigation. The same holds true for separation. If an employee leaves the organization, we need to be able to retrieve the business data on the device.”
Malicious Attack Risks
Experts concur that combating nefarious behavior is an issue in a BYOD environment. “We’re facing cyber security attacks as cyber criminals seek personal data and intellectual property,” Sotto says. “There is a precarious balance between the rewards and dangers of BYOD in the healthcare environment.”
One of the biggest threats to security, particularly in a BYOD setting, is social engineering, a technique hackers use to prey on human vulnerabilities to gain access to information. “The two main ways cyber criminals access individuals’ devices are by sending e-mails that either must be opened to prevent a negative consequence or offer you something for free,” Sjouwerman says. “Once an unsuspecting user opens such an attachment, the owner’s password can be accessed or malware can infect the device. The latter can not only infect the individual’s personal device, but it can also spread across the network to every mobile device.”
Sjouwerman’s list of BYOD “gotchas” that can lead to security breaches include weak passwords; nonencrypted data (a particular danger because mobile devices are prone to being stolen); accessing social media, a known “breeding ground” for social engineering attacks; the lack of virus and malware protection; and connections to unknown wireless networks.
“Only a small percentage of IT departments is completely aware of the mobile devices regularly accessing their networks,” he says. “That makes it difficult to train employees in proper security protocols and acceptable use policy and give them security awareness training. All of this raises the danger of a damaging data breach occurring.”
If a user is hacked, it’s important that the breach be handled from the top down, Sjouwerman adds. IT security experts need to analyze what type of data have been accessed and their level of confidentiality. “There are consequences when a hospital is exposed,” he says. “And the cost may not be worth it. That said, there is insurance for these occurrences that is still affordable. Hospitals should take care to be covered.”
Sotto and Sjouwerman stress that training is critical to help keep information safe in a BYOD setting. Both note that people are the human firewall in this type of environment and must have the knowledge to keep information secure.
“The problem is that mobile device security has not kept pace with mobile device crime,” Sotto says. “Criminals go where the money is, and the money is in mobility, so it’s vital to be aware of the risks. BYOD is a major paradigm shift. It’s a battle in the ongoing war of security vs. usability—and usability is winning.”
One of the most overlooked aspects of mobile device security is making certain that healthcare organizations take it seriously. “HIPAA mandates that there be security awareness training, which helps to ensure that people are not tricked by social engineering,” Sjouwerman says. “But usually hospitals treat this training like yearly sexual harassment seminars. We test our clients by sending them two bogus e-mails a month to see if anyone opens them. If a user does open a suspicious e-mail, then we schedule additional training.”
As mobile devices become more sophisticated and attractive to the general public yearning for the latest and greatest, the situation at healthcare facilities figures to only get more complicated.
“Mobile devices are still a hot topic,” Sotto says. “Every time a new one comes along, [privacy experts] have to figure out something new. But we’re in a nascent stage, and we don’t have a perfect solution.”
— Susan Chapman is a Los Angeles-based writer and author.
Lessons of the Unencrypted
Last October, The Daily Progess reported that an on-call pharmacist at the University of Virginia (UVa) Medical Center had lost a handheld device containing more than 1,500 unencrypted patient medical records. According to a notice from the medical center, published on December 1, 2012, information on the device may have included details such as “patients’ names, addresses, diagnoses, medications and health insurance identification numbers that in some instances are Social Security numbers.”
Those affected were patients treated by continuum home infusion in September 2012 and individuals referred to the home IV service from August 2007 through September 2012. UVa states that the incident could impact 1,846 medical records. However, the medical center also offers that the device is likely lost, not stolen, and that the data, which do not include banking or credit card information, have not been accessed or used.
“Lost devices are a reality,” says Angela Dinh Rose, MHA, RHIA, CHPS, director of HIM solutions at AHIMA. “This could easily happen in any organization. It’s important to make sure that all protected health information, or PHI, is safeguarded where it resides. Organizations have to have full inventory of all devices and must be sure that PHI isn’t stored on the devices, as not all handheld devices have encryption.”
UVa Medical Center, which is now encrypting all its handheld devices, began notifying patients of the security breach on November 30, 2012, and opened a dedicated call center on December 3. Robert “Bo” Cofield, associate vice president for hospital and clinics operations, told The Daily Progress that the delay in notification was necessary to allow time for “forensic work to identify exactly what information was on the device and complying with various state and federal regulations tied to notification requirements.”