Healthcare providers who wish to take advantage of the burgeoning capabilities of mobile devices such as smartphones, tablets and laptops must be aware of the security risks that open up through use the latest technology.
As you assess your mobile strategy and how you will take charge of your patients' protected health information (PHI), consider the following 13 tips, contributed by information security experts.
1. Consider USB locks. These can be for your computer, laptop or any other device that may contain PHI or sensitive information, said Christina Thielst, vice president at Tower Consulting Group. A USB lock can help prevent unauthorized data transfer — whether uploads or downloads — through USB ports and thumb drives. "The device easily plugs ports for a low-cost solution and offers an additional layer of security when encryption or other software is installed," she said. "The locks can be removed for authorized USB port use."
2. Try geolocation tracking software or services. Rick Kam, president and cofounder of ID Experts, said this software is a low-cost insurance policy against loss or theft that can immediately track, locate or wipe a device of all data on it. "The majority of healthcare organizations currently lack sufficient resources to prevent or detect unauthorized patient data access, loss or theft," he said. "And lost or stolen computing or data services are the number one reason for healthcare data breach incidents."
3. 'Brick' the device if it becomes lost or stolen. "In the last year, we have seen greater acceptability among employees of 'remote wipe' processes that 'brick' the entire device when it's lost or stolen, rather than just wiping the encrypted silo of corporate information, for example," said Jon Neiditz, partner at Nelson Mullins Riley & Scarborough LLP. The reason, he continued, that bricking the device is more acceptable is because personal data is now more frequently backed up in cloud storage, "so the bricking of the entire device doesn't result in data loss," he said.
4. Encrypt, encrypt, encrypt. All mobile devices, including often overlooked hardware such as USB drives, should be encrypted if they are going to be used remotely, said Chris Apgar, president and CEO at Apgar and Associates. "The cost of encryption is modest and is sound insurance against what has been demonstrated to be a significant risk to healthcare organizations," he said. "Most breaches do not occur because of cybercrime – they are associated with people."
5. Forget about 'sleep mode.' According to Winston Krone, managing director at Kivu Consulting, most of the leading encryption products that organizations are "routinely installing" are configured so that once the password is entered, the laptop is unencrypted and therefore, unprotected, until it's booted down. "Simply putting the laptop into 'sleep' mode doesn't cause the encryption protection to kick back in," he said. "A laptop that is stolen while in 'sleep' mode is therefore completely unprotected."
6. Recognize that employees will use personal devices. This is true even if it's contrary to policy, said Adam Greene, partner at Davis Wright Tremaine LLP. "Healthcare organizations should consider documenting this in their risk assessments, identifying the safeguards in place to limit the inappropriate use of personal devices," he said. To further reduce this risk, he continued, consider the root cause of the problem. "What benefits are personal devices offering to employees that the organization's systems are lacking?"
7. Use strong safeguards to permit access to PHI through mobile devices. Mobile devices are an enforcement priority for the Office of Civil Rights and justify significant investment in secure technology by the covered entity, said Kelly Hagan, attorney at Schwabe, Williamson & Wyatt. "If such technology is beyond an organization's means, then organizations shouldn't permit mobile device access," she said. "It is inherently insecure and may end up costing your organization much more than supplying good technical safeguards."
8. Educate employees on the importance of safeguarding their mobile devices. "Risky behavior includes downloading applications and free software from unsanctioned online stores that may contain malware, turning off security settings, not encrypting data in transit or at rest, and not promptly reporting lost or stolen devices that may contain confidential and sensitive information," said Larry Ponemon, chairman and founder of the Ponemon Institute.
9. Implement electronic protected health information (EPHI) security. Christine Marciano, president at Cyber Data Risk Managers, said the biggest issue healthcare organizations face when using mobile devices and creating a bring-your-own-device (BYOD) policy is EPHI security. "With EPHI being accessed from a multitude of mobile devices, risks of contamination of systems by a virus introduced from a mobile device used to transmit EPHI significantly increase," she said. "Mobile devices and BYOD policies leave a healthcare organization open to potential data breaches."
10. Work to get ahead of the "BYOD upgrade curve." Organizations should ensure that devices coming offline are adequately secured and checked before disposal or donation, said Richard Santalesa, senior counsel at Information Law Group. "Given human nature, even firm and clear information security policies will be sidestepped," he said. "One area of concern with BYOD is that, by definition, the user owns and is primarily in control of the device — not IT." Once a user upgrades to a new smartphone, he continued, the devices coming offline are almost always overlooked.
11. Have a proactive data management strategy. With an increasing number of healthcare practitioners using mobile devices to access patient information, said Chad Boeckman, president of Secure Digital Solutions, a proactive data management strategy has never been more important. "The healthcare industry can adopt data protection concepts from the financial industry," he said. "For example, credit cards are now increasingly sent using tokenization technology." This technology, he added, can be adopted for the healthcare industry to allow access to patient data on an as-needed basis.
12. Keep in mind transparency and end-user consent opt-in. "For any company collecting, sharing, and/or storing personal information, clear and explicit user opt-in is key to maintaining a positive brand perception and authenticity," said David Allen, CTO at Locaid Technologies. "In spring 2012, Google, Apple and a handful of popular smartphone applications were publicly scorned for compiling user information, including location data and actual names, emails, and phone numbers." With privacy lawsuits rising, Allen continued, it's important to recognize these companies have gotten in trouble for failing to remain transparent with obtaining consent with consumers.
13. Remember that the mobile Web and "app" landscape is not your father's Internet. Pamela Dixon, executive director at World Privacy Forum, said it's important that healthcare providers conduct a thorough technical review/risk audit of these new technologies before implementation. "Assessments need to include how and when the technology will be used by patients and/or employees," she said. "Many healthcare providers are looking at developing or using apps, especially for tablets and iPhones…For those healthcare providers developing their own app or mobile clinic tablet, it's crucial to have the app development team sit down with the legal, privacy and compliance counsel."