Survey sounds alarm on BYOD security


Security isn't high on the list of priorities among healthcare providers who have adopted or are considering a bring-your-own-device (BYOD) strategy, according to a recently released survey. As a result, officials warned, many healthcare organizations may be violating HIPAA guidelines for protecting sensitive patient data.

"They're not keeping pace with the changes in technology," said Rick Dakin, CEO and chief security strategist for Coalfire, the Louisville, Colo.-based IT governance, risk and compliance firm that conducted the survey. "And this isn't just a minor shift – it's the tectonic plates of IT shifting."

According to the survey, conducted in July among 400 individuals in a wide range of industries across North America, 49 percent of those responding said their IT departments haven't discussed security issues on mobile devices with them, and 51 percent say their companies don't have the capability of remotely wiping data from a device if it is stolen or lost.

“The BYOD trend is not slowing down, and while it has many benefits, it’s also introducing a number of new security risks that may be foreign to many companies,” Dakin said in a press release accompanying the survey. “The results of this survey demonstrate that companies must do much more to protect their critical infrastructure as employees work from their own mobile devices, such as tablets and smartphones, in the workplace. Companies need to have security and education policies in place that protect company data on personal devices.”
In analyzing the healthcare-specific aspects of the survey, Dakin said he noticed some disturbing trends. For example, he said, while providers might have security systems in place to protect data on PCs, less than half had similar controls in place for mobile devices. In addition, he said, providers aren't conducting annual audits to identify new threats, new environments, and new and justified controls, as required by HIPAA.

"Clearly, that's not happening in the healthcare industry," he said.

And while healthcare is embroiled in a debate over whether hospitals should allow BYOD policies or govern which devices can be brought in, Dakin said they're missing the point. BYOD or no BYOD, he said, physicians, staff and especially patients still bring their smartphones into a hospital, and a large percentage of them access their e-mail and/or Facebook during their free time.

Avoiding a BYOD policy "just says they're not paying attention to a risk that is in place today," he said. "The BYOD problem is here, and it's here in spades. There's no turning back – there's no turning off smartphones."

In a September blog post on mHIMSS.org, Brian Phelps, an emergency room doctor and president of Montrue Technologies, questioned whether BYOD policies can ensure the proper protections for data stored on and transmitted via mobile devices.

"How can health IT departments keep track of all these devices and keep them secure?" he asked. "Can IT departments, already stretched to the brink with meaningful use, really troubleshoot all these different devices and different operating systems? Everywhere I’ve worked, the help desk seemed quite busy enough."

According to Dakin, the easiest manner in which to ensure security of data on mobile devices is to make sure the applications are secure. That means researching the apps on the market and holding vendors accountable for the security of their products.

"It's unfathomable…that somebody can introduce healthcare apps with no security provisions," he said.

Dakin said healthcare providers might not be taking the threat seriously. During this year's HIMSS12 conference in Las Vegas, he said, he attended a session on BYOD in which the chief technology officer of a large healthcare system said he doesn't worry about HIPAA because "we have Apple devices and Apple devices are inherently secure."

"My jaw hit the floor," Dakin said.

The Coalfire survey pointed out concerns not just with businesses, but with their employees as well. For example:

  • 84 percent of individuals stated they use the same smartphone for personal and work issues.
  • 47 percent reported they have no passcode on their mobile phone.
  • 36 percent re-use the same password.
  • Despite the growing awareness, 60 percent are still writing down passwords on a piece of paper. There is progress, however, as 24 percent reported using a password management system, 11 percent are saving an encrypted document on their desktop and 7 percent have a document saved on their desktop.

The issues of privacy and security on mobile devices are being debated in many corners, from the Wireless-Life Sciences Alliance's Convergence Summit earlier this year in San Diego to the recent mHealth World Congress in Boston and the Institute for Health Technology Transformation's HIT Summit in Seattle. This December, following the mHealth Summit in Washington D.C., Healthcare IT News will convene its own privacy and security summit in Boston. Included in that two-day conference is a panel discussion focusing on security practices for mobile devices.

It's even drawn the attention of Congress. In June, Sen. Al Franken (D-Minn.) introduced the "Protect Our Health Privacy Act of 2012," which calls on the federal government to "require all covered entities to encrypt portable devices that store protected health information." His bill would also restrict medical contractors' use of protected health information and require agencies to report to Congress on any information they receive regarding privacy breaches and any enforcement action they take.

Franken also wrote a letter to Health and Human Services Secretary Kathleen Sebelius, urging her to take action.

"It is imperative the HHS use its regulatory authority to safeguard patient data and secure patient trust," he wrote. "I urge you to issue long overdue, statutorily required guidance on the 'minimum necessity' standard, which governs the type and amount of protected health information that entities can share. I also ask that you continue to take steps to address the security of protected health information that is stored on portable media, like laptops."

Add new comment