Mobile devices offer a great deal of convenience as well as nearly unlimited applicability to patients, physicians and medical professionals. Mobile devices improve ease and efficiency of communicating with patients, collaborating with physicians, ordering prescriptions or drugs and inputting patient data during visits. In addition, many patients have been using mobile technology to access their medical information, refill prescriptions or make appointments.
Unfortunately, there is also a downside to mobile devices in healthcare — a greater vulnerability to data breaches. According to the report "Attack Surface: Healthcare and Public Health Sector," by the Department of Homeland Security, mobile devices face security threats such as spyware and malicious software, loss of treatment records or test results and theft of patient data. The portability of mobile devices also means they are easy to lose or steal.
In the face of a "bring your own device" era — a phenomenon that has been growing over the past few months — healthcare executives can never have too much information on protecting patient data. BYOD encompasses smart phones, tablets and flash drives. ID Experts, a provider of comprehensive data breach solutions, offers tips from industry experts, representing legal, data breach prevention, technology and healthcare IT and security. Here are 10 tips for healthcare organizations to secure data on computers, laptops, mobile devices and flash drives in the face of the BYOD phenomenon.
- Adopt a proactive data management strategy from the financial industry.
With an increasing number of healthcare practitioners using mobile devices to access patient related information, a proactive data management strategy has never been more important. According to Chad Boeckman, president of Secure Digital Solutions, an information, compliance management and privacy company, the healthcare industry can adopt data protection concepts from the financial industry.
He says credit card numbers are increasingly transmitted using tokenization, a technology that replaces sensitive data with unique identification symbols that retain the essential information of the data. "This technology can be adopted for the healthcare industry to allow access to patient data on an as-needed basis," Mr. Boeckman says. "The goal of this strategy is to protect critical patient data through access profiles specific for mobile devices and related applications."
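The tokenization and access-profile idea above, as an added example that is not code from the article or from Secure Digital Solutions. It assumes an in-memory dictionary standing in for a hardened token vault, a constructed set of sensitive fields and access profiles, and a constructed patient record; tokens are random, so a token stored on a phone reveals nothing about the value it replaces, and only the vault, checking the caller's profile, can map it back.

```python
import hashlib
import hmac
import secrets

# Fields that never leave the vault in clear form. Constructed for this example.
SENSITIVE_FIELDS = {"name", "mrn", "ssn"}

# Access profiles: which sensitive fields each client type may detokenize.
# Constructed for this example; a real deployment would load these from policy.
ACCESS_PROFILES = {
    "mobile_clinician": {"name"},          # phone app: patient name only
    "mobile_scheduler": set(),             # scheduling app: tokens only
    "billing_workstation": {"name", "mrn", "ssn"},
}


class TokenVault:
    """In-memory stand-in for a hardened token vault (assumption, not a real product).

    Tokens are random and carry no information about the value they replace;
    only the vault can map a token back. A keyed HMAC of the value is used for
    lookup so the same value always yields the same token without the vault
    keeping plaintext as a dictionary key.
    """

    def __init__(self, lookup_key: bytes):
        self._lookup_key = lookup_key
        self._token_to_value = {}   # token -> plaintext (encrypted at rest in a real vault)
        self._digest_to_token = {}  # HMAC(field:value) -> token

    def tokenize(self, field: str, value: str) -> str:
        digest = hmac.new(self._lookup_key,
                          f"{field}:{value}".encode("utf-8"),
                          hashlib.sha256).hexdigest()
        token = self._digest_to_token.get(digest)
        if token is None:
            token = f"tok_{field}_{secrets.token_hex(8)}"
            self._digest_to_token[digest] = token
            self._token_to_value[token] = value
        return token

    def detokenize(self, token: str) -> str:
        return self._token_to_value[token]


def tokenize_record(vault: TokenVault, record: dict) -> dict:
    """Replace every sensitive field with a vault token; other fields pass through."""
    return {
        field: vault.tokenize(field, value) if field in SENSITIVE_FIELDS else value
        for field, value in record.items()
    }


def detokenize_field(vault: TokenVault, tokenized: dict, field: str, profile: str) -> str:
    """Return the clear value of one field, or refuse if the profile lacks access."""
    if field not in ACCESS_PROFILES.get(profile, set()):
        raise PermissionError(f"profile {profile!r} may not detokenize {field!r}")
    return vault.detokenize(tokenized[field])


def reveal_for_profile(vault: TokenVault, tokenized: dict, profile: str) -> dict:
    """Return the record view a given access profile is allowed to see:
    permitted sensitive fields in clear, the rest left as tokens."""
    view = dict(tokenized)
    for field in SENSITIVE_FIELDS & set(tokenized):
        if field in ACCESS_PROFILES.get(profile, set()):
            view[field] = vault.detokenize(tokenized[field])
    return view


if __name__ == "__main__":
    # Constructed sample record; the SSN is a textbook dummy value.
    vault = TokenVault(lookup_key=secrets.token_bytes(32))
    patient = {"name": "Jane Doe", "mrn": "MRN-00042",
               "ssn": "123-45-6789", "visit": "2024-01-05 09:30"}
    stored = tokenize_record(vault, patient)
    print("stored on mobile:", stored)
    print("clinician view:", reveal_for_profile(vault, stored, "mobile_clinician"))
    print("billing view:", reveal_for_profile(vault, stored, "billing_workstation"))
```

The design point is that the mobile application only ever holds tokens; a lost phone yields `tok_ssn_...` strings, and the decision about who may resolve them is made centrally by the vault against the access profile, not on the device.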
- Recognize the prevalence of personal devices.
Hospitals need to realize that members of their workforce may use personal mobile devices to handle protected health information, even if policy forbids it. According to Adam Greene, partner at Davis Wright Tremaine, a Seattle-based law firm, healthcare organizations should consider documenting this risk in their risk assessments. "Hospitals should be identifying the safeguards to limit inappropriate use of personal devices, such as strong policies, training and sanctions for noncompliance," says Mr. Greene. In addition, he recommends that hospitals consider the root cause of the problem. "What benefits are personal devices offering to employees that the organization's systems are lacking?" Mr. Greene says. "For example, if clinicians are texting PHI from personal devices because a hospital does not offer a similarly convenient means of communicating, then the hospital may want to consider whether it can offer a secure alternative to texting."
- Conduct thorough risk audit for mobile application landscape.
It is important that healthcare providers conduct a thorough technical review and risk audit of the mobile web and application landscape before implementation. According to Pam Dixon, executive director of World Privacy Forum, a non-profit, non-partisan organization that conducts research, analysis and consumer education in privacy, assessments need to include how and when the technology will be used by physicians, nurses and patients.
"Many healthcare providers are looking at developing or using apps, especially for tablets and iPhones. I've seen everything from single apps like iPhone glucometers to providers handing out tablets for full 'clinic in hand' programs. For those healthcare providers developing their own app or mobile clinic tablet, it is crucial to have the app development team sit down with the legal, privacy and compliance counsel. This can head off all sorts of problems later on," said Ms. Dixon.
- Educate employees on risky behavior.
Hospitals need to educate employees about the importance of safeguarding their mobile devices and avoiding risky behavior. According to Dr. Larry Ponemon, chairman and founder of Ponemon Institute, risky behavior includes downloading applications and free software from unsanctioned online stores that may contain malware, turning off security settings, not encrypting data in transit or at rest and failing to promptly report lost or stolen devices that may contain confidential and sensitive information.
- Encrypt all devices.
All mobile devices and USB drives should be encrypted if they will be used remotely. According to Chris Apgar, CISSP, president and CEO of Apgar and Associates, which provides privacy, information security, HIPAA, regulatory and electronic health information exchange consulting services, the modest cost of encryption provides sound insurance against a significant risk to healthcare organizations.
"Most breaches do not occur because of cybercrime. They are associated with people. Even if organizations allow their employees to use their own tablets, laptops and smartphones, they should require encryption if sensitive data [may] be stored on those devices," said Mr. Apgar. Organizations may have a policy prohibiting the storage of sensitive information on personally owned devices, but it is a very hard policy to enforce. At the very least, organizations should require the use of company-owned and encrypted portable media.
- Use geolocation-tracking software.
Consider geolocation-tracking software or services for mobile devices, says Rick Kam, CIPP, president and co-founder of ID Experts. Geolocation-tracking software lets a phone carrier or security company determine the physical location of a device. The majority of healthcare organizations currently lack sufficient resources to prevent or detect unauthorized patient data access, loss or theft. In addition, lost or stolen computing or data devices are the number one reason for healthcare data breach incidents. "In the future, healthcare organizations may be able to track physicians' or nurses' mobile devices if they are lost while holding PHI," says Mr. Kam.
- Brick the mobile device when it is lost or stolen.
Bricking is important for the "bring your own device" era because it makes a phone completely unusable. Bricking can be used when wiping the phone of information is not enough. The term "brick" or "bricking" comes from the phrase "making it as useful as a brick." According to Jon Neiditz, partner at Nelson Mullins Riley & Scarborough, bricking devices has picked up as an effective means to protect a phone. "In the last year, we have seen greater acceptability among employees of 'remote wipe' processes that 'brick' the entire device when it is lost or stolen, rather than just wiping the [mobile device] of corporate information," said Mr. Neiditz.
Since personal data is often backed up in cloud storage, bricking an entire device does not result in data loss and protects the employee as well as the company. According to Mr. Kam, bricking is important because some physicians use their mobile devices as secondary authentication to access a hospital's system. "With bricking, the device becomes entirely inoperable so the mobile phone cannot be used as a hacking device," says Mr. Kam.
- Install USB locks.
Hospitals should install USB locks on computers, laptops and other devices that contain protected or sensitive health information to prevent unauthorized data transfer — uploads or downloads — through USB ports and thumb drives, says Christina Thielst of Tower Consulting, a nationwide executive search firm. A USB lock device doesn't cost much, easily plugs ports and offers an additional layer of security alongside encryption or other software. When necessary, the locks can be removed for authorized USB port use.
- Regularly shut off computers and laptops.
According to Winston Krone, managing director of Kivu Consulting, which conducts computer forensics, e-discovery and investigations for organizations, putting laptops in "sleep" mode, as opposed to shutting them down completely, can render encryption products ineffective. Healthcare organizations are now routinely installing full-disk encryption on their employee laptops.
However, most of the leading encryption products are configured so that once the password is entered, the laptop is unencrypted and unprotected until it is shut down. "Simply putting the laptop into 'sleep' mode does not cause the encryption protection to kick back in. A laptop that is lost or stolen while in 'sleep' mode is therefore completely unprotected. Employees should be clearly advised to completely shut down their laptops before removing them from the workplace," said Mr. Krone.
- Clean PHI off old devices.
Healthcare organizations should work to get ahead of the "bring your own device" curve by ensuring that devices coming offline are adequately secured and checked before disposal or donation, says Richard Santalesa, senior counsel for Information Law Group. With "bring your own device," the user — not the IT department — owns and is primarily in control of the device. "Once a physician or nurse upgrades to a new smartphone or mobile device, the devices coming offline are almost always overlooked. Such smartphones and other devices are typically given to children to play with, donated to various charity organizations or handed down to other family members — in many cases without confirmation that they've been sufficiently wiped and potentially leaving sensitive, confidential and other data intact," said Mr. Santalesa. The result could be a constant stream of devices going offline and posing significant data breach risks.
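The "checked before disposal" step above, as an added example that is not code from the article or from Information Law Group: a residual-data scan that a device-retirement process can run over a raw storage dump before the device is donated or handed down. The device image, its toy directory layout and the PHI patterns (a hypothetical MRN format, a loose SSN pattern, an e-mail pattern) are all constructed for this example; the point it shows is that an ordinary "delete" leaves the bytes in place and only an overwrite passes the check.

```python
import re

# Illustrative PHI markers; the MRN format is hypothetical and the SSN and
# e-mail patterns are deliberately loose (this is a residue detector, not a
# validator). Constructed for this example.
PHI_PATTERNS = {
    "ssn": re.compile(rb"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(rb"\bMRN-\d{5,}\b"),
    "email": re.compile(rb"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
}


def scan_for_phi(image: bytes):
    """Return (kind, offset, matched_bytes) for every PHI-looking marker found
    anywhere in the raw image, including space the filesystem considers free.
    The whole image is scanned in one pass; a multi-gigabyte dump would be
    read in overlapping chunks instead."""
    hits = []
    for kind, pattern in PHI_PATTERNS.items():
        for m in pattern.finditer(image):
            hits.append((kind, m.start(), m.group(0)))
    return sorted(hits, key=lambda h: h[1])


def is_wiped(image: bytes) -> bool:
    """A device passes only if no PHI markers remain and the storage has been
    overwritten (all zero bytes in this simplified check)."""
    return not scan_for_phi(image) and image.count(0) == len(image)


# --- constructed device image -------------------------------------------
# A toy "filesystem": a directory table naming the file, then the file's data,
# then free space. Real devices are more complex; the point is that deleting
# the directory entry leaves the data bytes in place.
def build_image() -> bytes:
    directory = b"DIR:notes.txt@64\x00"
    data = (b"Patient Jane Doe MRN-00042 SSN 123-45-6789 "
            b"contact jane.doe@example.com\n")
    body = directory.ljust(64, b"\x00") + data
    return body.ljust(512, b"\x00")


def delete_file(image: bytes) -> bytes:
    """Simulate an ordinary 'delete': drop the directory entry, keep the data."""
    return b"\x00" * 64 + image[64:]


def overwrite_wipe(image: bytes) -> bytes:
    """Simulate a full overwrite of the storage."""
    return b"\x00" * len(image)


if __name__ == "__main__":
    img = build_image()
    for label, candidate in [("as used", img), ("after delete", delete_file(img)),
                             ("after wipe", overwrite_wipe(img))]:
        hits = scan_for_phi(candidate)
        print(f"{label:13s} wiped={is_wiped(candidate)!s:5s} "
              f"residue={[(k, off) for k, off, _ in hits]}")
```

On a real phone the equivalent check is run against a forensic image of the device (or, for encrypted devices, a confirmation that the factory reset destroyed the key), and the pattern list is drawn from the organization's own identifier formats rather than the illustrative ones here.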
With the increase of mobile devices in healthcare and the BYOD phenomenon, it is increasingly important for hospitals to stay educated on new tips and strategies for protecting their patient data. All types of mobile devices including laptops, smart phones, tablets and flash drives need to be included in security protocols. When executives can direct security for patient data to be more comprehensive and innovative, the chance of a data breach lessens.