Don't let inadequate security be your downfall


Mobile devices (thumb drives, smartphones, external hard drives, tablets, and laptop computers) are creating risks for exposure of protected health information (PHI).

These mobile devices are increasingly exposing PHI, and the risk of privacy incidents is rising, according to the U.S. Department of Homeland Security (DHS).

Security threats against mobile devices include the introduction of spyware and other malicious software, loss of treatment records or test results, and theft of patient data, according to the DHS report "Attack Surface: Healthcare and Public Health Sector." It states: "Since wireless medical devices are now connected to medical networks, information technology networks are now remotely accessible through the medical device."

The rapid adoption of electronic health records is also accelerating the use of mobile devices in healthcare.

Because staff can move, process, and share patient data on personal cell phones and tiny USB flash drives, the "bring your own device" (BYOD) phenomenon is posing new challenges for healthcare organizations.

How can you help reduce privacy incidents that are the result of mobile risks?

Experts who work in legal, data breach prevention, technology, healthcare IT, and security offer 13 recommendations for consideration by your healthcare organization.


USB locks

Install USB locks on desktop computers, laptop computers, and other devices that may contain PHI or sensitive information. This step can prevent unauthorized data transfer (both uploads and downloads) through USB ports and thumb drives, says Christina Thielst, FACHE, vice president at the Tower Consulting Group, based in Playa Vista, Calif.

The locks physically plug unused ports at low cost and add a layer of protection on top of encryption or other software controls, Thielst says. Because a physical lock can be removed with the right tool, it works best alongside operating-system device-control policies that block unauthorized removable media.

Geolocation tracking software

Consider geolocation tracking software or services for mobile devices, says Rick Kam, CIPP, president and cofounder of ID Experts in Portland, Ore. Geolocation tracking software is a low-cost insurance policy against loss or theft that can immediately track, locate, or wipe the device of all data, says Kam. A remote locate or wipe command reaches the device only while it is powered on and connected, so this control complements, rather than replaces, encryption of the data at rest.

Most healthcare organizations currently lack sufficient resources to prevent or detect unauthorized patient data access, loss, or theft. Lost or stolen computing or data devices are the top reason for healthcare data breach incidents, Kam says.


'Brick' lost and stolen mobile devices

"Brick" the mobile device when it is lost or stolen, says Jon A. Neiditz, Esq., a partner at Nelson Mullins Riley & Scarborough, LLP's Atlanta office.

Employee acceptance of "remote wipe" processes that "brick" an entire device (that is, wipe it entirely rather than only the corporate container) when it is lost or stolen, instead of simply deleting the encrypted silo of corporate information, has grown in the past year, Neiditz says.

Wiping an entire device is more acceptable now because personal data is more frequently backed up in cloud storage, so a full wipe does not result in loss of the employee's personal data, and it protects both employees and employers, he says.

Neiditz recommends healthcare organizations implement this as a first step in protecting against breaches from BYOD devices.


Encryption

Encrypt, advises Chris Apgar, CISSP, president and CEO of Apgar and Associates, LLC, in Portland, Ore.

You should encrypt all mobile devices and the often-overlooked media, such as USB drives, if workforce members will use them remotely, says Apgar. The cost of encryption is modest and it is sound insurance against what has been demonstrated to be a significant risk to healthcare organizations.

Most breaches do not occur because of cybercrime, Apgar says. Rather, they are associated with people. Even if ­organizations allow employees to use their own tablets, laptop computers, and smartphones, they should require encryption if the possibility that ­sensitive data will be stored on these devices exists, Apgar says.

Organizations might have policies that prohibit the storage of sensitive information on personally owned devices, but they are very difficult to enforce, he cautions. At the very least, organizations should require use of company-owned and encrypted portable media.


Shut down laptop computers

Shut down laptop computers completely instead of using sleep mode, which can render encryption products ineffective, says Winston Krone, managing director at Kivu Consulting in San Francisco.

Healthcare organizations now routinely install ­full-disk encryption on employees' laptop computers, he says.

However, full-disk encryption protects data only while the disk is locked. Once a user enters the password at boot, the decryption key is loaded into memory and the operating system reads and writes the disk transparently; the key stays resident until the laptop is fully shut down. Sleep mode preserves memory contents, so the key remains in RAM and the data is available to anyone who can get past the screen lock or extract the key from memory (for example, with a cold-boot or DMA attack). A laptop that is lost or stolen while in sleep mode is therefore not protected by its disk encryption. Hibernation, which writes memory to disk and powers the machine off, also evicts the key with most products, provided the hibernation file sits on the encrypted volume.

Organizations should clearly advise workforce members to shut laptop computers down completely before removing them from the workplace and to always use the full shutdown function rather than sleep mode when traveling or leaving a laptop unattended in an unsecured environment.

Organizations should strictly enforce and audit this policy, Krone says.

Personal mobile devices

Recognize that workforce members may use personal mobile devices to handle PHI, even if it is contrary to your policy, says Adam Greene, JD, MPH, a partner at Davis Wright Tremaine, LLP, in Washington, D.C.

Healthcare organizations should consider documenting this in their risk assessments and identify safeguards established to limit inappropriate use of personal devices (e.g., strong policies, training, sanctions for noncompliance), Greene says.

Further reduce the risk by considering the root cause of the problem: what benefits do personal devices offer employees that an organization's systems lack? For example, if clinicians text PHI from personal devices because a hospital does not offer a similarly convenient means of communication, consider offering a secure alternative to texting, Greene says.


Strong technical safeguards

Don't permit access to PHI via mobile devices without strong technical safeguards, says Kelly Hagan, Esq., of Schwabe, Williamson & Wyatt in Portland, Ore. These safeguards include encryption, data segmentation, remote data erasure, access controls, and virtual private network (VPN) software.

Mobile devices are an enforcement priority for the HHS Office for Civil Rights (OCR) and justify significant investment in secure technology by covered entities, Hagan says. If such technology is beyond an organization's means, then it should not permit mobile device access, he says. Mobile devices are inherently insecure and may end up costing the organization much more than supplying good technical safeguards, he says.


Employee education

Educate employees about the importance of safeguarding their mobile devices, says Larry Ponemon, PhD, CIPP, chairman and founder of the Ponemon Institute in Traverse City, Mich.

Risky behavior includes downloading applications and free software from unsanctioned online stores that may contain malware, turning off security settings, failing to encrypt data in transit or at rest, and failing to promptly report lost or stolen devices that may contain confidential and sensitive information.


Security of ePHI

Implement ePHI security, says Christine Marciano, president of Cyber Data Risk Managers, LLC, a data breach insurance company in Freehold, N.J.

Marciano considers ePHI the biggest issue healthcare organizations face when using mobile devices and creating a BYOD policy. Accessing ePHI from a multitude of mobile devices significantly increases the risks of system contamination by viruses introduced by mobile devices, she says.

Mobile devices and BYOD policies leave a healthcare organization open to potential data breaches.

Healthcare organizations should consider purchasing cyber liability insurance as part of their data breach response plans to protect themselves and the PHI they manage against these increased vulnerabilities, Marciano says.


Device disposal and donation

Ensure that devices coming offline are adequately secured and checked before disposal or donation, says Richard Santalesa, Esq., senior counsel at the Information Law Group in Fairfield, Conn.

Doing so helps ensure that a healthcare organization gets ahead of the BYOD upgrade curve, he says.

Recognize human nature for what it is, and anticipate that staff will sidestep even firm and clear information security policies, Santalesa says. One concern with BYOD is that users own and are primarily in control of their devices, not your IT department.

Devices coming offline when users upgrade to new smartphones or mobile devices are almost always overlooked, he says.

Smartphones and other devices typically become toys for children, are donated to various charitable organizations, or are given to other family members, often without confirmation that they have been sufficiently wiped clean. This leaves potentially sensitive, confidential, and other data intact, Santalesa says. The result is a constant stream of devices going offline and posing significant data breach risks.


Proactive data management strategy

Implement a proactive data management strategy, says Chad Boeckman, president of Secure Digital Solutions, LLC, in Saint Louis Park, Minn.

As an increasing number of healthcare practitioners use mobile devices to access patient information, a proactive data management strategy has never been more important, he says.

The healthcare industry can adopt data protection concepts from the financial industry, Boeckman says. For example, payment systems increasingly use tokenization: the card number is replaced by a random surrogate value (a token) that is useless outside the system that issued it, so systems and devices that do not need the real number never hold it. The same approach can be applied to patient data to allow access on an as-needed basis. The goal of this strategy is protecting critical patient data through access profiles specifically for mobile devices and related applications.

Accessing sensitive information with mobile devices will increase, particularly with greater adoption of electronic medical record systems and complementary mobile applications that allow easy access outside the office, Boeckman says.
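As an added illustration of the tokenization approach described above (example code written for this article, not a product of Secure Digital Solutions or any payment-industry implementation): patient identifiers are replaced with random tokens before a record reaches a mobile application, and only an access profile entitled to a field can exchange the token for the real value. The field names, profile names and the sample record are assumptions.

```python
"""Tokenization of patient identifiers with per-profile detokenization.

Added example (not from the article or any vendor). Field names, profile
names and the sample record are illustrative assumptions.
"""
import secrets

# Fields treated as direct identifiers; the stored/transmitted record carries
# random tokens for these, never the values themselves.
SENSITIVE_FIELDS = {"mrn", "name", "dob"}

# Hypothetical access profiles: which sensitive fields a profile may
# detokenize. A mobile profile gets none, so a lost phone yields only tokens.
PROFILES = {
    "clinician_workstation": {"mrn", "name", "dob"},
    "mobile_results_app": set(),
}


class TokenVault:
    """Server-side mapping token -> value. Tokens are random, so they cannot
    be reversed, guessed, or correlated with the data they replace."""

    def __init__(self):
        self._store = {}
        self.audit = []  # (profile, field, allowed) for activity review

    def tokenize(self, value):
        token = "tok_" + secrets.token_urlsafe(16)
        self._store[token] = value
        return token

    def detokenize(self, token, field, profile):
        allowed = field in PROFILES[profile]
        self.audit.append((profile, field, allowed))
        if not allowed:
            raise PermissionError(f"{profile} may not detokenize {field}")
        return self._store[token]


def tokenize_record(vault, record):
    """Replace identifier fields with tokens; leave other fields as-is."""
    return {
        k: vault.tokenize(v) if k in SENSITIVE_FIELDS else v
        for k, v in record.items()
    }


def view_for_profile(vault, tokenized, profile):
    """Build the view a given profile is entitled to. Fields the profile may
    not detokenize stay as opaque tokens."""
    view = {}
    for k, v in tokenized.items():
        if k in SENSITIVE_FIELDS and k in PROFILES[profile]:
            view[k] = vault.detokenize(v, k, profile)
        else:
            view[k] = v
    return view


def is_token(value):
    return isinstance(value, str) and value.startswith("tok_")


if __name__ == "__main__":
    vault = TokenVault()
    # Constructed sample record, not real patient data.
    record = {"mrn": "000123456", "name": "Jane Doe", "dob": "1970-01-01",
              "lab_result": "HbA1c 7.2%"}
    stored = tokenize_record(vault, record)
    print(view_for_profile(vault, stored, "mobile_results_app"))
    print(view_for_profile(vault, stored, "clinician_workstation"))
```

The design point is that the token is random rather than a hash of the identifier: a hash of a medical record number can be brute-forced from the small space of valid numbers, whereas a random token reveals nothing without the vault. The vault's audit list also gives the activity-review process a record of every denied detokenization attempt.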


Transparency and end-user opt-in

Require transparency and end-user consent opt-in, says David Allen, chief technology officer at Locaid Technologies in San Francisco. Clear and explicit user opt-in is essential for maintaining a positive brand perception and authenticity for any company collecting, sharing, and/or storing personal information, he says.

Apple, Google, and several popular smartphone apps were publicly criticized earlier this year for collecting user information, including location data and the names, email addresses, and telephone numbers in users' address books.

Data collection is not the ­problem; litigation focuses on the lack of transparency and consumer consent.


Not your father's Internet

Finally, always remember that the mobile Web and "app" landscape is not your father's Internet, says Pam Dixon, executive director of World Privacy Forum in San Diego, a nonprofit public interest research group that focuses on privacy research, analysis, and consumer education.

Conducting a thorough technical review and risk audit of these new technologies before implementation is important, she says. Assessments must include how and when patients and/or employees will use the technology.

Many healthcare providers are considering developing or using apps, especially for tablets and iPhone® devices. "I've seen everything from single apps like iPhone glucometers to providers handing out tablets for full 'clinic in hand' programs," Dixon says.

A healthcare provider that is developing its own app or mobile clinic tablet must ensure that its development team consults legal, privacy, and compliance counsel to anticipate and prevent future problems. "Compliance always needs to win, and developers need to really understand that," Dixon says.


Integrity of PHI at ABC Organization

The HIPAA Security Rule calls for data integrity measures under the Technical Safeguards section of the rule (45 CFR 164.312). These are:

1. A required Integrity standard [164.312(c)(1)] with an underlying, addressable implementation specification [164.312(c)(2)] calling for electronic mechanisms to corroborate that an organization's ePHI has not been altered or destroyed in an unauthorized manner (ePHI at rest).

2. An addressable implementation specification, Integrity controls [164.312(e)(2)(i)], under the Transmission Security standard [164.312(e)(1)], calling for security measures to ensure that electronically transmitted ePHI is not improperly modified without detection.


Since integrity is one of the three major principles of information security, along with confidentiality and availability, it follows that a covered entity's information security program must take steps to ensure the integrity of protected information.

This organization complies with HIPAA's integrity requirements through a variety of mechanisms.


Administrative mechanisms

All users with access to ePHI are required to be formally authorized for such access, and only when required for performance of one's job. (See policy XXX, procedure YYY, and form ZZZ.)

Access is granted at the minimum necessary level for job performance. For example, front desk users who do not need access to clinical data do not receive clinical data access (within the technical capabilities of the system). And users needing inquiry access only do not receive update capability. (See policy XXX.)

All users with access to ePHI are issued unique user IDs so that activity can be traced back to an individual. (See policy XXX.)

User access to ePHI requires user authentication, such as passwords, meeting organization standards. (See policy XXX and Password Standards.)

Processes are in place (a) to periodically review who has access to ePHI and (b) to frequently review logs of system activity. (See policy XXX and Information System Activity Review Procedures.)
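The activity review above is only as good as the rules applied to the logs. As an added example (not part of this organization's procedures or any product), the script below runs a first pass over constructed audit records and flags the cases the administrative mechanisms are meant to prevent: a front desk user reading clinical data, an inquiry-only user performing an update, a deactivated user ID still in use, and an audit line that cannot be parsed. The log format, role matrix, user IDs and sample lines are all assumptions.

```python
"""Automated first pass over ePHI access logs (added example, not the
organization's own tooling). Log format, roles and sample lines are
constructed assumptions."""
import re
from collections import namedtuple

# Permitted actions per role and data category (minimum-necessary matrix).
# "auditor" is inquiry-only: it can read but never update.
ROLE_PERMISSIONS = {
    "frontdesk": {"demographics": {"READ", "UPDATE"}},
    "nurse": {"demographics": {"READ"}, "clinical": {"READ", "UPDATE"}},
    "auditor": {"demographics": {"READ"}, "clinical": {"READ"}},
}

# User IDs whose access should already have been revoked (e.g. terminated).
DEACTIVATED_USERS = {"tbrown"}

LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
    r"action=(?P<action>READ|UPDATE|DELETE) "
    r"object=(?P<category>[a-z]+)/(?P<record>\S+)$"
)

Finding = namedtuple("Finding", "ts user reason")


def check_event(ev):
    """Return a reason string if the event violates policy, else None."""
    if ev["user"] in DEACTIVATED_USERS:
        return "access by deactivated user"
    allowed = ROLE_PERMISSIONS.get(ev["role"], {}).get(ev["category"], set())
    if ev["action"] not in allowed:
        return f"role {ev['role']} not permitted to {ev['action']} {ev['category']} data"
    return None


def review(lines):
    """Parse each log line and collect policy findings. Unparseable lines are
    reported too: a gap in the audit trail is itself an integrity problem."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line.strip())
        if not m:
            findings.append(Finding(None, None, f"line {n}: unparseable audit record"))
            continue
        ev = m.groupdict()
        reason = check_event(ev)
        if reason:
            findings.append(Finding(ev["ts"], ev["user"], reason))
    return findings


# Constructed sample log lines (not real data).
SAMPLE_LOG = """\
2013-03-04T09:12:00 user=jsmith role=frontdesk action=READ object=demographics/000123456
2013-03-04T09:13:10 user=jsmith role=frontdesk action=READ object=clinical/lab/4412
2013-03-04T09:15:42 user=tbrown role=nurse action=READ object=clinical/notes/8891
2013-03-04T09:20:05 user=kwhite role=auditor action=UPDATE object=clinical/lab/4412
2013-03-04T09:21:00 user=mlee role=nurse action=UPDATE object=clinical/lab/4413
2013-03-04T09:22:xx user=mlee action=READ
""".splitlines()

if __name__ == "__main__":
    for f in review(SAMPLE_LOG):
        print(f)
```

In practice the role matrix would be loaded from the access-authorization records (policy XXX above) and the deactivated list from the HR termination feed, so that the review compares what the system logged against what was actually approved rather than against a hand-maintained table.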

The workforce receives training on use of the ePHI application(s), including performing data entry/update, and security training on (see Training Modules XXX):

  • Password management
  • Protecting the workstation and materials
  • Reporting security incidents

Access for users who no longer need it (e.g., on termination) is removed promptly so that they cannot access protected systems.

Data backup and recovery procedures are thoroughly documented to minimize the impact of a system failure.


The mechanisms above help ensure that only users with a work-related need are granted access to ePHI, and that user access is limited to the data and functions needed (within the technical limitations of the system). Training helps ensure that users with ePHI access know how to use the system(s) correctly so that they do not inadvertently corrupt data, and so that they behave in ways that prevent unauthorized access. Contingency plans including backup and recovery processes preserve data integrity in case of a system disaster.


Physical mechanisms

This organization's facility security plan (see XXX) and data center protections such as entry locks, backup power supply, temperature controls, and fire-suppression tools help preserve ePHI integrity.


Technical mechanisms

This organization's systems containing or using ePHI employ the following features that help ensure data integrity:

  • Application-level edits on data entry fields
  • Entry fields using drop-down menus of codes instead of using free-format data entry
  • Double-keying of critical data entry fields such as manual lab results [Be sure to include only if applicable]
  • Record counters (input records, output records, error and exception records) and reporting
  • Audit trails recording access to, and activity within, the system
  • Method of recording all data adds/updates/deletes for disaster recovery


Additionally, this organization uses:

  • Antimalware software to prevent data corruption or destruction
  • Selective encryption to prevent unauthorized access (and, hence, lessen the possibility of data corruption) [Be sure to include only if applicable; refer to documentation of what/where/how encryption is used]
  • Selective file-integrity checking [Be sure to include only if applicable; refer to documentation of what product, such as Tripwire, and what files are checked, etc.]
  • Standard error-correcting memory and disk storage
  • Database integrity checking [Be sure to include only if applicable; refer to documentation of where/what/how]
  • Standard network protocols containing integrity and error-checking mechanisms such as CRC (these detect accidental corruption only; an attacker who changes data can simply recompute the checksum)
  • Message hashing, keyed (HMAC) or digitally signed where tampering rather than accidental corruption is the concern, since an unkeyed hash can likewise be recomputed by whoever modifies the message [Be sure to include only if applicable; refer to documentation of where/what/how]
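The last three items above differ in what they actually guarantee. As an added example (written for this document, not this organization's controls or any product such as Tripwire), the code below shows a CRC catching a transmission error but accepting a deliberately altered lab result once the attacker recomputes it, an HMAC rejecting the same forgery because the attacker lacks the key, and a Tripwire-style file baseline that reports added and modified files. The record, key and file contents are constructed.

```python
"""Integrity mechanisms compared: CRC, keyed message authentication, and a
file-integrity baseline. Added example, not the organization's controls; the
key, record and file contents are constructed."""
import hashlib
import hmac
import zlib

TAG_LEN = 32  # SHA-256 output length


def crc_protect(data: bytes) -> bytes:
    """Append a CRC-32. Detects accidental corruption only."""
    return data + zlib.crc32(data).to_bytes(4, "big")


def crc_verify(blob: bytes) -> bool:
    data, tag = blob[:-4], blob[-4:]
    return zlib.crc32(data).to_bytes(4, "big") == tag


def hmac_protect(data: bytes, key: bytes) -> bytes:
    """Append an HMAC-SHA256 tag. Without the key an attacker cannot produce
    a valid tag for modified data."""
    return data + hmac.new(key, data, hashlib.sha256).digest()


def hmac_verify(blob: bytes, key: bytes) -> bool:
    data, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, data, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)  # constant-time comparison


def flip_bit(blob: bytes, index: int) -> bytes:
    """Simulate a transmission error: flip one bit of the payload."""
    b = bytearray(blob)
    b[index] ^= 0x01
    return bytes(b)


def forge_crc(blob: bytes, old: bytes, new: bytes) -> bytes:
    """Attacker edits a field and recomputes the CRC; no secret is needed."""
    data = blob[:-4].replace(old, new)
    return crc_protect(data)


def forge_hmac(blob: bytes, old: bytes, new: bytes, guessed_key: bytes) -> bytes:
    """Attacker edits a field and recomputes the tag with a guessed key."""
    data = blob[:-TAG_LEN].replace(old, new)
    return hmac_protect(data, guessed_key)


def file_baseline(files: dict) -> dict:
    """Tripwire-style baseline: file name -> SHA-256 of its content. Keep the
    baseline where the monitored host cannot rewrite it."""
    return {name: hashlib.sha256(content).hexdigest() for name, content in files.items()}


def file_changes(baseline: dict, files: dict) -> dict:
    """Compare the current files against the stored baseline."""
    current = file_baseline(files)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(n for n in baseline if n in current and current[n] != baseline[n]),
    }


# Constructed lab-result record and key (not real data). In practice the key
# is generated randomly and held only by the two communicating systems.
RECORD = b"mrn=000123456;test=HbA1c;result=7.2%"
KEY = b"\x7f" * 32

if __name__ == "__main__":
    crc_blob, mac_blob = crc_protect(RECORD), hmac_protect(RECORD, KEY)
    print("bit flip caught by CRC:", not crc_verify(flip_bit(crc_blob, 3)))
    print("forged CRC accepted:", crc_verify(forge_crc(crc_blob, b"7.2%", b"5.2%")))
    print("forged HMAC accepted:",
          hmac_verify(forge_hmac(mac_blob, b"7.2%", b"5.2%", b"guess"), KEY))
```

The same reasoning applies to the file baseline: the digests themselves are unkeyed, so the baseline file must be stored out of reach of an attacker who has write access to the monitored system, or signed, otherwise it can be regenerated to match the tampered files.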