Mobile devices such as smartphones, laptops and thumb drives are becoming increasingly vital to productivity, but your organization’s data could be at risk if one of these devices is lost or stolen. The amount of protected health information (PHI) that is transported through mobile environments is staggering and healthcare organizations have a responsibility to investigate security incidents and report PHI exposures. To protect the organization and its patients, it is crucial that IT staffs and privacy and security officers know what to do if a breach is suspected.
Having even a simple incident response plan in place that focuses on rapid identification and a coordinated response gives healthcare organizations important advantages in the fight against cyber crime. First, a plan allows IT to greatly reduce the time between the discovery of a possible exposure and the identification of any data that was compromised. Reduced response time can keep the data loss to a minimum and assists the organization in providing mandatory notification within the time frame allowed. In addition, a formal process gives IT the ability to quickly limit unauthorized access to the network and sensitive data, thus limiting the amount of information that may be exposed.
When an end user reports his or her mobile device as lost or stolen, a healthcare organization’s IT staff should immediately ask what patient data was on the device as well as what type of network or application access the device had. These questions matter because IT groups can’t assume they know which datasets and applications are resident on a mobile device. End users are an increasingly resourceful bunch, and many additions and changes are made once the device is issued. The device may also have been “jail broken” to remove manufacturer restrictions. Even in highly regulated environments, end users may have data stored in personal email accounts that sync with the device, in notepad applications or in platforms, such as Evernote.
Simultaneously, IT should also inquire if the individual had applications open or logged in when the device was lost. This information is helpful in gauging the likelihood that an unauthorized person can access the network or databases without entering a password or other login credential. Once the immediate situation has been handled, IT may also want to consider more comprehensive policies that limit how long a session lasts and require periodic authentication.
After IT has an initial view of the type of patient or other information that may be at risk due to the device’s loss, it’s time to bring general counsel into the loop. The legal department will be able to determine whether state or local breach notification laws apply, identify any regulatory requirements such as HIPAA and HITECH, then guide response activities accordingly. During an incident response, which may or may not include an investigation, General Counsel, IT, HR, management, PR, Information Security and any third-party consultants will need to coordinate and communicate carefully.
A critical requirement for mobile device security is the ability to remotely wipe data from any lost device. This should include deleting data as well as removing any applications or log-in credentials—those installed on the device by IT as well as any the end user may have downloaded themselves—that could provide a pathway into the organization’s network. This way, even if a phone or laptop is lost, anyone who finds the equipment ultimately ends up holding nothing more than a dead device. They don’t get sensitive data, and they don’t get access to protected networks.
Finally, the equipment should be removed from the list of devices authorized to login to the network, to access application portals and to download or upload data. Even if an end user assures you that his or her device was properly password protected, and even if you’re certain the remote wipe was successful, it’s important to close the loop and completely de-authorize the device from every protected location.
Deena Coffman, Chief Operating Officer of IDT911 Consulting, has broad experience providing guidance to clients adopting technology or building programs relating to data privacy, data security, and electronic discovery. She has led teams of computer forensics, information security and project management professionals, developed global technology and data management standards, negotiating complex technology contracts for cost and risk reduction, and led program audits and security assessments.