Did you know that 24,800 patients’ medical data could be exposed to abuse today? According to the Department of Health and Human Services (HHS), that is the number of people whose protected health information was breached per day on average in 2013.
While healthcare practitioners may not realize the black-market value of the data in their care, criminals certainly do. Clinicians and nurses may feel wary of security measures that might slow them down. But there are ways to improve mobile device security in a BYOD environment that will not cost precious moments in an emergency situation.
Update software promptly
Updating your software, particularly operating systems (OSes), browsers and any plug-ins, is one of the most important things you can do to minimize the vulnerabilities criminals can use to silently get into your machines. If you don’t already have auto-update enabled, as soon as you get a notice from your vendor, be sure to go directly to the vendor’s website or a reputable application store to get the update.
If you are protecting patient data, a password alone may not be enough, so consider implementing two-factor authentication. This can be a biometric such as a fingerprint or a one-time passcode that is sent to a digital key fob or a smartphone app. You can also increase your organization’s authentication security by mandating strong passwords that are changed quarterly. All digital devices should be protected with a passcode or biometric with a short time-out setting. That way, if a device falls into the wrong hands, the data is not easily accessible.
HIPAA offers a “safe harbor” loophole such that when you have properly encrypted data, both at rest and in transit, you may be able to avoid breach notification. Having encryption from the point it is sent to the point it is received minimizes criminals’ ability to get useful data, even if they do manage to breach your other defenses. Important data should be encrypted whenever it is not directly in use, meaning when it is stored on hard disks or flash memory devices, and any time it leaves machines, such as via email, instant messaging or short message service (SMS), or transmission to/from the cloud.
Conduct regular risk assessments
You should be doing a regular risk assessment to determine what defenses you need. The Office for Civil Rights (OCR), in charge of enforcing HIPAA, will also be looking for proof of a current risk assessment in case of an audit. Don’t forget to include mobile devices, such as smartphones and tablets, and non-Windows systems (especially Mac and Linux machines) in your assessment.
Choose your own device
Having the ability to use a mobile device to check on your work-related information is a huge boon for responsiveness. Yet, it also leads to a host of problems, as those devices are easily lost or stolen, and people’s personal devices may not be protected from malicious access or inadvertent data leakage. More offices are requiring that IT staff have access to employees’ devices, either by remotely managing these devices or offering employees the choice of a mobile device with IT rules already in place. Either way, IT staff are able to scan for problematic apps or links, log activity for audits, or remotely wipe the device in case it’s lost or stolen.
Use the “least privilege” principle
This principle simply means that no person, machine or system should have access to information they do not strictly need. For example, financial data should be in a different part of the network and logically separate from other machines and users who do not need to access it. And very few people should have administrator-level access rights on their own machine. Any time you can restrict access without disrupting people’s ability to do their job, you should.
Watch out for leaky data
There are many ways data can leak out of your organization that people may not consider. Mobile and wireless devices are common access points for data to leave your organization. Wi-Fi hot spots need to be properly secured, using WPA2 encryption. Using a virtual private network (VPN) can help healthcare practitioners create a private network connection between their personal devices and work resources. You may also wish to disable the ability to copy and paste or print from certain applications.
Compliance, as with regulations such as HIPAA, may conjure the mental image of someone bending over backwards to follow rules. But practicing good security should not make a healthcare practitioner’s job difficult. There are a lot of criminals out there who see healthcare data as easy pickings. Protecting patients’ information is simply another way of ensuring their health and safety, and with a few changes, the data becomes a much less attractive target.
Over the years, Lysa Myers, security researcher at ESET, has worked both within antivirus research labs, finding and analyzing new malware, and within the third-party testing industry to evaluate the effectiveness of security products. As a security researcher for ESET, she focuses on providing practical analysis and advice of security trends and events.