- Hackers know that healthcare C-level executives have a lot to think about with mobile security and BYOD policies, including the volume of data flowing in and out of an organization, general absence of security controls and mixing of corporate and personal data. As Kevin Johnson, Founder and CEO of Secure Ideas, illustrated a few weeks ago at the HIMSS Privacy and Security Forum, it’s easy to get lost in the weeds when trying to keep track of all the different BYOD considerations.
Most healthcare CIOs or CISOs will begin working with mobile security by determining exactly where protected health information (PHI) resides and, from there, coming up with a BYOD strategy. While BYOD can certainly save organizations money on distributing corporate-owned devices, figuring out policy and control systems, incident management and knowing what’s on the device are not easy tasks for these healthcare security executives.
Johnson broke the two main privacy issues into the storage of data and transmission of data. Because data from mobile applications is stored in multiple places, it’s critical that healthcare organizations know exactly where those storage points reside. This could include the device itself, the computer synced with the device or even a file-sharing solution such as Box or Dropbox.
Communicating that data presents different types of problems, as there are various third-party sites out there and applications that use backend systems, all of which may not handle PHI securely. Further, not encrypting the data (many applications do not use encryption) or relying on HTTP is particularly worrisome because the data is exposed to sources that organizations may not even be aware of. For example, Johnson said that an organization may think that cloud data is encrypted, but in reality the data is BASE64 encoded.
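Johnson's point that Base64 encoding is not encryption suggests a simple audit check. The following Python is an added example (not code from the presentation or this article) that classifies stored field values as readable plaintext, Base64-wrapped plaintext, or genuinely opaque data; the sample record and the stand-in ciphertext bytes are constructed for illustration.

```python
import base64
import binascii
import math
import string

PRINTABLE = set(string.printable)

# Constructed sample values (not real PHI, not real ciphertext).
SAMPLE_RECORD = "Patient: Jane Doe, MRN 000123, Dx: hypertension"
ENCODED_RECORD = base64.b64encode(SAMPLE_RECORD.encode()).decode()
# Fixed random-looking bytes standing in for real ciphertext so the run is deterministic.
FAKE_CIPHERTEXT = base64.b64encode(
    b"\x9f\x3a\xc4\x11\xe7\x58\x02\xbd\x6c\xf0\x39\xa8\x5e\x77\xd1\x0c"
    b"\x88\x2e\xb3\x4f\xe9\x61\x1d\xa0\x55\xc7\x93\x06\xfa\x38\x8b\xd4"
).decode()


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: English text is roughly 4-5, ciphertext close to 8."""
    if not data:
        return 0.0
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def try_base64(value: str):
    """Return the decoded bytes if value is strictly valid Base64, else None."""
    try:
        return base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None


def classify_stored_value(value: str) -> str:
    """'plaintext' = readable as stored; 'base64-plaintext' = encoded but NOT encrypted;
    'opaque' = does not decode to readable text (real ciphertext, or a short token; review it)."""
    decoded = try_base64(value)
    if decoded is None:
        return "plaintext"
    try:
        text = decoded.decode("utf-8")
    except UnicodeDecodeError:
        return "opaque"
    printable_ratio = sum(ch in PRINTABLE for ch in text) / max(len(text), 1)
    if printable_ratio > 0.95 and shannon_entropy(decoded) < 6.0:
        return "base64-plaintext"
    return "opaque"


def audit_records(fields: dict) -> dict:
    """Classify every stored field so the encoded-only ones can be flagged for encryption."""
    return {name: classify_stored_value(value) for name, value in fields.items()}
```

Fields reported as "base64-plaintext" are the ones an organization may wrongly believe are encrypted.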
Another facet to the mobile security conundrum is application permissions. Johnson reminded the audience that each operating system (OS) behaves differently: on some, such as iOS, all applications are treated similarly, whereas on others, such as Android and BlackBerry, each application is granted its own set of permissions. He used an example of an Android permission interface, where the user is prompted when an application is installed and the permissions requested are listed, with specific permissions being red-flagged. Users can accept or reject the application’s permissions, but if they try to review and modify them after the fact, the application has already gained entrance into the OS.
Check out the entire presentation.