It’s no secret that data encryption continues to be an IT security sore spot in the healthcare industry, but some recent Forrester Report findings reaffirm that endpoint security is a critical issue.
According to the Wall Street Journal, Forrester conducted a survey of 2,134 health IT pros and found that only 59 percent of healthcare IT professionals said they encrypt devices such as laptops, smartphones or tablets. Forrester analyst Chris Sherman, who wrote the report, told the Journal that 39 percent of healthcare security incidents since 2005 have included a lost or stolen device. “Endpoint data security must be a top priority in order to close this faucet of sensitive data,” he said.
Sherman said that some CIOs haven’t accounted for the value of patients’ Social Security numbers or credit card data when securing protected health information (PHI). Bundled patient identity and financial data, known as “fullz”, and the same bundle paired with fake credit cards or licenses, known as “kitz”, can bring hackers anywhere from $20 to $500. Sherman advised that healthcare providers strengthen their encryption practices and virtualize desktops and applications instead of storing data locally on devices.
Forrester’s findings reflect the industry’s needs and line up with the 11 steps for securing mobile health data that the Department of Health and Human Services (HHS) released at the end of 2012. In addition to ensuring that users maintain strong passwords, HHS recommended that data on a mobile device be protected with a valid encryption process consistent with FIPS 140-2, the National Institute of Standards and Technology (NIST) standard covering the design and implementation of a cryptographic module.
FIPS 140-2 sets requirements in eleven areas: cryptographic module specification; cryptographic module ports and interfaces; roles, services, and authentication; finite state model; physical security; operational environment; cryptographic key management; electromagnetic interference/electromagnetic compatibility (EMI/EMC); self-tests; design assurance; and mitigation of other attacks.
Overall, as HealthITSecurity.com contributor Bill Kleyman noted in a 2013 article, organizations need to find new and innovative ways to secure their endpoints. These include mobile data-loss prevention (mobile DLP), device interrogation and geo-location services. But regardless of which new technology they choose, organizations should treat device encryption as a baseline task when onboarding new devices.