Mobile devices—thumb drives, smartphones, external hard drives, tablets and laptops—are increasingly exposing protected health information (PHI) in the healthcare space, with threat risks growing, according to the Department of Homeland Security.
Mobile devices pose significant risks for privacy incidents for healthcare organizations, providers and entities responsible for safeguarding protected health information (PHI) under Federal HITECH and HIPAA regulations. Since patient data can be moved, processed and shared via personal cell phones and tiny USB flash drives, the Bring-Your-Own-Device phenomenon can wreak havoc on a hospital. To assist healthcare entities reduce privacy incidents resulting from mobile risks, 13 experts—representing legal, data breach prevention, technology, healthcare IT, and security—offer top tips for healthcare organizations. A complete list is available at http://www2.idexpertscorp.com/resources/BestPracticesChecklists/13-security-tips-to-combat-mobile-device-threats-to-healthcare/.
Click to Tweet: 13 Security Tips to Combat Mobile Device Threats to Healthcare #PHI http://bit.ly/Lg2faq via @IDExperts
13 Security Tips to Combat Mobile Device Threats to Healthcare
1. Install USB locks on computers, laptops or other devices that may contain PHI or sensitive information, to prevent unauthorized data transfer (uploads or downloads) through USB ports and thumb drives.
Christina Thielst, FACHE, Tower Consulting
2. Consider geolocation tracking software or services for mobile devices.
Rick Kam, CIPP, president and co-founder, ID Experts
3. Brick the mobile device when it is lost or stolen.
Jon A. Neiditz , partner, Nelson Mullins Riley & Scarborough LLP
Chris Apgar, CISSP, president and CEO, Apgar and Associates, LLC
5. Laptops put in “sleep” mode, as opposed to shutting them down completely, can render encryption products ineffective.
Winston Krone, managing director, Kivu Consulting
6. Recognize that members of the workforce may use personal mobile devices to handle protected health information, even if contrary to policy.
Adam H. Greene, partner, Davis Wright Tremaine LLP
7. Don’t permit access to PHI by mobile devices without strong technical safeguards: encryption, data segmentation, remote data erasure and access controls, VPN software, etc.
Kelly Hagan, attorney, Schwabe, Williamson & Wyatt
8. Educate employees about the importance of safeguarding their mobile devices. Dr. Larry Ponemon , chairman and founder, Ponemon Institute
9. Implement Electronic Protected Health Information (EPHI) security.
Christine Marciano, president, Cyber Data Risk Managers LLC
10. Healthcare organizations should work to get ahead “of the BYOD upgrade” curve by ensuring that the devices coming offline are adequately secured and checked before disposal or donation.
Richard Santalesa, senior counsel, Information Law Group
11. Have a proactive data management strategy.
Chad Boeckman, president, Secure Digital Solutions, LLC
12. Transparency and End User Consent Opt-In.
David Allen, CTO, Locaid Technologies
13. The mobile web and “app” landscape is not your father’s Internet.
Pam Dixon, executive director, World Privacy Forum
Homeland Security Highlights the growing Threats by Mobile Devices
The Department of Homeland Security issued a report Attack Surface: Healthcare and Public Health Sector , noting that security threats against mobile devices include introduction of spyware and other malicious software; loss of treatment records or test results; and theft of patient data. The report states, “Since wireless medical devices are now connected to medical networks, IT networks are now remotely accessible through the medical device.” The rapid adoption of electronic health records (EHRs) is accelerating the use of mobile devices in medicine. Mobile devices offer convenience and almost unlimited applicability to physicians and other medical professionals—communicating with patients, collaborating with colleagues (telemedicine), ordering drugs, and inputting patient data during visits. Patients use mobile technology to access to their medical information, to refill prescriptions, or make appointments.
Security Weaknesses Exist at Many Levels
“Security weaknesses exist at many levels. Mobile devices were designed largely for consumer use and lack the ‘mature security controls’ of large computer systems, according to the report, The Financial Impact of Breached Protected Health Information: A Business Case for Enhanced PHI Security ,” said Jim McCabe, senior director, standards facilitation, American National Standards Institute. “Low-security devices are used to access PHI on high-security networks, potentially causing privacy incidents. The portable nature of mobile devices also means they are easy to lose or steal. Unencrypted data on unsecured devices—data either stored ‘onboard’ or on a SIM card—are vulnerable to exposure.”
A complete list of 13 Security Tips to Combat Mobile Device Threats to Healthcare is available at http://www2.idexpertscorp.com/resources/BestPracticesChecklists/13-security-tips-to-combat-mobile-device-threats-to-healthcare/.