How to ensure a lost mobile device won’t cause a data breach
A practical look at information technology issues and usage
Physicians who own mobile devices should make the following assumption: If they lose a smartphone or tablet, someone is going to try to see what’s on it.
With an estimated 80% of physicians using a mobile device on the job, a lot of patient data is vulnerable to breaches unless steps are taken to protect it. Data encryption is the one thing that protects physicians from having to report a breach if data go missing. But ensuring data encryption on a mobile device can be a little tricky. At the least, there are other ways to help ensure that data aren’t accessed if you happen to leave your phone behind in a taxi or at a restaurant.
“It’s very tempting, when you get something, to look at it,” said David Finn, health information technology officer for Symantec, an Internet security software firm. “So the easiest thing to do is make it a little harder for people to look at it.”
This year, employees at Symantec “lost” 50 smartphones across five cities as an experiment to see what people would do with the found devices.
Finders attempted to return half of the 50 phones. But 96% of the people who attempted to return a phone looked at data stored on it, said Kevin Haley, director of product management for Symantec Security Response.
Some of it could be chalked up to them looking at data in an attempt to find the owner, he said. But the owner was clearly identified in the contact list, and other data were accessed even after the contact list was opened. Eight out of 10 finders overall tried to access corporate information that was clearly identified with labels such as “HR Salaries” or “HR Cases.” In addition, 43% tried to access bank accounts from a banking app; many who initially received error messages went back for more attempts after finding a file labeled “saved passwords.”
How to protect mobile data
Encryption is a little more complex when used in conjunction with a mobile device because of the varying types of data that are sent, received and stored, and the varying types of technology.
For larger practices and hospital groups undergoing an organizationwide deployment of mobile devices, a mobile device management firm will take the lead in compliance issues. But there are several steps physicians and small practices can take to help ensure compliance with the Health Insurance Portability and Accountability Act privacy and security provisions.
The first step is picking the right device. Finn said explaining to the mobile device vendor exactly what you will use the phone for and what you need to have encrypted will help them better match you to the appropriate phone and/or security apps.
Encryption is a security feature that uses unique “keys” that can be unlocked using passcodes, passwords or other means to ensure information and data are only viewable or accessible to key holders. Phone calls can be encrypted by scrambling the communication to anyone outside the two people on the call.
Some devices have encryption for all or some of the data included in the phones. Others require downloading apps to provide the service. There are many available apps in each device’s app store that can be purchased or downloaded. Finn said some of the available apps are great, and others are not so good. Some can be cumbersome to use or hard to understand. Reading reviews at the app stores and getting advice from previous users and employees at the mobile phone companies will help find the best solutions.
Once you have the appropriate device and necessary encryption or security apps, the first layer of defense against snoops is a passcode lock for the device. Though a four-digit passcode isn’t foolproof, it does offer good protection, especially if it’s set up to lock or remotely wipe the device after a pre-set limit of failed login attempts has been reached.
Without a limit, “you can enter a password 3,000 times and it just keeps letting you try. With four characters, someone’s going to get it if they want in that badly,” Finn said.
The ability to remote wipe a lost device is also crucial to security, Finn said. However, users must be aware that a remote wipe would wipe not only any personal health information on the device but also any contacts or personal data that were not backed up.
Once a layer of protection has been placed on access to the phone itself, physicians can take security one step further and add another layer between the main menu of the phone and access to confidential files and apps.
Many apps available for smartphones offer automated logins, which means that when you touch the icon to open the application, you automatically enter the website without having to provide a password. Requiring a login for applications that carry personal information belonging to either patients (a cloud-based electronic health record, for example) or the smartphone user will add another layer of protection.
The Symantec experiment, for example, found that 60% of finders of lost phones tried to access social media apps on the phones, which would have given them access to the device owner’s Facebook pages, Twitter feeds and all of the information found on those sites.
Lee Reiber, director of mobile forensics at the security firm AccessData, said users should not assume that data on a cloud-based app are safe. The data must be localized to read information on the phone. Therefore, data are residing on the actual device, if only temporarily. The Symantec experiment also found that about half of the phone finders attempted to open an app used for remote access to a company computer. Had they been successful, they could have accessed not only data on the smartphone and the desktop computer but also the internal network to which that computer was connected.
Reiber said physicians need to think about what happens to the devices after an upgrade. He recently conducted his own experiment, for which he bought five used phones from Craigslist and eBay. Information such as email accounts, contact lists, text messages and pictures with geolocation data was uncovered, despite being encrypted. In some cases, Reiber was able to restore passwords for email accounts that were active on the phones.
Even if users think they have protected the data, “anyone that has a forensic background or forensic tools can bypass these types of encryption,” Reiber said. These are the people who will be looking for used devices to buy. Before donating or selling a used device, Reiber said, users should restore the operating system back to the factory settings.
The Dept. of Health and Human Services has been pushing data encryption as a preferred method of data protection for some time. Under HIPAA, encryption is strongly encouraged and required unless there’s a technology limitation or some other compelling reason encryption is not possible. Federal law says the presence of encryption is a safe harbor that would negate a health care organization’s obligation to report a data breach. Practices should talk to their attorneys to help ensure that any privacy and security protections placed on their mobile devices are HIPAA-compliant.
In most cases, breaches happen not because people have malicious intent. The real lesson, Haley said, is that “people are not evil, but curious. So we really need to protect this data.”