December 2013
Take Steps to Ensure Mobile Device Security
By Gary Glover, CISSP, CISA, QSA, PA-QSA
For The Record
Vol. 25 No. 16 P. 8
Managing security in the face of new HIPAA regulations truly is a challenge. But managing patient data on a mobile device? It’s even more daunting.
Consider this scenario: A physician with a small practice downloads electronic protected health information (ePHI) to his personal tablet. He doesn’t have a mobile security policy, but he tries his best not to lose the device or download questionable material. Despite his best intentions, he is surprised when several months later he learns the seemingly innocuous flashlight app he downloaded has resulted in compromised patient records.
Many health care organizations are unaware of the regulations they’re required to follow and therefore can’t state with certainty whether they’re in compliance. In fact, only 15% believe HIPAA requirements specify the protection of regulated data on mobile devices, according to the Ponemon Institute.
Some organizations falsely assume PHI will automatically be protected because mobile devices are technologically advanced and marketed as being secure. Because some encryption is considered safe harbor under the HIPAA Security Rule, other organizations rely solely on device encryption without fully understanding how it is implemented or what it actually covers.
Risks of Using a Mobile Device
Loss and theft aside, there are several ways mobile devices can put PHI at risk. Other risks include lack of authentication, mobile malware, unsecured Wi-Fi networks, outdated operating systems, and accidental data disclosure through sharing the mobile device with friends, family, or coworkers.
No matter the type of technology, health care providers are obligated to protect PHI. If a smartphone or tablet is used to access, transmit, receive, or store information, it must have certain security precautions in place.
What You Need to Know About Passcodes
According to a 2012 Manhattan Research study, 62% of physicians use tablets for professional purposes. It may be convenient to use mobile devices as portable computers to access records at all times, but professionals must not allow convenience to outweigh security.
While it’s true that enabling a four-digit passcode will prevent patients waiting in exam rooms from getting into an unobserved office tablet, it may not keep a hacker from accessing PHI. Technically, a four-digit passcode takes at most 10,000 tries to crack, since there are only 10,000 possible combinations. Choosing a longer passcode and enabling the setting that wipes the device’s data after 10 failed passcode attempts will help avoid this problem.
In a best-practice scenario, mobile device passcodes should be at least eight characters, contain alphanumeric and special characters, and not contain dictionary words (such as nurse1 or ilovebaseball). Both Android and iOS devices allow users to bypass the typical four-digit PIN and implement these complex alphanumeric passcodes via a simple device setting change.
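The passcode guidance above can be turned into a simple check. The following is an added example, not code from the article or from SecurityMetrics: it sizes the guess space of a passcode (a four-digit PIN yields the 10,000 combinations mentioned above), tests a candidate against the best-practice rules (at least eight characters, letters plus digits plus a special character, no dictionary words such as nurse1 or ilovebaseball), and estimates a thief’s odds of guessing on the device before a 10-attempt wipe fires. The dictionary is a constructed stand-in for a real wordlist.

```python
import string

# Constructed stand-in for a real wordlist; a deployment would load a full dictionary.
DICTIONARY_WORDS = {"nurse", "love", "baseball", "password", "doctor", "patient"}

MIN_LENGTH = 8            # article's best-practice minimum length
WIPE_AFTER_FAILURES = 10  # the "erase data after 10 failed attempts" device setting

# character class -> (members, alphabet size used when that class is present)
CLASSES = {
    "digit": (set(string.digits), 10),
    "lower": (set(string.ascii_lowercase), 26),
    "upper": (set(string.ascii_uppercase), 26),
    "special": (set(string.punctuation), len(string.punctuation)),
}

def keyspace(passcode: str) -> int:
    """Candidates a guesser must cover: the combined alphabet of every character
    class present, raised to the passcode length (a 4-digit PIN gives 10**4)."""
    chars = set(passcode)
    alphabet = sum(size for members, size in CLASSES.values() if chars & members)
    return alphabet ** len(passcode)

def policy_violations(passcode: str) -> list:
    """Return the best-practice rules this passcode breaks (empty list = compliant)."""
    problems = []
    chars = set(passcode)
    if len(passcode) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not chars & CLASSES["digit"][0]:
        problems.append("no digit")
    if not chars & (CLASSES["lower"][0] | CLASSES["upper"][0]):
        problems.append("no letter")
    if not chars & CLASSES["special"][0]:
        problems.append("no special character")
    # Substring match catches "nurse1" and "ilovebaseball"-style passcodes.
    hits = sorted(w for w in DICTIONARY_WORDS if w in passcode.lower())
    if hits:
        problems.append("contains dictionary word(s): " + ", ".join(hits))
    return problems

def online_guess_success(passcode: str, attempts: int = WIPE_AFTER_FAILURES) -> float:
    """Probability a thief guessing on the device itself succeeds before the wipe."""
    return min(1.0, attempts / keyspace(passcode))

if __name__ == "__main__":
    for pc in ("1234", "nurse1", "ilovebaseball", "Rx!7mQ2#pz"):
        print(pc, keyspace(pc), policy_violations(pc), online_guess_success(pc))
```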
The Truth About Mobile Encryption
Encryption is an addressable implementation specification under the technical safeguards of the HIPAA Security Rule. If someone hacks into a device, encryption renders files useless to the intruder: without the key, they appear only as a string of indecipherable characters.
Many have heard about the encryption safe harbor rule that generally states if an encrypted device is lost, the organization isn’t required to notify Health and Human Services (HHS) of a security breach. HIPAA rules may not always state the specifics surrounding regulations, but they often do cite “industry best practices” as the standard by which they determine compliance.
Although HIPAA regulations don’t specify the encryption that falls under safe harbor status, industry best practice would be to use AES-128 or Triple DES (or better) encryption. Mobile encryption is encouraged, but it’s important to remember it’s not a failsafe. After all, most mobile devices aren’t equipped with safe harbor–qualified encryption.
For example, Apple’s Data Protection API encrypts the built-in mail app only on iPhones and iPads—and only after the user enables a passcode. Encryption does not apply to calendars, contacts, texts, or anything synchronized with iCloud. Some third-party apps that use Apple’s Data Protection API also are encrypted, but that’s rare.
Keep in mind that encryption is only as secure as the device’s passcode. If someone steals a mobile device, information protected by the Data Protection API remains encrypted only if the thief doesn’t know the decryption key, which is derived from that passcode. Android’s encryption works similarly, requiring the password to decrypt the device each time it’s unlocked. Additionally, if you back up a mobile device to a computer’s hard drive, ensure the backups are encrypted as well.
Though encryption on mobile devices doesn’t necessarily meet HIPAA best practice recommendations, there are other options for further securing a mobile device.
Ensure Employees Follow Security Policies
Does your organization have a mobile device use policy? If so, are you following it? If your organization allows staff members to bring their own devices, are they required to register them?
In every industry, employees accidentally or purposefully place regulated data at risk. More than 75% of employees may circumvent or disable security features on mobile devices that contain regulated data, according to the Ponemon Institute. It’s important for an organization to develop and implement appropriate mobile security policies.
The following are issues to be addressed in HIPAA mobile security policies:
• mobile password length requirements;
• procedures to enable available mobile encryption on all devices;
• ePHI storage and access policies;
• stolen/lost device procedures;
• bring-your-own-device regulations; and
• noncompliance accountability.
Don’t be an organization that creates policies only to forget or ignore them soon thereafter. Regular policy training, which helps employees remember organizational guidelines, is an important component of any worthwhile mobile security program.
Update Operating Systems and Apps
Older operating systems and app versions tend to contain known bugs and outdated encryption implementations. They also are unlikely to be considered best practice by the HHS. Just like computers, mobile devices must be updated often to eliminate any software or hardware vulnerabilities found after initial release.
It’s important to note that updates must occur for each app installed on the device. If just one insignificant app that doesn’t even access ePHI is vulnerable, it may be possible for cybercriminals to exploit its weakness and retrieve all of the device’s data.
Fortunately for health care employees, updating mobile device operating systems and software often is simple and doesn’t take a lot of time.
Your Best, Most Secure Option
Configuring a mobile device for only health care office use is a great option to secure smartphones or tablets. Under this strategy, the ability to install apps, connect to the Internet, access device settings, and make or receive calls is disabled. When the device is on, it’s dedicated to a single app used to access patient data.
Another HIPAA-compliant solution is to eliminate storing sensitive patient data on phones or tablets by accessing only data stored on other secure systems. Sensitive data could be stored on a private back-end server, where mobile devices could be used to access or display the ePHI. If the server is connected to a secure internal network and not exposed to the public Internet, this solution is fairly low risk.
If staff members need data access on a mobile device while outside the organization’s network, they should use an encrypted virtual private network (VPN) to create a secure tunnel back into the internal network. Unless an attacker has the correct credentials to connect to the VPN, data remain protected.
It’s also good practice to install a mobile vulnerability-scanning app. While not foolproof, such a scanning tool is an easy way to check for common vulnerabilities found on mobile devices so they can be remediated quickly, and to discover whether a device has been rooted.
Protecting and securing health information while using a mobile device is a health care provider’s responsibility. It should be part of a risk management plan that’s reviewed and updated annually.
— Gary Glover, CISSP, CISA, QSA, PA-QSA, is director of security assessment for SecurityMetrics.