healthcare byod

Healthcare BYOD can result in data security problems.

Brand Barney, SecurityMetrics
By: Brand Barney
Would it surprise you to learn that over 90% of healthcare organizations use mobile devices in some way in their practice? Maybe you already know that healthcare apps are becoming mainstream for doctors around the nation. (Fun fact: In 2013, there were over 97,000 health-related apps!)

Here’s the problem. Mobile devices, like smartphones, tablets, and laptops can present some serious vulnerabilities in healthcare organization networks.

What does that mean? Well, it means that patient data could be in jeopardy if mobile devices aren’t properly secured. And most aren’t. Most healthcare providers who use mobile devices aren’t putting in place appropriate privacy and security protections to secure patient data. Not to mention…unsecured mobile devices definitely don’t contribute to HIPAA compliance efforts.

How can providers, hospitals, etc. embrace the mobile future, but still remain secure? Keep reading to find out.

See also: 5 Tips to HIPAA Compliant Mobile Devices

Risks of healthcare mobile devices

Hmm, the risks of mobile devices to the healthcare industry . . . where to start?
  • Mobile devices are very easy to lose, and are extremely easy to steal by someone with bad intentions. I cannot count the number of times I have been in a healthcare environment and have seen mobile devices that could have easily been swiped without anyone noticing. That brings up an interesting thought: does that mobile device with PHI on it ever leave your organization?
  • The technology itself is valuable, and it has valuable data (patient information) on it.
  • Hardly anyone in healthcare uses a password to protect access into the smartphone or tablet.
  • Doctors typically don’t encrypt the emails they send or receive on mobile devices.
  • And then, there’s BYOD . . .
See also: Balancing mobile convenience and PHI security.

BYOD

When discussing mobile devices, there are two types in healthcare: the organization-purchased device dedicated only to and kept only at work, and doctors bringing in their own devices. Can you guess which is least secure?

Let me tell you why.

When a provider brings in his/her own personal smartphone or tablet to access patient data, that device does not have the organization's security controls in place, and is also made vulnerable by the other apps on the device. With each downloaded app, the risk grows.

(Did you know 85% of hospitals allow clinicians to connect personal devices to the hospital’s Wi-Fi?)

What about others who have access to that mobile device when the doctor isn’t in the office? I guarantee physicians, dentists, office managers, etc., let their kids play with their personal/work smartphone. What if the kid accesses patient data? Technically, that would be a HIPAA violation.

What if the kid or owner of the smartphone accidentally downloads a malicious app that logs what the user types? The next time the doctor accesses his patient data, that malware can steal the password to the EHR.

Because of all these issues that come along with the convenient BYOD strategy, there are a few precautions you should follow to comply with HIPAA and ensure patient data security.

How can I secure my mobile devices?

Honestly, the best mobile security advice I can give you is: don’t implement a BYOD strategy.

But in today’s world, that’s slightly impractical. Here are some mobile best practices for healthcare.

Follow common sense mobile security practices
There are some obvious things you should and shouldn’t be doing with a mobile device that accesses patient data. For example:
  • DO accept all OS and app updates immediately. Just like computers, mobile devices must be patched often to eliminate software or hardware vulnerabilities found after initial release.
  • DON’T ever connect to unsecured Wi-Fi. Period. (Check out this post for more wireless security best practices.)
  • DO use discretion when downloading apps. Even if apps look legitimate, they may be infected with malware that could compromise patient data, and cause a serious data breach.
  • DON’T use a jailbroken mobile device to access patient data. It weakens the security of the device, and may open holes that malware could sneak through.
  • DO make sure the devices you plug your mobile device into (e.g., your home computer, work laptop, etc.) are secure. If your computer isn’t secure, it could act as a portal for hackers to gain access to your mobile device.
  • DON’T forget to implement a password/pin on your mobile device. It’s not foolproof, but it’s another layer of security.
  • DO connect to your EHR via secured remote access (either a VPN or through two-factor authentication).
NIST mobile guidelines
Luckily, the National Institute of Standards and Technology (NIST) released some fantastic mobile guidelines for healthcare security engineers and providers that explain how tools can be used to secure patient information.

Here’s a summary of the most important takeaways from those mobile suggestions:
  • Mobile devices should be individually authorized to add, modify, remove, or access Protected Health Information
  • Passcode protection should be enabled
  • Encrypt mobile devices
  • Mobile devices should only access a specific Wi-Fi (WPA2) created for mobile devices
  • Each mobile device needs to be registered with the organization
  • Enable certificates to help prove the authenticity of users and devices
  • Enable security policies for mobile security
  • Use role-based access
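To show how the common-sense practices and the NIST takeaways above combine into a single access decision, here is an added example (not code from the post or from SecurityMetrics) of a device-posture gate that an EHR front end could run before granting access. The network name, the role table, and the two device records are constructed for illustration.

```python
from dataclasses import dataclass

DEDICATED_WIFI = "clinic-mobile"          # hypothetical WPA2 network reserved for mobile devices
ROLE_PERMISSIONS = {                      # role-based access: what each role may do with PHI
    "physician": {"access", "add", "modify", "remove"},
    "office_manager": {"access"},
}
@dataclass
class DevicePosture:
    device_id: str
    registered: bool          # enrolled with the organization
    passcode_enabled: bool
    storage_encrypted: bool
    jailbroken: bool
    os_patched: bool          # all OS and app updates applied
    cert_valid: bool          # device certificate proves its identity
    wifi_ssid: str
    wifi_security: str        # e.g. "WPA2" or "open"
    remote_access: str        # "vpn", "2fa" or "none"

def evaluate_access(p: DevicePosture, role: str, action: str):
    """Return (allowed, reasons); every failed control is listed so the owner sees the full fix list."""
    reasons = []
    if not p.registered:
        reasons.append("device not registered with the organization")
    if not p.cert_valid:
        reasons.append("device certificate missing or invalid")
    if not p.passcode_enabled:
        reasons.append("passcode protection disabled")
    if not p.storage_encrypted:
        reasons.append("device storage not encrypted")
    if p.jailbroken:
        reasons.append("jailbroken device")
    if not p.os_patched:
        reasons.append("OS or app updates pending")
    if p.wifi_ssid != DEDICATED_WIFI or p.wifi_security != "WPA2":
        reasons.append("not on the dedicated WPA2 mobile network")
    if p.remote_access not in ("vpn", "2fa"):
        reasons.append("EHR reached without VPN or two-factor authentication")
    if action not in ROLE_PERMISSIONS.get(role, set()):
        reasons.append(f"role '{role}' not authorized to {action} PHI")
    return (not reasons, reasons)

# Constructed samples: a compliant clinic-owned tablet and a physician's personal phone.
CLINIC_TABLET = DevicePosture("tab-01", True, True, True, False, True, True,
                              DEDICATED_WIFI, "WPA2", "vpn")
PERSONAL_PHONE = DevicePosture("byod-07", False, False, True, False, False, False,
                               "HomeNet", "WPA2", "none")
```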
Download a free security app
NIST gives some great guidelines to secure healthcare’s mobile devices. It might be prudent to add another: download a security app on your phone. For example, MobileScan is a free app for either Android or Apple that will help you identify the risks on your specific smartphone or tablet.

Remember: mobile is still very insecure

Consider this my disclaimer:

Mobile devices are among the least secure technologies out there. Because they are so interconnected, because downloading apps is so easy, and because they lack most of the hardware protections that typical computers have, they are still considered very weak devices.

It is important to remember that many healthcare organizations are losing data in droves by failing to protect their mobile devices and failing to train their employees on how to protect them.

Don’t let your devices (and patient data) walk out the door!
That being said, follow the best practices I’ve outlined above, and you should significantly lessen the risk of a mobile device being the gateway to a patient data breach.

Brand Barney (CISSP, HCISPP, QSA) is a Security Analyst at SecurityMetrics, has over 10 years of data security experience, and will totally geek out if you mention Doctor Who. Brand loves to play jazz piano and daydreams about being as great as Dave Brubeck or Thelonious Monk. Connect with him on Twitter or check out his other blog posts.
