Business Associates and Mobile Security
Questions to Ask Vendors Handling Patient Info
To ensure compliance with the HIPAA Omnibus Rule, covered entities should demand that their business associates take certain security precautions to protect sensitive health information stored on mobile devices, says consultant Bill Miaoulis.
That's because even when healthcare organizations or their business associates encrypt their mobile computing devices, they often neglect other steps that can help prevent data breaches, says Miaoulis, founder of HIPAA Security and Privacy Advisors LLC, an independent consulting firm, in an interview with Information Security Media Group [transcript below].
Under the HIPAA Omnibus Rule, business associates as well as their subcontractors are liable for HIPAA compliance if they "receive, create, maintain or transmit protected health information on behalf of a covered entity."
So, when vetting their business associates, Miaoulis encourages organizations to inquire about security and privacy practices when handling protected health information.
"Where do you plan to store it?" he says. "How do you plan to secure it? Before I trust you with my patients' information, there's a risk to me because if someone gets it off your ... laptop, I'm the one that has to report it to the [Department of Health & Human Services]."
In the interview, Miaoulis also discusses:
- Why healthcare providers and business associates often fail to encrypt mobile devices;
- Common mistakes organizations make with encryption;
- Steps organizations can take to provide secure remote access to health data using mobile devices.
Miaoulis, founder of HIPAA Security and Privacy Advisors in Birmingham, Ala., has 20 years of experience in healthcare security, and he previously worked in the energy and banking industries. He was the first information security officer at UAB Health Systems in Birmingham, a post he held for almost seven years. He also was corporate information security officer and HIPAA consulting service leader at Phoenix Health Systems. Miaoulis is also author of the book, Preparing for a HIPAA Security Compliance Assessment, which was published by the American Healthcare Information Management Association.
Lack of Mobile Encryption
MARIANNE KOLBASUK MCGEE: As you know, many of the biggest health data breaches to date have involved unencrypted mobile devices. Why aren't health organizations and their business associates encrypting their mobile devices?
BILL MIAOULIS: I've asked that question numerous times myself. I've often joked that the three rules of security this year are encrypt, encrypt, encrypt. ... Nowadays, there are tools and techniques that make it so much easier ... whether it's the thumb drives or whether it's the actual laptop computers.
People sometimes will [raise concerns about] cost. Quite frankly, cost is no longer a problem because if you had to, if you're a small organization, there are some open-source encryption tools that you could use that meet the criteria. When I ask why they won't do it, I think they just don't realize that they have not done a good cost analysis, or a business impact analysis, and realize the resources required to implement encryption are small compared to the huge amount of fines and penalties, plus the loss of reputation [if there's a breach]. ...
Common Encryption Mistakes
MCGEE: What are the common mistakes that organizations make with encryption? And are those mistakes by healthcare providers much different from the mistakes that business associates make?
MIAOULIS: The biggest mistakes they're making if they encrypt is that they want to make sure that they're encrypting all data and have a process where people are not going around the encryption technology. I mentioned thumb drives. It's great to have encrypted thumb drives, but if I can go to any store basically and buy a USB drive, plug it in and get the data unencrypted, that's one of the common mistakes. Make sure that when someone plugs into your computer, the only device that is accepted would be the encrypted device, or you've done it through some level of policy and procedure. This is where it gets a little more complicated, but that's one mistake.
Another mistake is people will say, "My laptop is encrypted. My thumb drives are encrypted. But I'll just send this via an e-mail to my home." Now the data has left the healthcare organization in an unencrypted manner and now resides on the home computer, which creates many vulnerabilities and concerns for us in healthcare or any industry.
Business associates are just now learning that they need to follow good, sound security practices. Like anything, some of them know; some don't. Some know they're covered by HIPAA; some don't. It's that whole education, and this hopefully will help people realize that they need to say, "What is my risk, the unencrypted data that someone can get?" ...
Preventing Mobile Data Breaches
MCGEE: Besides using encryption, what else should organizations be doing to prevent breaches involving mobile gear?
MIAOULIS: There are a couple things. Some are just training users in simple techniques. I'll give a couple of examples in this area. One is if you're going from one location to another, you need to do the same thing as if it's your purse. Don't wait until you get to the venue to put your laptop in the trunk where someone can see you put it in; you do it from the point you leave. If you think about a woman putting her purse in, do that when you leave your house if you want to carry your purse but not take it in. Don't wait until you get to the venue and then put it where someone could see you opening the trunk and closing it. There's a training element to make people aware of not losing devices, encrypted or not. ...
There are other things, such as thinking about data, where it is and protecting it overall. We want to make sure that people don't write down their passwords and keep them with their laptop. In other words, if I find your bag and inside your bag you've got a listing of your passwords in a notebook, then they can certainly break the encryption and the risk would be too high.
Managing Mobile Access to Patient Info
MCGEE: What security steps should organizations take in terms of managing mobile users' access to patient data while they're using these devices? For instance, what kinds of ID and access management or authentication should be used when mobile devices are used to access patient data remotely?
MIAOULIS: ... There's not a consistent standard such as one-time passwords or tokens. ... If you consider what you see when you go into banking applications, that's more of where we're probably going, and some organizations get it. ... If it's the first time you have accessed a site from a mobile device, then you have to answer an additional question before you're allowed to authenticate. Even Facebook does this. ...
If you look at banking, sometimes when you log into their system to help prevent phishing, they'll say, "Is this your picture?" The picture might be a tennis racket; it might be a Greek column; it might be a fish; it might be a soccer ball. But they give you a choice of which ones you can look at every time you go to that banking site.
There are other controls that get implemented when you're going in and you're accessing something from a mobile device. Telling users the last time they were on is a huge thing, so then they would know they were breached. "Welcome back, Bill. You were last on this morning at 10." Well, this morning at 10 I was on an airplane, so I know it wasn't me. Then, who should I call to say someone may have tried to break in or did break in using my login? It wasn't me; it was an IP address we did not know. That's what that e-mail would say - someone logged into my account on a mobile device that had never been authorized before.
Addressing Business Associates
MCGEE: Any final advice on how healthcare providers and business associates can improve their mobile device security to prevent data breaches?
MIAOULIS: One thing I would really stress here is that the healthcare providers really work with their business associates. ... Make sure that the covered entity is saying, "Business associate, I'm sharing my data. Where do you plan to store it? How do you plan to secure it? Before I trust you with my patients' information, there's a risk to me because if someone gets it off ... your laptop, I'm the one that has to report it to HHS. I'm the one that has to report it to the local media. I'm the one that has to report it to the individual. I'm the one that takes a huge hit because people say, 'they're not protecting my data.' My hospital is the one. Tell me, business associate, why should I trust you with my data?"
Based on the size of the business associate, you may look for different levels of security, but you may want to say, "Business associate, you're not allowed to put my data on thumb drives. You're not allowed to put my data on laptops. You need to make sure you can give me some confidence." Based upon how you want to do that, make sure you're having that conversation. The more [that's] in writing, the better.