BYOD: Essential Security Steps
Staff Education, Mobile Device Management System Called Essential
Staff education and a mobile device management system are both critical to minimizing the risks involved in allowing staff at healthcare organizations to use personally owned devices to access patient information, says security consultant Tom Walsh.
"With the bring-your-own-device trend, I think one of the most important things is to educate the user on the risk," Walsh says in an interview with HealthcareInfoSecurity (transcript below). "You really need to take the time to explain why security controls are being implemented and how the controls can actually protect the organization as well as the individual user."
Unless users understand why security controls are essential for personally owned devices, Walsh says, "they'll just see these controls as being a barrier and they are going to find some other convenient work-around."
Walsh also stresses that all midsize and large healthcare organizations should implement a mobile device management system.
MDM systems help organizations enforce their mobile device security policies, he says. And that's particularly important in light of the movement toward allowing clinicians to use personally owned devices to access patient data.
"The only way you're going to enforce encryption on a personally owned device is to implement some type of mobile device management system," Walsh says.
MDM systems also offer detailed audit logs "which can be extremely useful if you do have a breach," he adds.
In the interview, Walsh also:
- Outlines the essential elements of a mobile device policy;
- Describes an approach for minimizing patient data stored on mobile devices;
- Emphasizes the importance of educating staff about the risks involved in sharing patient information via e-mail or text messaging.
Walsh, CISSP, is president of Tom Walsh Consulting, an Overland Park, Kan.-based firm that advises healthcare organizations on information security. He also serves as information security officer at San Antonio Community Hospital on an outsourced basis.
The Challenge of Mobility
HOWARD ANDERSON: Tom, is mobile security becoming a critical concern for more of your consulting clients? What are you hearing?
TOM WALSH: Oh yes, absolutely. This is a real challenge for most organizations because ... so many different types of mobile devices are being introduced into the marketplace all the time, and also you have new mobile apps that are being released as well. Unfortunately, I think many of the vendors of these mobile apps ... are going straight to the physicians or the clinicians and they are getting them sold on it. They buy these apps and then security really gets involved at the latter stages right before go-live. Then all of a sudden, you're trying to get the thing secured. ... So more and more, we see more devices, more apps, more use and more demand.
Use of Encryption
ANDERSON: We've seen dozens of major breaches involving the loss or theft of encrypted devices in the headlines, so why does this continue to be a problem? Why isn't the use of encryption for mobile devices more commonplace in healthcare?
WALSH: You would think they would have this one figured out. Since September of 2009, when the breach notification rule went into effect, I've been tracking the reported breaches that have affected over 500 patients. What I see is about 66 percent to 68 percent of all the breaches ... are attributed to theft or loss. What is being lost and stolen are laptops, tablets, smart phones, portable media - all the mobile devices that we're trying to talk about here. So you would think by now every device that has any kind of PHI [protected health information] would be encrypted, but they are not. From my own experience in working with lots of different clients, corporate-owned laptops, tablets, smart phones are usually encrypted. I don't see too many problems with that. Now portable memory devices, like USB thumb drives and external memory devices, not so much, [although] some organizations are better about encrypting those and providing users with encrypted devices.
But really, you hear the issue is that we have a lot of personally owned devices being introduced into the workplace, and really the only way you're going to enforce encryption on a personally owned device is to implement some type of mobile device management system.
Now there are some pros and cons to this, and the downside to this on the user's side is that, when an organization now forces them to do encryption or takes control in some way, shape or form of their smart phone, they now have some partial ownership of it. So you'll always get the users now calling the help desk saying, "My phone used to work until I installed your security software; now it doesn't work." And it could or could not be related, but that is the issue that we have to deal with.
The second thing with the mobile device management systems is that in some cases, you could potentially wipe out personally stored data on the device if you were to issue some kind of a wipe or a kill command. So, for example, a user misplaces it or can't find it, and you issue the wipe command and now all their stuff is gone and they are upset with you. We're talking about things like contacts, their e-mails, their pictures, whatever else they may have stored on the phone.
So to overcome this, most of the mobile device management systems I have seen today create some kind of a partition or a sandbox to isolate corporate data from personally owned data on the device. Now the problem with that is in order to access the corporate data, you've got to enter some other form of authentication - usually a password or a PIN - and users complain about this because now it is a hassle.
Also, I found that some of these older smart phones that are still out there either have really weak encryption or have no encryption capability. So that is a real issue as to why we see so many devices without encryption.
Mobile Device Policy
ANDERSON: So what do you consider to be the most essential elements of an overall mobile device security policy?
WALSH: Well, I have been telling people for a long time [to use], at a minimum, three controls. Number one is some type of power-on password or owner authentication that could be biometrics ... or a pattern that you punch in or a personal identification number or PIN. Number two, you really need to have some kind of automatic time-out or lock-out after the device has gone idle after a certain period of inactivity ... [perhaps] 10 minutes. And then, finally, encryption.
So even though you may have implemented the first two controls I talked about, passwords and time-out, you're not going to help yourself if you don't encrypt, because if somebody gets your phone maybe they can't get into it, but there is really nothing to stop them from taking your phone apart and popping out the memory, and that is why you need to have encryption. So those are the three that I tell everybody is the bare minimum you have to have.
Mobile Device Management
ANDERSON: You already mentioned mobile device management systems. The Department of Veterans Affairs recently announced a major investment in an MDM system. Should most healthcare organizations above a certain size be considering an investment in such a system? And what role can a mobile device management system play in preventing breaches involving mobile devices?
WALSH: In my opinion, any medium- to large-size healthcare organization really needs to consider implementing some type of mobile device management system. What I've seen, though, is that some organizations, especially those that are using Microsoft Exchange for their e-mail, are using ActiveSync as their mobile device management system. It does have some ability to enforce controls, but it's not a true mobile device management system. So what you are trying to do is enforce policies through some kind of technical controls and hopefully the goal here is to prevent some breach from occurring.
Where you have an advantage with a mobile device management system over something as simple as ActiveSync, is first of all, the encryption that ActiveSync enforces doesn't meet the FIPS 140-2 standard. And the second advantage is that a lot of the mobile device management systems provide detailed audit logs. That can be extremely valuable if you ever do have a breach. For example, there have been several breaches that were reported where the covered entity took almost the entire 60 days, the maximum allowed by the rule, to report it. Why? Well because a lot of them they had no clue what was on the device that was lost or stolen.
One of my favorite stories is a physician that had a briefcase stolen, and when the investigation was going on the question was asked, "Well, what all did you have in there?" One of the things he said was "a bunch of USB drives." And they asked, "Well, what is a bunch?" And the physician said, "I don't know, five, maybe seven." [And he was asked] what was on those USB devices. And he had no idea. No clue. ... So we had to go in and try to figure out what information was stored on each one of the USB devices. And that takes a lot of time.
So even if you have a device that was reported lost or stolen, how do you know with absolute certainty what data was in there? So really, I think the prudent thing to do is to implement these things [MDM systems] so you have some control. I think the legal term they call it is the "prevailing practice," which means, as more and more organizations implement a mobile device management system, if your organization isn't doing it, it could be viewed as being either careless or irresponsible. ...
ANDERSON: Other than mobile device management systems, what do you think are the most essential security steps to take in light of the BYOD trend?
WALSH: Well with the bring-your-own-device trend, I think one of the most important things is to educate the user on the risk. You really need to take the time to explain why these security controls are being implemented and how the controls can actually protect the organization as well as the individual user. Without a clear understanding of this for many users, they'll just see these controls as being a barrier and they are going to find some other convenient work-around.
One of the things that caught my attention recently was in May of this year, the United States Court of Appeals for the 9th Circuit held that an individual may be criminally convicted for knowingly obtaining health information in violation of HIPAA even if the individual did not know that the access was illegal. So this is really serious stuff. ... Users need to know what the risks are. ...
ANDERSON: What can organizations do to help minimize the amount of patient information stored on these mobile devices to help minimize the risks?
WALSH: So one of the things that organizations are doing today to stop that storage is allowing access [to patient data] through what I would refer to as virtualization technology. Now, what I'm saying here is that they can get the access through either some kind of portal or some other tool, such as Citrix, so they can see the information and have access to it, maybe even manipulate it, but it never gets stored on their local device. The data is always going to reside on a server back in the data center. ... So that is what I'm seeing organizations doing. We can allow access to data for the appropriate people when they need it. They can get the access using just about any kind of device anywhere, but ... it doesn't get stored on their local device. It is always behind the protection of the data center. So I see that is where we're going with this.
Now ... I mentioned that most of the clients that I've seen are using Citrix to accomplish this, and that is an older technology and it works fine in some applications. The trouble that we have is that it's kind of ... clumsy. The Citrix solution wasn't designed for mobile devices, in particular smart phones. Then you also have these applications like an electronic health record [that] were designed to run on larger monitor screens. So how good does this look on a smart phone? Not so good. So we've got a ways to go there, but that is one of the goals I see - virtualization.
E-mail and Texting Issues
ANDERSON: Finally, mobile devices are widely used for e-mail access and texting. What policies should healthcare organizations have in place to make sure patient information isn't exposed in these e-mails or text messages? Is that a tough challenge?
WALSH: This is a really tough challenge because ... we talk about synchronization - getting your e-mail through synching up - and we can control that through a mobile device management system. Let's set all of that aside for a moment. Most organizations allow web access to their e-mail, which means that as long as you have a device - it could be a home computer; it could be a personally owned laptop, smart phone, anything - as long as you can get access to the Internet, you can get access to your e-mail. Most organizations allow people to send protected health information through an internal e-mail because it is secure. ... But how many organizations are allowing the web access, and how secure is that?
So I'm sending you an e-mail and let's say it has an attachment with some PHI in it. I'm thinking you are in your office securely working on your computer. In reality, you could be on any computer, any laptop, tablet or smart phone checking ... corporate e-mail in a web browser and then you are storing that data. So that is the real challenge there.
Text messaging is something else that we have to deal with. We've got physicians who tell nurses, "send me a text." Well, how are we making healthcare decisions based on a text message? How do we trust that the person who sends the message is truly the owner of the phone? As we talked about, if they are not using any of these security controls, anyone who has access to the phone could have access to the text messages. So beyond just the mobile device management, we have other areas, like texting and e-mail, where people can get this information stored on their devices.
ANDERSON: So does that mean secure e-mail of some sort is essential, and what about a text message policy? Should you just say, don't talk about patients via text?
WALSH: Well, as you know, telling people they can't do something in a policy only goes so far unless you can enforce it. I know several organizations that tried to tell physicians and surgeons, for example, don't put PHI in your calendar. Well, a lot of surgeons put their surgery schedule in a calendar system. Even though you tell them don't do it, unless you come up with a better solution for them, they'll probably continue to do it. So yes, you should put it in your policy, but you've got to find some other way to enforce it. And I think again it goes back to user education.
It takes a lot of the time, but if we teach people the right thing and they understand what the risks are, I think we will be better off. ... Focus on ... people, process and technology in that order. Unfortunately, what I find a lot of times is security people ... guide the technology and then that drives their process and then they force it on the people, and that is never a good way to go about it. So start with the users and find out why they are sharing this data, what can we do to get the message across to them, and find a better way to use these devices more securely.