Keeping Mobile Health Data Secure: Making the Most of Encryption, Other Precautions
Breaches involving lost or stolen unencrypted mobile devices, especially laptops, continue to grab headlines. Of the 498 major breaches tracked by federal officials since September 2009, about 54 percent have involved lost or stolen unencrypted computers or storage media (see: Stolen Devices a Persistent Problem).
Given all the publicity about these breaches - and the fact that the loss or theft of an encrypted device doesn't have to be reported as a breach - why isn't the encryption of mobile devices more widespread?
For starters, identifying and wrangling all corporate and personally owned mobile devices used in a healthcare setting that are candidates for encryption isn't simple.
And then there's the challenge of addressing misperceptions about encryption. That includes concerns about high costs (the price has come down substantially in recent years), difficult implementation (sometimes it's as easy as turning on a factory-installed setting), and adverse impact on device performance (which some experts say is no longer a major issue).
"I've found that there is much misinformation and misunderstanding about encryption throughout the populations of doctors, nurses and other healthcare providers," says security consultant Rebecca Herold, who heads Rebecca Herold & Associates.
Some provider organizations, including Beth Israel Deaconess Medical Center in Boston, have determined that to energize efforts to encrypt mobile devices, they must launch a high-profile campaign. And a growing number of providers, including Henry Ford Health System and the Department of Veterans Affairs, are turning to mobile device management systems to help prevent breaches involving mobile devices.
In addition, minimizing the data that gets stored on mobile devices also can help prevent breaches.
When it comes to new devices that come equipped with encryption capabilities, making sure those settings are turned on before allowing network access should be made a matter of policy, Herold says.
"Current encryption solutions exist for mobile computers, such as laptops, and for storage devices, like USB drives, that are transparent to the user, don't noticeably impact response time and are very easy to use, in addition to being comparatively inexpensive," Herold says.
Encryption costs are small when compared with the cost of a breach, which "could ultimately cost an organization over $1 million" just for federal penalties for HIPAA non-compliance, she notes.
Putting encryption into practice soon will become easier, thanks to a rule for Stage 2 of the HITECH Act electronic health record incentive program, says Mac McMillan, CEO of CynergisTek, a data security and privacy services firm. The software certification rule requires that EHR software be designed to encrypt, by default, electronic health information stored on end-user devices.
"This forces encryption; you'd have to consciously turn it off," McMillan says.
A High-Profile Effort
For many healthcare organizations, especially larger ones, identifying devices that lack encryption and then making sure they're actually encrypted is proving to be a tall order. To help with the effort, Beth Israel Deaconess Medical Center is taking extraordinary steps to call attention to its encryption effort.
After an unencrypted laptop was stolen this spring from a physician office at Beth Israel Deaconess Medical Center in Boston, the organization put into place a mandatory encryption program for institutionally owned and personally owned mobile devices (see: Laptop Theft Spurs Encryption Ramp Up). In recent months, the medical center has set up several encryption depots on its Boston campus so that employees can bring their mobile devices in to ensure the gear is encrypted and up-to-date with anti-viral software and patches.
The medical center expects to complete encryption of all institution-owned mobile devices used to access patient information by the middle of this month, says John Halamka, CIO.
"In the next few weeks, we will be sending out a list of institutionally owned devices that have been encrypted to each manager and asking the manager to attest these are the only institutionally owned mobile devices in use within their area of responsibility," he says.
For personally owned mobile devices being used for medical center business, Beth Israel Deaconess will provide advice and assistance on initial encryption, Halamka says. "For the most part, the encryption solution of choice will be whatever is native to the device's operating system, for example FileVault or BitLocker. If nothing native is available, we'll suggest TrueCrypt, an open source product," he says. "We will require attestation of mobile device encryption when passwords are renewed."
Mobile Device Management
Besides encryption, some organizations are also turning to mobile device management systems to help prevent breaches involving portable devices.
For the last year, Henry Ford Health System, which operates five hospitals, a medical group and health plan in Michigan, has been using a mobile device management system from AirWatch. The MDM requires all mobile devices that access the organization's e-mail systems to have a screen lock with password protection that is triggered after a few minutes of inactivity, says Michael Starosciak, manager of client technical services.
Also, if a mobile device is lost, it's "unenrolled" from AirWatch, preventing further access to the organization's e-mail system and automatically erasing e-mail data from the device, Starosciak explains.
In addition, the health system requires employees to report a lost device immediately, so carrier service to the device can be stopped. The MDM system then remotely wipes all sensitive data from the device. If a personal device, such as a smart phone used on the job, is lost, the same policy holds.
For mobile devices that are shared among users, such as clinicians on different shifts, users can unenroll from AirWatch after their shift ends so that data is erased from the device before it's used by someone else.
Among the other organizations that are turning to mobile device management systems is the Department of Veterans Affairs. The VA this month awarded a $4.4 million contract to FirstView Federal Technology Solutions LLC, for an MDM system that will eventually support 100,000 VA-owned and personal devices (see: Details on VA's Mobile Device Mgt. Plan).
Beyond adopting encryption and implementing an MDM system, other steps organizations can take to help prevent breaches involving laptops and other mobile devices, Herold says, are:
- Storing as little protected health information on mobile computers as possible;
- Having well-written policies and supporting procedures for keeping mobile data secure;
- Using GPS or some other type of tracking mechanism to help locate a device if it's lost or stolen;
- Installing remote wiping software;
- Conducting regular security training and ongoing awareness communications;
- Performing spot audits of laptops to make sure they are up-to-date with software patches and anti-viral software;
- Updating a complete inventory of all laptops and other mobile devices.
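One way to turn the encryption attestation Halamka describes and Herold's spot-audit and inventory items into a repeatable check, as an added example that is not from the article or from any organization it names: it parses constructed sample output of the native tools (FileVault's fdesetup on macOS, BitLocker's manage-bde on Windows) and lists the inventory rows a manager cannot attest as encrypted. The exact output wording, the platform labels and the inventory tuple layout are assumptions.

```python
import re

# Constructed sample outputs (not captured from real machines); the wording is
# assumed to match `fdesetup status` (macOS) and `manage-bde -status C:` (Windows).
FDESETUP_ON = "FileVault is On.\n"
FDESETUP_OFF = "FileVault is Off.\n"
BDE_PROTECTED = (
    "Volume C: [OS]\n"
    "    Conversion Status:    Fully Encrypted\n"
    "    Percentage Encrypted: 100.0%\n"
    "    Protection Status:    Protection On\n"
)
# Fully converted but suspended: the volume key sits in the clear, so the data
# is readable without the TPM/PIN even though the volume "is encrypted".
BDE_SUSPENDED = BDE_PROTECTED.replace("Protection On", "Protection Off")

def filevault_enabled(output: str) -> bool:
    """macOS: `fdesetup status` prints 'FileVault is On.' when enabled."""
    return re.search(r"^FileVault is On\.", output, re.M) is not None

def bitlocker_protecting(output: str) -> bool:
    """Windows: require BOTH full conversion and protection on; a suspended or
    still-converting volume does not satisfy an encryption attestation."""
    fully = re.search(r"Conversion Status:\s*Fully Encrypted", output)
    prot = re.search(r"Protection Status:\s*Protection On", output)
    return bool(fully and prot)

CHECKS = {"macos": filevault_enabled, "windows": bitlocker_protecting}

def audit(inventory):
    """inventory: list of (device_id, owner, platform, tool_output).
    Returns the devices that can NOT be attested as encrypted, which is the
    list a manager reconciles against the device inventory."""
    noncompliant = []
    for device_id, owner, platform, output in inventory:
        check = CHECKS.get(platform)
        # No recognised native tool output: treat as unverified, never as compliant.
        if check is None or not check(output):
            noncompliant.append((device_id, owner, platform))
    return noncompliant

# Constructed inventory rows exercising the on/off/suspended/unknown cases.
SAMPLE_INVENTORY = [
    ("LT-001", "alice", "macos", FDESETUP_ON),
    ("LT-002", "bob", "macos", FDESETUP_OFF),
    ("LT-003", "carol", "windows", BDE_PROTECTED),
    ("LT-004", "dave", "windows", BDE_SUSPENDED),
    ("LT-005", "erin", "linux", ""),
]
```

Running `audit(SAMPLE_INVENTORY)` returns the three rows that fail (FileVault off, BitLocker suspended, no native tool output), which is the list to send to managers for attestation.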