ePHI Mobile Security Best Practices

Research Finds PHI Can Be Compromised in One Minute

Brandon Barney, CISSP
Security Support Manager, SecurityMetrics
Follow him on Twitter @Brand_Barney

Hundreds of thousands of physicians use mobile devices to access, edit, or store sensitive protected health information (PHI). The problem is, mobile devices are far from secure, leaving PHI at serious risk. Because mobile developers allow security to take a backseat in the development process, healthcare organizations need to step up and assume their devices need extra protection or configuration.

Since the very first handheld mobile phone, mobile devices have been about increasing user convenience but rarely about increasing security. Now that mobile devices organize the most important details of our business lives on a wireless data network, security is high on the wish list, but near impossible to achieve with today’s ‘make-it-fast-and-easy’ mindset.

Because mobile devices are almost always connected to the Internet, they are exposed to a constantly evolving and highly technical set of threats designed to steal your sensitive data. For example, Android app markets are highly unregulated. Through such markets, criminals can easily publish malicious new apps or repackage old apps with malware to steal data accessed on a mobile device. iOS users aren’t exempt either. Recent research found that iPhones and iPads could be compromised within one minute of plugging into a malicious USB charger.

No matter the type of technology a healthcare provider is using, under HIPAA regulation organizations are obligated to protect PHI on that piece of technology. Unfortunately, only 15% of healthcare organizations believe HIPAA laws specify the protection of regulated data on mobile devices. (Ponemon Institute, 2013)

If a smartphone or tablet is used to access, transmit, receive, or store information, it must have certain security precautions in place. Here are eight best practices for securing a mobile device in order to protect PHI.

  1. Use discretion when downloading apps. Malicious software infects mobile devices by acting as a Trojan horse inside an app. Even apps that look legitimate may be infected.
  2. Implement employee usage policies and training. Policies and regular trainings help uninformed employees follow the security precautions you have in place.
  3. Accept all OS and app updates immediately. Just like computers, mobile devices must be patched often to eliminate software or hardware vulnerabilities found after initial release.
  4. Be wary of public Wi-Fi hotspots. Internet traffic can easily be intercepted on unencrypted public Wi-Fi. If you’re away from a secured network, use your provider’s 3G or 4G data connection, as most providers encrypt cell traffic.
  5. Log off sites. Closing a mobile browser does not log you off a website. If your device is stolen, a thief can log in to your accounts and access the data.
  6. Never save usernames or passwords in your mobile browser. Saved information allows quick hacker access to sensitive information on financial or personal sites.
  7. Download a mobile vulnerability scanner for your mobile device. A mobile vulnerability scanner, such as SecurityMetrics MobileScan, can check a device for security holes that may grant access to hackers.
  8. Ensure your business associates (BA) are also secure. Does your HIPAA BA agreement regulate the mobile data accessible on their mobile devices? Does it specify the importance of mobile security and state consequences for unprotected data?
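Practice 5 above rests on a point worth seeing in code: a web session lives on the server, so closing the browser on the phone tells the server nothing, and the session cookie still held on a stolen device keeps working until the server invalidates it. The following is an added example written for this article, not code from the author or from SecurityMetrics. It is a minimal server-side session store in which an explicit logout destroys the session and an idle timeout retires forgotten ones; the timeout values, the `clinician_01` user id and the fake clock are constructed for the demonstration.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Assumed policy values for this example; a real deployment sets its own.
IDLE_TIMEOUT_SECONDS = 15 * 60          # session dies after 15 minutes of inactivity
ABSOLUTE_TIMEOUT_SECONDS = 8 * 60 * 60  # ...and unconditionally after 8 hours


@dataclass
class Session:
    user: str
    created_at: float
    last_seen: float


class SessionStore:
    """Server-side record of who is logged in. Only the server can end a session."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock
        # Keyed by a hash of the token so a leaked store dump does not leak usable cookies.
        self._sessions: Dict[str, Session] = {}

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def login(self, user: str) -> str:
        """Issue a fresh random token; this is what the browser keeps as a cookie."""
        token = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[self._key(token)] = Session(user, now, now)
        return token

    def validate(self, token: str) -> Optional[str]:
        """Return the user for a live session, or None if it is unknown or expired."""
        key = self._key(token)
        session = self._sessions.get(key)
        if session is None:
            return None
        now = self._clock()
        idle_expired = now - session.last_seen > IDLE_TIMEOUT_SECONDS
        absolute_expired = now - session.created_at > ABSOLUTE_TIMEOUT_SECONDS
        if idle_expired or absolute_expired:
            del self._sessions[key]
            return None
        session.last_seen = now
        return session.user

    def logout(self, token: str) -> bool:
        """Explicit logout: remove the server-side record so the cookie becomes worthless."""
        return self._sessions.pop(self._key(token), None) is not None


class FakeClock:
    """Constructed clock so the scenario below is deterministic."""

    def __init__(self, start: float):
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def demo() -> Dict[str, bool]:
    """Walk through the three situations from practice 5 and report whether the cookie still works."""
    clock = FakeClock(start=1_700_000_000.0)
    store = SessionStore(clock=clock)
    token = store.login("clinician_01")  # constructed user id
    results: Dict[str, bool] = {}

    # 1. Closing the browser is purely a client-side event; the server never hears about it.
    clock.advance(5 * 60)
    results["valid_after_browser_closed"] = store.validate(token) is not None

    # 2. An explicit logout removes the server-side record; a copied cookie is now useless.
    store.logout(token)
    results["valid_after_logout"] = store.validate(token) is not None

    # 3. A session nobody logged out of still dies once the idle timeout passes.
    token = store.login("clinician_01")
    clock.advance(IDLE_TIMEOUT_SECONDS + 1)
    results["valid_after_idle_timeout"] = store.validate(token) is not None
    return results


if __name__ == "__main__":
    for scenario, still_valid in demo().items():
        print(f"{scenario}: {'still logged in' if still_valid else 'logged out'}")
```

The first result is the one practice 5 warns about: the token a thief finds on a device whose browser was merely closed is still accepted. The other two show the mitigations a site and its users control: logging off explicitly, and a server-side idle timeout that limits how long a forgotten session stays usable.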

Healthcare entities using mobile devices should be on high alert. As more and more physicians use these devices to access PHI, hackers will continue to adapt their strategies to gain the most sensitive and profitable patient information.

Brandon Barney is Security Support Manager at SecurityMetrics, an industry leader in compliance and data security that provides the technology needed to comply with HIPAA requirements and protect mobile devices. Follow them on Twitter @SecurityMetrics.

Visit SecurityMetrics at the 85th AHIMA Convention in Atlanta, Oct. 26-30.
Exhibit Booth #537.