In many ways, conducting a risk assessment for mobile devices is similar to other IT risk assessments. But there are notable differences, says consultant Jeff Brandt.
The growth in the use of mobile devices, such as smart phones and tablets, within healthcare organizations, as well as the bring-your-own-device trend, introduce unforeseen threats that IT security practitioners must address. Conducting a risk assessment for mobile devices can assist in identifying those risks, says Brandt, who wrote a chapter on data security in the new book, "mHealth: From Smart Phones to Smart Systems," published by the Healthcare Information and Management Systems Society.
"If you have someone on your staff who understands mobile security, that's great," Brandt says in an interview with Information Security Media Group's Howard Anderson (transcript below). "If you don't, you should get one."
In an interview, Brandt also:
- Describes the role mobile device management systems and remote data wiping applications can play in improving security;
- Emphasizes the importance of requiring user names and passwords at the application level, and not just the device level;
- Advises healthcare organizations to avoid getting locked into using one mobile device operating system. "The new cool thing today may be out of date tomorrow," he notes.
Brandt is one of the founders and chief architect at Communications Software Inc., which provides mobile health cloud solutions, medical application architecture and development and mHealth consulting. He formerly was senior software engineer at CyberCash (now Verisign), an Internet credit card and payment processing company.
Mobile: Patient Privacy Risks
HOWARD ANDERSON: For starters, what do you see as the biggest risk to patient privacy posed by the use of mobile devices in healthcare?
JEFFREY BRANDT: The biggest risk of mobile devices is the compromise of our PHI, which is our protected health information. This is what I believe. We need to think more about the ROI of the PHI theft, someone who's going to take our health information. What's the real reason for stealing PHI? Organized drug seeking and medical coverage for treatment are two of the real reasons why people take health information. A drug seeker can hit a lot of hospitals in a region in a very short amount of time without even being detected, and then they can take the drugs that they've obtained and resell them on the street. The other thing is coverage. There are a lot of people out there that just don't have coverage, so if they take your identity and go to a hospital they can get coverage.
I would like to clarify the definition of mobile health devices for the audience. Basically it's any device that's portable and can be used to store, manipulate or transmit PHI, such as smart phones, thumb drives, tablets, laptops and even devices like defibrillators. Many patients and doctors are concerned about transmitting health data over the Internet. This is something that's done every day in other industries and one of the closest to it is the financial industry, and it's very safe if it's done correctly. The majority of our data breaches that happen in the U.S. and around the world are not perpetrated by some 16-year-old hacking in a third world country. It's facilitated by careless employees and an organization with poor mobile device management.
Mobile Device Risk Assessment
ANDERSON: How is a risk assessment for mobile devices different, if at all, than other types of IT risk assessments?
BRANDT: Well in many ways it's the same, but let's go over some of the areas of risk assessment to see where we see the differences. First, the environment of the mobile device itself, is it a contained environment? Is it inside a building? Is it secure? Is it a secure building? Are people going to take the devices home and carry them in their cars? Being mobile is the biggest difference in the type of assessments you're doing. You have a lot of different phones, a lot of different devices. One of the most secure systems that an organization can have is when they own, control and distribute the devices that the users are going to use.
There's a new trend in our industry that's called BYOD, bring-your-own-device. That's where a user provides his or her device and it connects to the infrastructure of the organization. This does add a lot of risk and management and complexity, but it can be done and it can be done safely. Being mobile itself is the difference ... today, one of the real risks is you can remove hundreds of thousands of records on a very small device like a thumb drive or a cell phone by plugging it into the system.
Next, we've got to know about the risk. We've got to understand the risk as I talked about earlier, and what's your mobile system or your mobile devices used for in your organization? Do you view PHI? Are you storing PHI or are you transmitting PHI? That's part of the assessment that you need to do to think about how to protect. There are also a lot of companies out there building systems to manage the security of mobile devices, and we won't talk about them today but they're available and you can check those out by looking on the web.
Also, you should know the local and the federal laws on data protection. These are changing very quickly, so this is something that your organization needs to keep up with. The policies, procedures and enforcement [completed] in your organization make the difference with mobile devices. You have to have a use policy in place and employees need to know about it, and so I would suggest anybody to make sure that you have regular meetings and make sure your employees know about these procedures and policies. You can have audits and some of these audits, are actually done by management software; some are done through paper and procedures. Then there are tactics to protect your devices, your data and your users' or patients' data. There are systems that you can buy inexpensively that will locate and lock a device down in the field and also wipe all the data off of the device so in case the devices are compromised, you can remove the data.
The other thing that I suggest that's very important is asset tracking. Make sure that you have a reconciliation process and procedure in place so you can keep up with the devices.
Storing Info on Devices
ANDERSON: Should healthcare organizations strive to minimize the amount of information stored on smart phones, tablets and other mobile devices to help minimize the risk? And if data is stored on the devices, should it always be encrypted?
BRANDT: It depends again on your situation. Storing PHI on these devices is really not an issue if it's done correctly. There's the issue. This is where the risk assessment and policies go hand-in-hand. You have to have somebody that's actually able to make this assessment - that the vendor that you're dealing with has provided what they said they're providing.
I always suggest strong encryption of PHI on mobile devices. The reason that most apps that are available today on the smart phone market don't have encryption is because of the complexity of the software to program and support - and quite frankly many of the developers that are doing apps don't have the skills to provide this type of security.
There's one more important reason why app developers are not employing security and that's the perception of ease-of-use for the consumer or the customer. There are many talking heads in the health industry, and in the app industry, who are demanding today that apps be easy and very fast. Passwords and user IDs add complexity for the user, and it takes more of the user's time to use the device to have to log in each time. There are patients and doctors who become impatient with security. ... There's just more and more complexity to everything we do. ... What we don't want to do is become complacent, because when we drop our guard and don't want to have the password, that's when the breaches occur.
ANDERSON: Is user name and password an adequate method of authenticating users of mobile devices, or should other methods be used?
BRANDT: Again, it will depend on the level of authentication that you deem as necessary for the application. It also depends on the devices. All smart phones have an initial password and user ID just to access the phone, and this goes the same for iPads and tablets. This doesn't provide very much data protection; as a matter of fact, it doesn't provide any at all. It's easy to bypass these top-level systems. App-level or software-level user name and passwords provide minimum protection for apps containing PHI, and I would suggest these in any app, so that when you get out of that app and then get back - even if you moved to answer a call - you should have to enter the password again because if you leave your phone in a call then your phone is open and your data is open.
The combination of protection is the best I would say. For instance, utilizing credentials to access PHI over a secure virtual private network is a good way to attack the problem. There are also many alternatives and many on the way - biometrics is one.
BYOD: Minimizing Risk
ANDERSON: As you mentioned, more organizations are beginning to accommodate the use of personally-owned mobile devices for business purposes or BYOD. What are some of the key steps involved in minimizing the risks involved in permitting the use of personally-owned devices?
BRANDT: As we all know, besides the risk, it brings a lot of benefit. BYOD brings a lot of benefits to organizations and their users. It costs organizations less and the user knows their device and I believe there's a big debate about the different types of devices - which is better. People should be able to pick their own device and then the software should be able to run on it. As I did mention, it does add complexity, and the facility must take care of this and assess risk. Policies and procedures, that's a huge barrier to problems with the BYOD. People do have users who decide to bring their own device and sign formal agreements that they're going to be responsible for the device. I would suggest ... requiring the data wiping capability be on the user phone as we talked about earlier, and consider installing remote management on the BYOD device.
The only problem about doing this is it tends to cut down on the amount of users that want to use their own devices, because the management is asking to download something onto their own device and there are some privacy issues there that haven't been all worked out by legal. Then training [is important, as well as] reminders of the policies that are in effect, and that may be something that's electronic that comes up when they log in that reminds them that this is a secured device. Then, probably the last thing is enforcement. We have to enforce our policies, because if we don't, then they'll be of no use.
Advice for Organizations
ANDERSON: Finally, what other security advice do you have for healthcare organizations that are expanding their use of mobile devices?
BRANDT: Mobile device technology is changing very quickly ... and it's affecting a lot of things in our lives, and a lot to the positive. One thing I would suggest is, don't get locked into a particular operating system, company or solution. Yes, the new cool thing today may be out-of-date tomorrow, so keep that in mind that you can work with multiple systems. ... HTML5 is coming on the market that will allow developers to develop for multiple client devices like smart phones, and then, with one single code base, distribute it to all their different devices. This makes management of devices much easier. Look for solutions that you can grow with.
Next thing is do your homework. That's probably one of the most important things because things are changing so fast. If you do have someone on your staff that understands mobile security, that's great. If you don't, you should get one.
Last thing, most breaches come from within. The majority of the breaches that are happening today are what I like to call "sneaker theft." The data just walks out the door. People don't lock up their thumb drives. They don't lock up their computers. They set their phones down on bars and they disappear. User policies and procedures are your best first line of defense.