As threats to mobile devices in healthcare — think thumb drives, smartphones, tablets and laptops — continue to grow, the pressure to mitigate these risks is being put on the providers. The folks at ID Experts believe now is the time to assess your mobile strategy and take charge of PHI.
Here are 13 tips for fighting mobile device threats, as compiled by ID Experts and others.
1. Consider USB locks. These can be for your computer, laptop or any other device that may contain PHI or sensitive information, said Christina Thielst, vice president at Tower Consulting Group. A USB lock can help prevent unauthorized data transfer — whether uploads or downloads — through USB ports and thumb drives. "The device easily plugs ports for a low-cost solution and offers an additional layer of security when encryption or other software is installed," she said. "The locks can be removed for authorized USB port use."
2. Try geolocation tracking software or services. Rick Kam, president and cofounder of ID Experts, said this software is a low-cost insurance policy against loss or theft that can immediately track, locate or wipe the device of all data on it. "The majority of healthcare organizations currently lack sufficient resources to prevent or detect unauthorized patient data access, loss, or theft," he said. "And lost or stolen computing or data services are the number one reason for healthcare data breach incidents."
3. Brick the device if it becomes lost or stolen. "In the last year, we have seen greater acceptability among employees of 'remote wipe' processes that 'brick' the entire device when it's lost or stolen, rather than just wiping the encrypted silo of corporate information, for example," said Jon Neiditz, partner at Nelson Mullins Riley & Scarborough LLP. The reason, he continued, that bricking the device is more acceptable is because personal data is now more frequently backed up in cloud storage, "so the bricking of the entire device doesn't result in data loss," he said.
4. Encrypt, encrypt, encrypt. All mobile devices, including often overlooked hardware, such as USB drives, should be encrypted if they are going to be used remotely, said Chris Apgar, president and CEO at Apgar and Associates. "The cost of encryption is modest and is sound insurance against what has been demonstrated to be a significant risk to healthcare organizations," he said. "Most breaches do not occur because of cybercrime – they are associated with people."
5. Forget about 'sleep mode.' According to Winston Krone, managing director at Kivu Consulting, most of the leading encryption products that organizations are "routinely installing" are configured so that once the password is entered, the laptop is unencrypted, and therefore unprotected, until it's powered down. "Simply putting the laptop into 'sleep' mode doesn't cause the encryption protection to kick back in," he said. "A laptop that is stolen while in 'sleep' mode is therefore completely unprotected."
6. Recognize that employees will use personal devices. This is true even if it's contrary to policy, said Adam Greene, partner at Davis Wright Tremaine LLP. "Healthcare organizations should consider documenting this risk in their risk assessments, identifying the safeguards in place to limit the inappropriate use of personal devices," he said. To further reduce this risk, he continued, consider the root cause of the problem. "What benefits are personal devices offering to employees that the organization's systems are lacking?"