'Ethical hacker' calls BYOD a nightmare
Do you really want a 'personal device on a private network talking to 75 advertisers?'BOSTON | September 27, 2013From the November 2013 print issue
With bring your own device policies at healthcare organizations seeing an upward trend across the country, many say there's good reason to be apprehensive – resistant even – to the BYOD movement.
Kevin Johnson is one of those people. A self-described "ethical hacker," Johnson is the chief executive officer of network security consulting firm Secure Ideas. He spoke this week on BYOD security at the HIMSS Media/Healthcare IT News Privacy and Security Forum in Boston.
If he could have it his way, BYOD would go to the wayside, first because having protected health information on a device people regularly lose is just not sensible, and second, all the "sketchy" applications people download on their devices render the data even more unsecure.
"The security of these devices have been made even worse because of the applications we run on them," Johnson said. "The applications bring in the need for even more data."
[See also: 5 ways to succeed at BYOD.]
BYOD, he opined, is a slippery slope. Most people think about BYOD as a cost savings, he pointed out. "They start thinking about BYOD to make the users happy because they can use that gold iPhone 5."
Added Johnson, "We start having exceptions (like) you can't use your personal device except for Bill because he whined loud enough," and then it keeps moving forward with more and more exceptions. Very few people, however, actually understand the huge security implications. Very few healthcare providers consider the fact that they may have all their personal data wiped clean from the device if, say, a security or privacy breach were to occur.
"I do believe BYOD involved lots of drug use by your auditors and lawyers for them to accept it," Johnson said to a laughing audience. "There's just so many liabilities here."
Part of Johnson's job is to hack into company systems, find their security vulnerabilities and report back. And most often, he said, it proves far too easy of a task.
He pointed out a patient care record application he analyzed on his own time. The app allows a user to store all of his or her medical data in the app, but the app itself doesn't actually encrypt the data. When Johnson subsequently wrote to the developer and said, "Hey, you're not using encryption, and you have pretty sensitive information," the developer replied by saying that's up to the doctor or nurse to handle. "I'm not HIPPA-covered," he said. Johnson particularly noticed the incorrect way HIPAA was spelled, one of his biggest pet peeves.
[See also: VA moves to protect BYOD devices.]
Let's take another app example, he said, for instance a note-taking application for a nurse. "Where does it store the data? Did it block the permissions down to the data so another app on that phone can't read it?" The Flashlight app, for instance – what Johnson described as one of the most useless, and harmful in terms of the data it takes from your phone – is one app that takes virtually all the device's data.
And those charging stations set up in airports nationwide? Don't even think about, Johnson said. They do the same thing.
So, for the most part, it's common knowledge that the applications on personal mobile devices can render patients' health data vulnerable, but what are the policy implications? "Do you want Plants vs. Zombies on your network? I wouldn't," Johnson said. But can you really enforce a company policy prohibiting these apps? Probably not, he added.
BYOD, for Johnson, is essentially allowing a "personal device on a private network talking to 75 advertisers."
If healthcare organizations insist on adopting BYOD policies, which he strongly advises against, then they have to monitor the software, intercept the transmitted data and only allow the most secure mobile devices on the network?
What's considered the most secure mobile device? Johnson said, in all its irony, it's the BlackBerry.