Manage Mobility: How to Keep Data Secure as Mobile Devices Proliferate

Nearly every person uses a mobile device of some sort. Between laptops, tablets and smartphones, healthcare organizations trying to ensure that data of all sorts is used securely — from protected health information to patients' financial information — can run into challenges. Fortunately, a handful of best practices and some thoughtful planning will help to mitigate much of the risk.

 

Before launching any type of mobile device initiative, a thorough assessment should be conducted to determine the enterprise's existing network security protocols. The organization then needs to develop a detailed, deliberate and disciplined strategy and approach from planning through implementation to daily management of a mobile program. In addition, the scope of connected devices the team will likely need to support must be considered. Many of the steps that come later will be built on the foundation of the information learned — and the potential pitfalls spotted — during the assessment. Trying to answer baseline questions after a mobile device implementation already is underway may not only result in security issues that go undetected or unaddressed; enterprises could also find that resolving concerns later in the project is far more expensive than putting the right solution in place initially.

The foundation of a secure mobile device program is the selection and use of a suitable mobile device management (MDM) product that provides for centralized management of authorized mobile devices and systemically enforces security policies, capabilities and access requirements on the devices and networks. Without an adequate MDM, an organization's data security and IT systems can be at significant risk.

Some simple measures can also reduce the potential for data privacy breaches. Measures as simple as requiring that all connected devices be password-protected can be tremendously effective. Recent data shows that 64 percent of adults don't bother using any sort of screen lock on their smartphones, but the good news is that enterprises can require every device connected to the network to have a suitable password. It's a tool that healthcare organizations should absolutely take advantage of. Multi-factor authentication should be deployed to control access into high-risk areas of the network, but if a device is stolen or even just misplaced, a strong alphanumeric password can provide much-needed protection. Today, most mobile devices already come loaded with a suite of useful security tools that can be easily enabled. These include capabilities to encrypt the data on the device and locate or remotely wipe content if the device is lost or stolen. The use of encryption for sensitive data stored on mobile devices is extremely important — it is often the difference between a major "data breach" and simply a lost or stolen device with no other intrinsic value.

Network connectivity is another area to consider, and one that can be surprisingly difficult to control without a robust management plan and strict security practices. Users, typically in an innocent effort to improve the Wi-Fi signal near their workstation or to allow a long-time contractor the ability to log in via a non-corporate device, have been known to install wireless access points without IT's knowledge or blessing. A quick walk-through of the space may yield some useful insight into how widespread this practice is within a facility, and solutions that detect wireless signals can be leveraged if a deeper dive is needed.

Applications are the backbone of productivity, and every mobile device that connects to the network is running scores of them. Between the various online stores and other sources, there's a good chance that some devices are playing host to less-than-secure applications. Device management suites are available to control where users are able to download applications, and which applications are and are not allowed. Enterprises can also use these software platforms to manage the deployment of antivirus software, security updates, and patches to all mobile devices, so that every user has the latest protection tools. Devices that connect to the network also should be regularly scanned prior to allowing access to the network to ensure they're free of malware or other potentially harmful applications.
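As an added illustration (not code from the article or from any MDM product), the sketch below shows how the device requirements named above, screen lock and alphanumeric password, on-device encryption, remote wipe, current patches, a recent malware scan and application restrictions, can be evaluated as one gate before a device is allowed onto the network. The field names, policy values and sample devices are all hypothetical and constructed for the example.

```python
from datetime import datetime, timedelta, timezone

# Hypothetical policy values; set these from the organization's own standard.
POLICY = {
    "min_passcode_length": 8,
    "max_scan_age": timedelta(days=7),
    "blocked_apps": {"com.example.sideloaded-store"},  # constructed identifier
}

def compliance_failures(device, now):
    """Return the reasons a device should be denied network access."""
    failures = []
    if not device.get("screen_lock"):
        failures.append("no screen lock")
    elif (not device.get("passcode_alphanumeric")
          or device.get("passcode_length", 0) < POLICY["min_passcode_length"]):
        failures.append("weak passcode")
    if not device.get("storage_encrypted"):
        failures.append("storage not encrypted")
    if not device.get("remote_wipe_enabled"):
        failures.append("remote wipe disabled")
    if not device.get("os_patched"):
        failures.append("missing security updates")
    last_scan = device.get("last_malware_scan")
    if last_scan is None or now - last_scan > POLICY["max_scan_age"]:
        failures.append("malware scan missing or stale")
    bad = sorted(set(device.get("apps", [])) & POLICY["blocked_apps"])
    if bad:
        failures.append("blocked apps: " + ", ".join(bad))
    return failures

def admit(device, now):
    """Fail closed: an unreported attribute counts as non-compliant."""
    return not compliance_failures(device, now)

# Constructed sample inventory records (not real devices).
NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)
GOOD = {"id": "tablet-01", "screen_lock": True, "passcode_alphanumeric": True,
        "passcode_length": 10, "storage_encrypted": True,
        "remote_wipe_enabled": True, "os_patched": True,
        "last_malware_scan": NOW - timedelta(days=2), "apps": ["com.example.ehr"]}
BAD = {"id": "phone-07", "screen_lock": False, "storage_encrypted": True,
       "remote_wipe_enabled": False, "os_patched": True,
       "last_malware_scan": NOW - timedelta(days=30),
       "apps": ["com.example.sideloaded-store"]}

if __name__ == "__main__":
    for d in (GOOD, BAD):
        print(d["id"], "admit" if admit(d, NOW) else compliance_failures(d, NOW))
```

Returning every failed check rather than stopping at the first gives the help desk a complete remediation list for the user in one pass.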

Once a device is authorized to access the network, enterprises must control that device's upload and download of information. At this point, the range of devices under consideration expands quite a bit. No longer should IT administrators focus only on those devices that access data remotely. Instead, it's important to remember the other, more mundane devices on the network. Things such as flash drives and media storage devices — MP3 players, etc. — can wreak havoc with protected data if they're allowed to upload, download or store data without proper authorization. Consider the number of instances where PHI has been compromised because a laptop was stolen from an employee's car, or a thumb drive has gone missing. By limiting the ability to transfer data into and out of the network via mobile devices, healthcare organizations will have far greater control over the safety and security of the sensitive information they manage.

Data often lives on a device for some period of time, and organizations should establish protocols to ensure that outdated information or data that is no longer in use is deleted. Most people don't worry about clearing their device's memory until they don't have much memory left. When that time comes, the amount of data residing on the device is often too large to go through quickly. The result is that users delete just enough data to free up a little bit of memory, leaving much of the old data on the device. Then the cycle repeats. To protect information from exposure, it's crucial that healthcare companies establish procedures for deleting outdated or unnecessary data (and develop a process to ensure those procedures are followed).

No matter how an organization controls its devices' data access and storage processes, it's important to systematically enforce backups of every device connected to the network. If a device is lost or stolen, administrators can then definitively determine what information was on the device and either ensure it's safe in another location or modify access to the master data for increased protection. This step also provides substantial investigative and recovery information in the event of a breach.

Communication streams also are full of sensitive data. Fortunately, there are now applications available to encrypt documents, text messages, e-mails and nearly every other sort of communication going into or coming out of a healthcare organization. Secure messaging, a familiar concept to the majority of care providers, is just the tip of the iceberg when it comes to ensuring that information is accessed only by authorized individuals. And no matter where messages originate — a provider's office, a local coffee shop, a physicians' seminar, an airplane — administrators should have strong security controls over all types of messaging.

Organizations may choose to mitigate their data breach risk by granting access only to those devices that are corporate-owned. This may allow an enterprise to bypass many of the concerns related to the mingling of personal and corporate data and the deployment of business-centric applications and security policies. Another solution is the increased use of thin clients to access sensitive data. In this scenario, users log in to a secure web portal to review and append patient records or other information. This solution, properly implemented, eliminates much of the risk associated with storing PHI or other corporate assets because data never resides directly on the individual device.

To get the best results from any data security program, employees need to understand what is expected of them, they must be trained on using security measures properly, policies must be effective and enforceable, the necessary technology tools must be in place and appropriately administered, and enterprises should regularly audit their operations for compliance. Policies alone do not guarantee that PHI and other information assets are properly protected. The actions of each network user often will be the determining factor in whether sensitive data is safe.

In addition to crafting a robust data protection program, prudent enterprises also will develop a security incident plan that addresses the process to be followed if a data breach occurs. This plan outlines what the organization must do, what resources they'll need to do it and who is responsible for each task. The security incident plan should be created collaboratively, with representatives from IT, HR, general counsel, and the clinical or care provider side, joined by any other group likely to be part of proactive training or post-breach response activities. Including some common scenarios — a lost or stolen device, deliberate data theft by an internal employee, an external hacking event — is often helpful. And while organizations can't contemplate every eventuality, this exercise is valuable in helping teams gain a general understanding of where the data privacy risks are and how to mitigate them.

Brian McGinley is CEO of IDT911 Consulting.



Copyright © 2024 Becker's Healthcare. All Rights Reserved.

 
