Now that you’ve had some time to weigh the pros and cons of adopting BYOD, it is time to start working up an adoption plan. For any workplace, this requires researching and investing in certain mobile security tools. It also means addressing a number of key infrastructure and staff issues. Those in the healthcare industry must consider issues such as maintaining devices and network security, just as any other workplace would. However, those in healthcare have additional components they must take into consideration when it comes to BYOD—HIPAA compliance and securing Protected Health Information (PHI). As already mentioned in Part 1, HIPAA violations and PHI breaches can be extremely costly.
Fear not, however. In this second installment of our “BYOD in Healthcare” blog series, we are going to take a look at what you need to do in order to create and maintain a secure, private, and (most importantly) HIPAA compliant BYOD environment in your healthcare organization or private practice.
First, let’s take a look at a brief list of the key items that need to be researched, acquired, completed, or addressed in order to adopt a HIPAA compliant BYOD environment. After that, we will look at each of the following items in further detail:
- Locking Devices
- Remote Tracking/Wiping Tools
- File Sharing
- Device Retirement
- Wi-Fi/Network Access
- Antivirus Software
- Device Encryption
- Creating a Clear BYOD Policy
I’d imagine at least some of you probably already do this every day with your smartphones, if you use a 4-digit PIN or passcode to unlock them. Locking devices that are not in use is absolutely mandatory for anyone working in a BYOD environment. Seriously… making sure all BYOD devices are set to lock when not in use has to be treated as Rule #1. As mentioned in Part 1, lost/stolen devices cause most of the security problems for BYOD environments. A lost/stolen device that has been locked with a PIN or passcode is less likely to result in a PHI breach, whereas a lost/stolen device that hasn’t been setup to lock will almost certainly result in a one-way ticket to HIPAA-Fine-Land.
Remote Tracking/Wiping Tools
While a locked device lessens the likelihood that a lost/stolen device will lead to a PHI breach, it does not eliminate it altogether. To deal with a lost/stolen device, as well as avoid having it result in HIPAA fines, you will need to have one or more of three things installed on all the devices in your BYOD environment. Any one of these tools would be a good thing to have, but having more than one would be much better. Any HIPAA consultant would likely recommend that you have all three of these tools on any and all of your office’s connected mobile devices:
Remote Device Tracking: These handy little apps use a device’s GPS function to locate it in the event of loss or theft. iPhones now come with a “Find my iPhone” function preinstalled, and there are plenty of mobile device tracking apps on the market, some of which are even free. For laptops, unfortunately, this is not usually an option (very few offer tracking functions at present). However, there are alternative ways to make sure you can still locate a lost/stolen laptop—such as a locator chip adhered on it in a discreet location. Keep in mind, however, that locator chips sometimes have rather limited ranges.
Remote Disabling: While recovering a lost or stolen device with a remote tracker is a best case scenario, tracking tools often have weaknesses or limitations that can be exploited. Skilled cybercriminals know how these functions work, and the first chance they get (it is possible to break a device’s PIN or passcode in less than 24 hours), they will power down the device or just disable the GPS or “Location Services.” This pretty much kills any chance you have of tracking the device. A remote disabling function is a secondary layer of protection, giving a user the power to disable the device before anyone can take steps to compromise the tracking tools. Once activated, a remote disable will make it possible to remotely render a lost/stolen device unusable. However, remotely disabling a device will not prevent someone from physically removing the SIM chip on which the data is stored and dumping the device (which may also thwart the tracker) and retrieving the data later on. Black market data trading is big business on the darknet, where stolen data is sold to identity thieves, which means cybercriminals are often more interested in stealing the data than the device itself. Cybercriminals can get plenty of data from just the SIM chip.
Remote Memory Wipe: A mobile device from your office or practice has been lost/stolen. The tracking isn’t working, because the device is either dead or the thieves have turned it off. In this worst case scenario, it’s time to go for the “nuclear option”—a remote memory wipe. This is an app or function (which must be installed and setup in advance) that wipes all data from both the device and (if present) SIM chip—apps, call history, contacts, documents, texts, emails… everything. Some of the more extreme remote wipe tools will nuke the entire operating system. Once a remote wipe function is activated by the user, the device basically performs the electronic equivalent of hara-kiri as soon as it is powered on. The downside to a remote wipe is that the device is lost for good. Of course, that would likely have happened anyway if it was stolen. The upside is that since there is no data left to be retrieved, no PHI breach can occur, which means no HIPAA violations (the fines from which would undoubtedly be way more expensive than the device).
Any healthcare professional should know by now that emailing PHI is a very big HIPAA no-no. Another off limits method for sharing PHI is via non-private file-sharing services such as Google Drive or Dropbox (as New York-Presbyterian Hospital found out the hard way), as these are public cloud-based platforms that are not at all secure enough to meet HIPAA standards. Any file shares or data transfers containing PHI must be done via secure and private means. One possibility is to use an SFTP Client for secure file sharing. A second option, for those who like the idea of using a more cost-efficient cloud-based platform, would be to purchase a private, HIPAA compliant cloud.
In a BYOD environment, retiring any device—whether you are replacing it, repurposing it, or just changing to a different device—requires a bit more than just sticking the old device in a drawer. In fact, not properly dealing with old technology is a really good way to get your whole organization in hot water with HHS (just ask the folks at Children's Health). Always make sure that all PHI data has been deleted from any device before it is replaced, loaned, repurposed, or discarded. If you cannot or do not want to delete PHI from a retired device, you will to keep it locked and secure until this can be done.
This is one that tends to get overlooked, especially by smaller offices. Some offices have just one Wi-Fi router, which they use to conduct business as well as to offer customers “free Wi-Fi.” This is a terrible idea. Your office Wi-Fi router is connected to your network, which means it is also connected to PHI, which means it must be password protected (using secure password management practices). No one, aside from you, authorized staff members, and IT personnel, should have access to your office Wi-Fi. If you want to provide complimentary Wi-Fi for customers to use in your waiting room or lobby, you will need to set up a secondary router or hotspot for them to access that is not connected to your office network.
You’d think this one would be fairly self-explanatory, and it sort of is when it comes to laptops and PCs. However, mobile devices often get left out when folks think about antivirus (AV) software. In fact, many people are not even aware that AV software is available for mobile devices. Any device being used in a BYOD environment needs to have a well-vetted AV installed (Kaspersky Labs offers one that is excellent). Keep in mind, though, that even the best AV can only hunt what it knows to look for. So it’s important to ensure that everyone in a BYOD environment keeps their AV enabled and up-to-date on all connected devices (AV on mobile devices can usually be set to automatically update).
As for the last two items—Mobile Device Encryption and Creating a BYOD Policy—those really need to be discussed in detail in separate articles. No worries, however, as we will be covering both of them at length in the final two installments of this blog series next week (so stick around for those).
In Part 3 of this series, we will be discussing the various ins and outs of encryption for laptops and mobile devices—what encryption is, why you need it, and what kinds are available.