Health care organizations are trying to get a handle on introducing and managing mobile devices, but are finding it difficult to keep their data safe. If the loss of unencrypted laptops holding confidential patient data has not already earned a facility a place on the Department of Health and Human Services (DHHS) “wall of shame,” the risk of data being accessed and stolen internally is sure to follow.
So far this year, over 25 health care facilities and associated businesses have been publicly embarrassed under the August 2009 Breach Notification Rule of the Health Information Technology for Economic and Clinical Health (HITECH) Act, which requires covered entities and their business associates to notify the appropriate agencies when a breach compromises the protected health information (PHI) of 500 or more individuals. A significant number of the breaches listed on the DHHS site involve lost or stolen laptops and unauthorized access to, or hacking of, the network.
The latest occurrence was the loss of a laptop from a doctor’s office in Miami, FL, which exposed the PHI of 1,137 patients. One of the largest incidents reported last year was AvMed, Inc.’s report of two unencrypted laptops stolen from a conference room; they contained the names, dates of birth, addresses, Social Security numbers, and personal health information of nearly 1,220,000 patients. According to the U.S. Department of Homeland Security’s (DHS) National Cybersecurity and Communications Integration Center, “poor physical security protective mechanisms or operational security awareness make it easy for thieves. In addition, lack of hardware encryption allows thieves direct access to all data stored on the device”[1].
In addition to weak physical security, weak internal access controls, and weak passwords, the DHS has found a growing number of vulnerabilities in mobile devices running commercial operating systems, which leaves them exposed to malware and viruses. This applies not only to mobile devices connected to the network, but to all mobile devices used by the organization. A device that is connected to both the internet and the hospital network poses a higher risk of breach. Devices are exposed to attacks that exploit software vulnerabilities, missing patches, firmware vulnerabilities, and wireless connections, any of which could provide a path into the health care network. An example is the use of iPads by doctors at the University of Chicago, where the DHS report describes malware affecting iTunes users who connected their iPads to Windows computers. The Backdoor.Bifrose.AADY malware allowed a third party remote control of the machine and “pulled serial numbers and read passwords for different programs including POP3 email and any protected storage”[2]. Computers on the network are also exposed when PHI is synced to or transferred from an improperly configured mobile device, which opens a new avenue for malware to spread.
Exposure of PHI is a violation of HIPAA regulations and can result in monetary penalties, reputational damage, public embarrassment, lawsuits, and possibly the loss of the medical practice or business. The patients involved in the incident, in turn, face identity theft and the sale of their personal data on the black market.
There is no silver bullet that completely eliminates the risks of mobile devices on the network. There are, however, ways to reduce the risk of exploitation while exercising the due diligence that minimizes penalties and lawsuits resulting from HIPAA/HITECH violations. The best approach is always a solid evaluation of the organization’s information security program. It is vital that the program not only identify, assess, and remediate high-risk areas, but also ensure that all controls, technical, administrative, and physical, work together as a holistic whole. These three components must integrate seamlessly to close gaps, because gaps between controls are where vulnerabilities appear.
A security consulting firm can offer substantial benefits. Not only can it become a strategic partner in the organization’s efforts to maintain compliance, but it can also supply what is otherwise out of reach: staff with years of expertise, without the cost of finding and retaining them; in-depth knowledge of current health care IT regulations; contracted IT staff with current technology skills; and, most importantly, objectivity. Attackers, whether internal or external, are frequently a step ahead of the security industry, which makes it very difficult for in-house security administrators to keep up. Minimizing threats, continuously updating a holistic security program, and drawing on the expertise of security consultants can, however, make a difference.
[1] National Cybersecurity and Communications Integration Center, Attack Surface: Healthcare and Public Health Sector (U.S. Department of Homeland Security, 2012), 7.
[2] National Cybersecurity and Communications Integration Center, Attack Surface: Healthcare and Public Health Sector, 4.