AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

Medical BYOD: Use Of Smartphones Means HIPAA Breaches To Increase

BYOD is making quick strides into numerous businesses, agencies, and organizations.  It might not be surprising to find, then, that many medical establishments are either taking interest in the "Bring Your Own Device" trend or actively embracing it.  However, BYOD requires proper security, a couple of reports warn.

HITRUST and Ponemon: Most Breaches from Loss or Theft

The site csoonline.com notes that HITRUST – the Health Information Trust Alliance – and the Ponemon Institute have released reports about data breaches in medical settings.  The HITRUST report notes that between 2009 and 2012, data breaches decreased at hospitals and health systems but increased in smaller practices.  The latter account for 60% of the 459 breaches involving 500 or more people.  The report also notes that as of May 2012, approximately 57,000 breaches involving fewer than 500 people had been reported to the Department of Health and Human Services.

The Ponemon report found that "94% of healthcare organizations reported at least one data breach during the past two years. [45%] reported more than five breaches."

And, despite all the coverage devoted to hackers and malicious software being spread online, the causes of the breaches, according to both reports, were skewed towards the ordinary:
Both studies found that the most common causes of the breaches were not from hacking or malware but the loss or theft of devices and employee errors. The HITRUST report found that only 8% of the breaches were caused by hacking and/or malware. [csoonline.com]
In other words, a FIPS 140-2 compliant encryption software package would significantly cut down on medical data breach incidents.

What Does This Mean for BYOD in Medical Settings?

What do people tend to lose more than laptops?  Phones.  Statistics-wise, this makes sense because of the numbers involved: on any given day, hundreds of millions of people in the US are moving about with cellphones.  How many actually carry their laptops everywhere they go on a daily basis?  Whatever the actual figure, it's probably many times lower than the number carrying mobile phones.

Could mobile phones and other smart devices become a new frontier where data breaches are concerned?  They already are, according to Ponemon:
Ponemon reported that 81% of its survey respondents said they allowed BYOD to access organizational data, and 54% said they were not sure if those devices were secure. [csoonline.com, my emphasis]
Csoonline.com also notes that a separate report showed that:
two-thirds of hospitals ... reported that their nurses use their personal smartphones while on the job for personal and clinical communications ... [but] IT support for those devices is lacking
Uh....what?  Medical organizations tend to be among the most heavily regulated.  HIPAA concerns, at least, should be at the forefront of the mind of anyone working in such a setting, be it a doctor, nurse, security guard, or administrator.  That includes IT personnel.

The fact that they are allowing personnel to move data in and out of the organization on devices that are not secure is bonkers.  Yeah, there are other words I could have used, but that's what it is: bonkers.

Perhaps some think that BYOD currently occupies a legally gray area where it's unclear whether the organization or the individual would be to blame if a data breach were to occur.  Although I'm not a lawyer, I can vehemently assert that no such gray area exists: under HIPAA, it's the "owner" of the data that is held responsible.  Since patient data is legally collected by the medical organization, it is up to the organization to ensure that the data is not breached.

So, if PHI ended up on someone's iPhone, the phone got lost, a well-meaning citizen retrieved it, and he or she poked about in the device and found the PHI – that is a HIPAA data breach.

To ensure this doesn't happen, the devices in use should at the very least be encrypted and secured by a password.  BYOD management software like AlertBoot's Mobile Security can help ensure that smartphones and tablets are properly encrypted and secured with a strong password (and also guarantee that the user doesn't turn off this protection).

Related Articles and Sites:
http://www.csoonline.com/article/723678/with-byod-data-breaches-just-waiting-to-happen
About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.