OCR: Mobile Devices Still Pose Security Risk to Health DataRegulators Remind Entities to Take Key Steps to Prevent Breaches
While the federal health data breach tally show a trend toward far fewer incidents involving the loss or theft of unencrypted mobile devices, regulators are reminding healthcare entities to remain vigilant to the risks involved in using laptops and other portable computing devices.
See Also: A Guide to Passwordless Anywhere
"As mobile devices are increasingly and consistently used by covered entities and business associate and their workforce members to store or access electronic protected health information, it is important that the security of mobile devices is reviewed regularly, and modified when necessary, to ensure ePHI remains protected," says the Department of Health and Human Services' Office for Civil Rights in a new cybersecurity newsletter spotlighting mobile security.
Because their size and portability puts them at greater risk for being lost or stolen, mobile computing devices should be encrypted for data at rest as well as for data in transmission unless covered entities and business associates can document in a risk assessment other reasonable and appropriate controls being used instead, OCR notes
"A lost or stolen mobile device containing unsecured ePHI can lead to a breach of that ePHI which could trigger HIPAA breach notification obligations for a HIPAA covered entity or its business associate," OCR writes.
"Additional risks could arise when using personal mobile devices to store or access ePHI. If an entity does not permit the use of personal mobile devices for work activities, especially activities involving ePHI, policies should be in place and enforced that make such prohibitions clear. Entities permitting the use of personal mobile devices must include such devices in their enterprisewide risk analysis and implement security measures sufficient to reduce those risks to a reasonable and appropriate level."
Until about 2015, OCR's HIPAA Breach Reporting Tool - commonly called the "wall of shame" - regularly showed that the most common cause of major breaches affecting 500 or more individuals was the loss or theft of unencrypted devices.
As of Nov. 1, a total of 2,109 major breaches affecting more than 176.2 million individuals had been reported to OCR since regulators began keeping a tally in September 2009. Of those, 673 breaches - or about 32 percent - involved theft or loss of unencrypted computing and other portable devices, affecting a total of 21.2 million individuals.
But as cyberattacks on healthcare sector entities have become more common - and entities have become more aware of the importance of encrypting their mobile devices - that breach trend has been shifting.
Only 8 percent of total breaches added to the tally this year - 34 breaches impacting 172,000 individuals - were reported as involving lost or stolen unencrypted computing devices or portable electronic devices.
The bigger cause? Some 123 breaches - or 42 percent of those added to the tally so far in 2017 - were reported as hacking/IT incidents, impacting 3.2 million individuals.
Rebecca Herold, president of Simbus, a privacy and cloud security services firm, and CEO of The Privacy Professor consultancy, says she's seen improvements in the past few years in the security practices that covered entities, and increasingly their business associates, have in place for mobile devices.
"BAs are being asked more often from their CEs - when the CEs are doing their due diligence and performing risk assessments, audits, and/or asking BAs to complete security evaluations - if they have comprehensive mobile computing safeguards implemented, including for remote wipe capabilities, encryption, etc.," Herold says. "More CEs are also not using BAs who don't have such safeguards in place."
Overall, CEs and BAs are getting better at protecting data on mobile devices as a result of four key factors, Herold says. Those include greater awareness of the risks; increased awareness of larger fines in OCR's HIPAA settlements after breaches involving unencrypted mobile computing devices; inexpensive ways to implement mobile security controls; and BAs being explicitly required to have such controls in place.
More Than Encryption
But beyond breaches involving lost or stolen unencrypted mobile devices, other kinds of incidents put mobile patient data at risk for compromise, Herold says. Those include breaches involving ransomware, key loggers and data theft through unsecured Wi-Fi, she says.
"Since most workers use mobile computing devices for work and non-work, those are often hit. And, disturbingly, most employees who get hit by ransomware simply go ahead and pay it, often unbeknownst to their employers," she says. One recent study showed that 59 percent of employees who have been hit by ransomware at work went ahead and simply personally paid the extortion money, she notes.
Meanwhile, key loggers "are increasingly being used, and often loaded through social engineering, [users] visiting infected sites, not securing USB ports on the devices ... using public unsecured Wi-Fi and using public USB charging ports," she says.
"The large majority of people still are quick to jump on any wi-fi access point, even if the associated network is unsecured. This opens them up to having their mobile computing device compromised, and then breached, in a wide number of ways, including access to and stealing the data on their devices."
Weak or missing authentication is still a significant problem, especially for employee-owned devices used for work activities, Herold says.
"Most people simply view it as a hassle to have to unlock a mobile computing device, and even that split second of entering a password or performing another type of authentication step is viewed as slowing them down too much," she says.
Meanwhile, other risks involve the family members and friends of mobile healthcare workers, she notes. For instance, there have been reported breaches involving workers' family members and friends using work devices to post patient data, photos or videos to social media sites. "CEs and BAs need to have documented policies and supporting procedures that cover [these] issues and require that if a computing device is used for business purposes, it should not be used by any others for nonwork activities," Herold says.
Besides spotlighting the importance of encrypting mobile devices, OCR in its newsletter reminds covered entities and business associates of other risks as well as precautions to take.
"Mobile devices, similar to many other computer systems, may be delivered by the vendor with default settings which may be unsecure. Such default settings may enable connectivity to unsecure Wi-Fi, Bluetooth, cloud storage, or file sharing network services," OCR writes.
"Entities should take steps to ensure that mobile devices are properly configured and secured before allowing the device to create, receive, maintain, or transmit ePHI." Workforce training should include educating staff on the dangers of using unsecure Wi-Fi networks, such as public Wi-Fi offered in airports and coffee shops, as well as unsecure cloud storage and file sharing services, OCR notes.
Also, workers need to be aware of the risk posed by malware, OCR writes. "Just as with other computer systems, malicious software that infects mobile devices could provide access to unauthorized individuals which could result in a breach of PHI."