This is the second in a two-part series on issues related to the IoT, BYOD and cybercriminal attacks on ePHI. We suggest starting with part I if you have not read it.
The internet of things (IoT) includes personal mobile devices and wearables that employees and contractors use daily, inside and outside of the workplace. Drawing boundaries for device regulation has been a challenge for leadership teams, as the line between professional and personal is blurred. It’s clear, however, that healthcare organizations that take a proactive approach to securing all network-connected devices and ePHI gain an advantage: They reduce the risks of HIPAA violations, costly data breaches, and reputational damage.
“The challenge is that mobile technology and all of its related benefits have become the norm in real-time communication in our society. When applied to the healthcare space, however, a person’s privacy and security must be considered equally as important as convenience and cost,” said Guillermo Moreno, vice president and managing director at Experis Healthcare Practice.
Why Do Health Care Organizations Gravitate Toward BYOD?
Advancements like BYOD (Bring Your Own Device) capabilities appeal to companies because they reduce immediate costs, enhance collaboration, and give employees access to current technology. BYOD eliminates the need for professionals to carry around two phones and often encourages creative problem-solving.
In the healthcare industry, BYOD can offer professionals increased flexibility and fast access to pertinent information, and can be used to enhance patient services. In the industry today, 68% of health care service providers believe their organizations will completely support BYOD by 2018, and 51% already manage a policy for BYOD. Without BYOD policies, some organizations simply cannot fund these new advancements.
BYOD Vulnerabilities and Cyber-Attacks
BYOD programs create multiple vulnerabilities within an organization’s technical framework. One device can present several weaknesses including:
- Internet connectivity. Within a private network or on a cellular network, device users enjoy relative safety. If users connect to public Wi-Fi, however, they expose themselves to criminals running software to scan for entry points.
- Social engineering. How a user behaves on a mobile device also affects its cyber-vulnerability. In socially engineered attacks, an employee may unwittingly play a role in a data breach. Using a plea for help, a notice from a bank, or a compelling offer, criminals bury malicious software within seemingly legitimate messages.
These examples represent a limited number of tactics criminals may use to gain access to protected health information. If a criminal intends to compromise ePHI, he or she may try to access both data in motion (during transmissions) and data at rest (while stored). Organizations can invest in a current BYOD policy, technical safeguards, and employee education to minimize the risks associated with these and other vulnerabilities discussed in part I.
Audit Existing BYOD Policies
HIPAA regulations, especially the HIPAA Security Rule, provide cybersecurity guidance but do not constitute a set of comprehensive standards or BYOD rules. In addition to the existing HIPAA regulations and recommendations, healthcare organizations need to consider vulnerabilities associated with the IoT, network security, and physical infrastructure.
Audit existing BYOD policies with a wide cybersecurity lens. Failing to do so ultimately puts ePHI at risk.
To maintain compliance and manage BYOD in the workplace, consider the following components within a BYOD policy that go beyond regulatory compliance:
- Relevancy. Every technology-based policy hinges on its current relevancy. Review and update the existing policy as needed to account for changes in the threat landscape, device advancements, and industry best practices.
- Attack prevention and management. Many BYOD policies cover the basics, including system setup and regulation compliance, but fail to address additional cybersecurity considerations. Outline prevention and response activities to clarify in-house processes.
- Rights and responsibilities. Organizations set up BYOD programs differently, but any technology policy represents a two-way street. The organization plays a role in security and data privacy, as does the user. Clearly outline each device owner’s rights and responsibilities, including device/app/data ownership, and how the business may interact with their personal information on a device.
Consider the policy as a subset within a larger cybersecurity program. Incorporate general cybersecurity considerations as they apply to mobile device usage to cover all components.
“Ultimately, the requirements for securing the IoT will be complex, forcing CISOs to use a blend of approaches from mobile and cloud architectures, combined with industrial control, automation and physical security,” said Ganesh Ramamoorthy, a research vice president at Gartner. “However, CISOs will find that even though there may be complexity that is introduced by the scale of the IoT use case, the core principles of data, application, network, systems and hardware security are still applicable.”
Embrace Technical Safeguards
In addition to a formalized policy, create processes and invest in solutions to improve compliance and overall security. Protect data with the following technical safeguards:
- HIPAA-compliant hosting. All digital hosting solutions must adhere to HIPAA regulations and support the needs of mobile users. Consider solutions that go beyond secure hosting to offer multifaceted security solutions, including risk-auditing services, malware protection, secure log management, and encryption for data in motion and data at rest. Because both you and your service providers are liable under HIPAA, you need a reliable provider with compliance expertise.
- Device and data authentication controls. Two-factor authentication controls on devices and within applications create multiple barriers to commonly targeted endpoints.
- Remote lock/wipe. Organizations can reduce the risk of a data breach and minimize the effects of an intrusion with remote lock-and-wipe functionality on BYOD-approved devices. Mobile device management (MDM) solutions provide remote lock/wipe functionality and other safeguards.
- Encryption. In the healthcare industry, data is more valuable than the device. Consider cutting-edge encryption for data in motion and data at rest to protect health information. Use the Cryptographic Module Validation Program (CMVP) from the National Institute of Standards and Technology to maintain robust encryption standards.
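The safeguards above can be turned into a device posture check that gates access to ePHI. The following is an added example, not part of the original article: the record fields, the sample devices, and the 7-day check-in threshold are assumptions standing in for whatever a real MDM inventory export provides.

```python
from datetime import datetime, timedelta, timezone

# Hypothetical threshold: a device that has not checked in recently
# may never receive a remote lock/wipe command.
MAX_CHECKIN_AGE = timedelta(days=7)

# Constructed sample records shaped like a generic MDM inventory export.
NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)
DEVICES = [
    {"id": "phone-01", "mdm_enrolled": True, "remote_wipe": True,
     "storage_encrypted": True, "validated_crypto_module": True,
     "mfa_enabled": True, "last_checkin": "2024-01-14T08:00:00+00:00"},
    {"id": "tablet-02", "mdm_enrolled": True, "remote_wipe": True,
     "storage_encrypted": True, "validated_crypto_module": False,
     "mfa_enabled": False, "last_checkin": "2024-01-13T08:00:00+00:00"},
    {"id": "watch-03", "mdm_enrolled": False},  # unmanaged wearable
    {"id": "phone-04", "mdm_enrolled": True, "remote_wipe": True,
     "storage_encrypted": True, "validated_crypto_module": True,
     "mfa_enabled": True, "last_checkin": "2023-12-01T08:00:00+00:00"},
]

def evaluate(device, now):
    """Return the safeguard failures for one record; missing fields fail closed."""
    failures = []
    if not device.get("mfa_enabled"):
        failures.append("two-factor authentication not enabled")
    if not device.get("storage_encrypted"):
        failures.append("data at rest not encrypted")
    elif not device.get("validated_crypto_module"):
        failures.append("encryption module not CMVP-validated")
    if not (device.get("mdm_enrolled") and device.get("remote_wipe")):
        failures.append("remote lock/wipe unavailable")
    else:
        last = device.get("last_checkin")
        if last is None or now - datetime.fromisoformat(last) > MAX_CHECKIN_AGE:
            failures.append("stale MDM check-in")
    return failures

def audit(devices, now):
    """Map each device id to its list of failures."""
    return {d["id"]: evaluate(d, now) for d in devices}

def allowed_for_ephi(report):
    """Only devices with no failures may access ePHI."""
    return sorted(dev for dev, failures in report.items() if not failures)

if __name__ == "__main__":
    for dev, failures in audit(DEVICES, NOW).items():
        print(dev, "OK" if not failures else "; ".join(failures))
```
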
Figure 1: Example Policies for IoT and BYOD
These safeguards protect the devices and the data used in healthcare settings, but one more component will strengthen any BYOD cybersecurity program—employee education.
According to Ponemon Institute research, factors contributing to data breaches include employee negligence, often associated with their mobile devices and wearables. Educate, train, and remind employees of best practices and the risks of noncompliance. Every person who can potentially access sensitive health information plays a role in safeguarding your assets. Encourage all employees to report suspicious activities and use your organization’s best practices.
Embrace BYOD with Strong Risk Management
The BYOD and wearables phenomenon will only continue to grow. Healthcare organizations should use proactive measures to protect data with the latest security technology on top of what is already required to maintain HIPAA compliance. Create a culture of security for employees, service providers, and patients. Businesses can gain all the benefits of IoT, including mobile devices, without significantly increasing cybersecurity risks.
Feel free to reach out to our team of experts to see how we can help strengthen your IT infrastructure and security posture.
*Source: HIPAA Journal