With BYOD, data breaches just waiting to happen

The healthcare industry's track record on protection of patient data remains disturbingly poor, even after more rigorous federal regulations took effect in 2009, say two recent reports. And it may get worse before it gets better if the industry does not find a better way to protect the patient information carried with smartphones.

A report issued last week by the Health Information Trust Alliance (HITRUST) found that data breaches at hospitals and health systems declined between 2009 and 2012, but increased in smaller physician practices, which accounted for more than 60% of the 459 breaches analyzed.

Those breaches involved more than 500 people, but HITRUST also found that as of May 2012 there had been 57,000 incidents involving fewer than 500 people.

A second study, by the Ponemon Institute, found that 94% of healthcare organizations reported at least one data breach during the past two years. Forty-five percent reported more than five breaches.

Both studies found that the most common causes of the breaches were not from hacking or malware but the loss or theft of devices and employee errors. The HITRUST report found that only 8% of the breaches were caused by hacking and/or malware.

And, as is true in just about every other sector of the economy, the smartphone is becoming ubiquitous, which means employees using their own personal smartphones for work, known as BYOD (Bring Your Own Device), is a fact of life. Ponemon reported that 81% of its survey respondents said they allowed BYOD to access organizational data, and 54% said they were not sure if those devices were secure.

HealthcareITNews reported last week that a survey from Spyglass Consulting Group found that, "more than two-thirds of hospitals surveyed for a new study reported that their nurses use their personal smartphones while on the job for personal and clinical communications ... [but] IT support for those devices is lacking."


Sarah Kliff reported recently in the Washington Post's Wonkblog that doctors emailing with their patients is becoming increasingly common.

That means that the industry needs to pay particular attention to smartphones, wrote Art Gross at the HIPAA Secure Now blog. In a post titled, "Your Smartphone Will Cause Your Next Data Breach," Gross aims his argument at healthcare workers who don't think they have any patient information on their smartphones.

"Smartphones can be used to access EMRs [electronic medical records], PACS [picture archiving and communication system], to provide remote access to [spreadsheets and documents] and run thousands of applications that may contain patient information," he wrote.

The risk is there even if a worker only uses a smartphone for email. "In many healthcare organizations, email is used as a communication vehicle, [and] more and more email may contain information about patients," he wrote. "Healthcare organizations use email to communicate patient test results, follow-up conversations with patients, recommended prescriptions, etc."

And even if email is used only for internal communications, and not with patients, "all those emails with patient information end up in your inbox. Your inbox is then replicated to your smartphone," Gross wrote.

If the phone is then lost or stolen, the patient data is breached. The Ponemon study said the combined cost of data breaches to the healthcare industry is nearly $7 billion annually.

Gross said that at a minimum organizations should limit the amount of patient information in emails, mandate a start-up password plus an inactivity timeout, and require data encryption.

Troy Gill, senior security analyst at AppRiver, said technology is available today for most devices to tackle key security issues. "Enforcement of password locking and remote data wipe are critical -- both of which can be achieved through [Microsoft] ActiveSync or BES [BlackBerry Enterprise Server], as well as third-party [Mobile Device Management] solutions," he said.

Gill said another key step would help: "Corporations should require a VPN [Virtual Private Network] connection when accessing their networks from any device.

"And, since most of the mobile malware that is being discovered lately has been coming in the form of malicious app installations, companies may consider limiting the types of apps that can be used on a company device," he said.
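The controls Gross and Gill describe above (a start-up password, an inactivity timeout, device encryption, remote wipe, and limits on apps) map directly onto an Exchange ActiveSync mobile device mailbox policy; the following is an added example written for this article, not code from Gross, AppRiver or Microsoft, using Exchange 2013-and-later cmdlet names in the Exchange Management Shell. The policy name, mailbox address, notification address and device identity are placeholders.

```powershell
# Added example: enforce the article's minimum controls through an Exchange
# ActiveSync mobile device mailbox policy. All names below are placeholders.

# 1. Policy: start-up password, inactivity lock, encryption, refuse devices
#    that cannot apply the policy (splatting keeps each setting commented).
$policy = @{
    Name                               = "Clinical-BYOD"   # placeholder policy name
    DevicePasswordEnabled              = $true             # start-up password required
    AlphanumericDevicePasswordRequired = $true
    MinDevicePasswordLength            = 8
    MaxInactivityTimeDeviceLock        = "00:05:00"        # lock after 5 minutes idle
    MaxDevicePasswordFailedAttempts    = 10                # device wipes itself after 10 failures
    DevicePasswordExpiration           = "90.00:00:00"     # rotate the device password every 90 days
    RequireDeviceEncryption            = $true             # data at rest must be encrypted
    AllowNonProvisionableDevices       = $false            # block clients that cannot enforce the policy
}
New-MobileDeviceMailboxPolicy @policy

# 2. App limits: ActiveSync can refuse unsigned apps and installers, but only
#    clients that implement these settings honour them, so a full app
#    allow-list still needs the MDM products Gill mentions.
Set-MobileDeviceMailboxPolicy -Identity "Clinical-BYOD" `
    -AllowUnsignedApplications $false `
    -AllowUnsignedInstallationPackages $false

# 3. Assign the policy to a clinician's mailbox (placeholder address).
Set-CASMailbox -Identity "nurse.example@hospital.example" `
    -ActiveSyncMailboxPolicy "Clinical-BYOD"

# 4. Lost or stolen phone: list the partnered devices, then issue a remote
#    wipe for the reported one (DeviceId comes from the first command).
Get-MobileDevice -Mailbox "nurse.example@hospital.example" |
    Format-List DeviceId, DeviceType, DeviceModel, FriendlyName

Clear-MobileDevice -Identity "<Identity value from Get-MobileDevice>" `
    -NotificationEmailAddresses "security@hospital.example" `
    -Confirm:$false
# On Exchange 2016 or later and Exchange Online, add -AccountOnly to remove
# only the Exchange mailbox data rather than factory-resetting a personal device.

# 5. Verify the wipe was sent and acknowledged; an empty DeviceWipeAckTime
#    means the phone has not checked in since the request.
Get-MobileDeviceStatistics -Mailbox "nurse.example@hospital.example" |
    Select-Object DeviceId, LastSuccessSync, DeviceWipeRequestTime,
                  DeviceWipeSentTime, DeviceWipeAckTime
```

The wipe only takes effect the next time the device syncs, which is why step 5 matters for the compliance assurance Gray describes below: until DeviceWipeAckTime is populated, the data on the phone should be treated as still exposed.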

Chris Gray, Accuvant LABS practice manager, agreed that remote wiping capability is critical. "[It] can not only prevent data loss but also provide organizations with the ability to assure their management that the loss event does not require further legal or compliance mitigations."

Chris Petersen, CTO of LogRhythm, is not surprised that smaller organizations are much more vulnerable to data breaches. "Many smaller practices barely have a full-time IT staff much less someone focused on security," he said. "They should look to service providers and [resellers] that can recommend technology and approaches that reduce risk with a cost they can afford. Fortunately there are a lot of good solutions, many of them affordable."

But until they can bridge that security gap, using personal devices at work can be too dangerous. "They might be well served to ban BYOD," he said.

All of the experts agree that smartphones will continue to be lost and stolen. "There is no fix for this," Petersen said. "If organizations don't have the proper technical controls in place, they will be helpless when it comes to ensuring a lost device doesn't mean lost personal information."

Gray said the loss of mobile devices is a given, and that organizations should develop a multi-tier approach to dealing with this issue that includes encryption, remote wiping and educating employees to report a loss or theft immediately.

Gill agreed, noting what's at stake. "It's much more cost-effective to make sure you have an effective way to protect the data that's on them, which in most cases is far more valuable than the devices themselves."

Read more about wireless/mobile security in CSOonline's Wireless/Mobile Security section.


Stories by Taylor Armerding
