2013 HCCA: Mobile Threats and How Healthcare Can Reduce Risks

Online Tech is exhibiting HIPAA hosting solutions at booth #919 at the Health Care Compliance Association (HCCA)’s 17th Annual Compliance Institute Conference April 21-24 in National Harbor, MD. The conference draws in healthcare compliance professionals, risk managers, privacy officers, healthcare CFOs and CEOs, and more.

Mobile Threats and How Healthcare can Reduce Risks
Speakers: Rick Cam, President & Co-Founder, ID Experts
Ted Kobus, Co-Leader, Privacy & Data Protection, Baker Hostetler

Rick and Ted opened with a couple of questions for the audience:

How many of your organizations allow use of personal mobile devices in your practices?
Does your organization have policies and best practices in place for using those devices?
How many are in compliance roles within your organization that set those policies and standards?

They cited a study that had been conducted to find how many organizations allow their employees to bring their own devices (BYOD) to work. Roughly 81% answered that their employees can bring their own device to work. 53% of those surveyed are allowed to use unsecure wi-fi access. They continued by asking how many people in the room had longer than a 4-digit password for the cell phones and tablets. Ted and Rick went on to explain that most password policies within organizations are inconsistent across the board for devices that are used for or contain PHI (protected health information).

While they noted that cell phones and tablets are a great platform for collaborating and sharing information across organizations, how organizations deal with inconsistencies in their policies will determine how well they are able to mitigate risks in relation to a BYOD policy for employees.

Creating BYOD policies are necessary for organizations to mitigate risk and there are several ways to go about implementing those policies and creating a culture of compliance. Treating the device as corporate property is the quickest way to begin installing a culture of compliance in an organization where BYOD policies are in place. Employees wouldn’t be quick to share a company-owned phone or laptop with their spouses and children.

Another solution to mitigate the risk that is inherent with these devices is to install encryption. Ted and Rick shared several examples where devices had been stolen and encryption could helped prevent the breach of PHI data if they had been in place and turned on. Just because the device requires a password, does not mean that the device is encrypted.

An audience member raised the question as to whether a BYOD is really in the best interest of an organization. The audience member pointed out that their organization issues every employee a company owned iPhone that is encrypted, but several employees still insist on being able to use their own device and they wanted to know how to deal with those kinds of situations when they arise.

Ted and Rick suggested having an organization wide training day for policies and best practices for the use of personal devices, citing that a CEO is not going to want to attend an entire of training and that may trickle down encouraging employees to simply use the organization issued device.

BYOD policies, information that may have been on one device gets moved to another device. Encrypting individual files vs. encrypting the entire device. Just because there is a password on it does not equal encryption.

Text messaging is another issue for many organizations at this point in time and the usage of text messaging is growing rapidly. Many organizations, again, have not yet identified all of the risks associated with sharing information via text message. By educating people to slow down and check the information they are sending, organizations will be a step ahead and better able to mitigate risks associated with text messaging.

Key lecture takeaway?
“The only thing worse than not having a policy? Not following your policy.”

Find out how to handle mobile security in your workplace by reading our Mobile Security white paper. This white paper explores approaches to mobile security from risk assessment (what data are truly at risk), enterprise architecture (protect the data before the devices), policies and technologies, and concludes with an example of a mobile security architecture designed and implemented within a hospital environment in which both enabling caregivers and protecting privacy, integrity, and confidentiality are paramount.