13 security tips as part of a data breach response plan to combat mobile device threats in the BYOD era @ your HIM/MR office

I took you on a rendezvous about the Bring-Your-Own-Device (BYOD) phenomenon, especially the mobile devices that can wreak havoc on a hospital, in my two previous posts: The perils BYOD bring to healthcare – but before that, what is a mobile device exactly? and Patient data breaches in the BYOD and BYOC era.

Here are some pointers I picked up while fact-finding on BYOD, distilled into 13 security tips as part of a data breach response plan to combat mobile device threats in a healthcare setting such as a hospital and, in keeping with the focus of this website-blog, in your Health Information Management (HIM)/Medical Records (MR) Department backyard, especially if you work with Electronic Medical Records (EMR).

  1. Get help from your hospital's IT department to install and advise on USB port locks: a low-cost solution that physically plugs unused ports and offers an additional layer of security alongside the encryption or other software installed on computers, laptops or other devices that may contain protected health information (PHI) or sensitive information, preventing unauthorised data transfer (uploads or downloads) through USB ports and thumb drives.
  2. Lost or stolen computing or data devices are the number one cause of healthcare data breach incidents. Consider geolocation tracking software or services for mobile devices that can immediately track, locate or remotely wipe the device of all data.
  3. Brick the mobile device when it is lost or stolen.
  4. All mobile devices, including USB drives, should be encrypted if they will be used remotely and there is any possibility that sensitive data will be stored on them. Require the use of company-owned and encrypted portable media.
  5. Laptops put in “sleep” mode, as opposed to being shut down completely, can render encryption products ineffective.
  6. Once the password is entered, a laptop's disk is decrypted (and unprotected) until the laptop is fully shut down. Simply putting the laptop into “sleep” mode does not cause the encryption protection to kick back in, because the decryption key stays in memory. A laptop that is lost or stolen while in “sleep” mode is therefore completely unprotected. Employees should be clearly advised to shut their laptops down completely before removing them from the workplace (e.g. when taking them home for the evening) and to use only the full shut-down function, rather than “sleep” mode, when travelling or leaving a laptop unattended in an unsecured environment. This policy should be strictly enforced and audited.
  7. Limit inappropriate use of personal devices through strong policies, training, and sanctions for non-compliance. To further reduce the risk, consider the root cause of the problem: what benefits do personal devices offer employees that the organization's own systems lack? For example, if clinicians are texting PHI from personal devices because the hospital does not offer a similarly convenient means of communicating, the hospital may want to consider whether it can offer a secure alternative to texting.
  8. Don't permit access to PHI from mobile devices without strong technical safeguards: encryption, data segmentation, remote data erasure, access controls, VPN software, etc.
  9. Educate employees about the importance of safeguarding their mobile devices: not downloading applications and free software from unsanctioned online stores that may contain malware, not turning off security settings, encrypting data in transit and at rest, and promptly reporting lost or stolen devices that may contain confidential and sensitive information.
  10. As Electronic Protected Health Information (EPHI) can be accessed from a multitude of mobile devices, the risk of systems being infected by a virus introduced from a mobile device used to transmit EPHI increases significantly. Thus, as part of EPHI security, purchase cyber liability insurance.
  11. Ensure that BYOD mobile devices (which the user, not IT, owns and primarily controls) are adequately secured and checked before disposal or donation. Once a user upgrades to a new smartphone or mobile device, the device coming offline is almost always overlooked. Such smartphones and other devices are typically given to children to play with, donated to charity organizations or handed down to other family members, in many cases without confirmation that they have been sufficiently wiped, potentially leaving sensitive, confidential and other data intact. The result is a constant stream of devices going offline and posing significant data breach risks.
  12. Have a proactive data management strategy to protect critical patient data and to allow access to patient data on an as-needed basis, a strategy borrowed from data protection concepts in the financial industry, where, for example, credit card numbers are increasingly transmitted using tokenization technology. This technology can be adopted by the healthcare industry.
  13. Require transparency and end-user opt-in consent when smartphone companies collect, share and/or store personal information; conduct a thorough technical review and risk audit of new technologies before they are rolled out for use by patients and/or employees.
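Tips 5 and 6 above are the one point in the list that a script can audit: with full-disk encryption, a suspended laptop keeps the disk key in RAM, while a hibernated or powered-off one does not. The script below is an added example (not code from the original post or from ID Experts) that checks a Linux laptop's systemd-logind configuration so that closing the lid or pressing the sleep key hibernates or powers off the machine instead of suspending it. It assumes the logind.conf key names HandleLidSwitch, HandleLidSwitchExternalPower, HandleLidSwitchDocked and HandleSuspendKey, which are real systemd settings; the two sample config files it writes are constructed for the demo, and it assumes (without checking) that the swap holding the hibernation image is itself encrypted, since an unencrypted hibernation image would simply move the key from RAM to disk.

```shell
#!/bin/sh
# Added example, not code from the original post: audit systemd-logind's
# lid and sleep-key handlers so that a laptop with full-disk encryption is
# never left suspended with its disk key resident in RAM.
# Assumption: hibernate only counts as safe when the swap that receives the
# hibernation image is itself encrypted; this script does not verify that.

# Effective value of one logind.conf key: the last uncommented assignment
# wins. logind's own defaults (suspend for the lid switch, ignore for the
# docked case) both leave the machine's RAM, and hence the disk key, alive,
# so an absent or empty key is reported as "unset" and flagged below.
logind_value() {
    lv_key="$1"
    lv_conf="$2"
    lv_val=$(sed -n "s/^[[:space:]]*${lv_key}[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p" "$lv_conf" | tail -n 1)
    if [ -n "$lv_val" ]; then
        printf '%s\n' "$lv_val"
    else
        printf 'unset\n'
    fi
}

# 0 when the action leaves no key material in RAM, 1 otherwise.
# "suspend", "hybrid-sleep" and "suspend-then-hibernate" keep RAM powered
# (for a while, in the last case); "ignore" and "lock" keep the system running.
setting_is_safe() {
    case "$1" in
        hibernate|poweroff|halt) return 0 ;;
        *) return 1 ;;
    esac
}

# Audit every lid/sleep-key handler in one file. Prints a line per key and
# returns 0 only if all of them are safe.
audit_logind_conf() {
    alc_conf="$1"
    alc_rc=0
    for alc_key in HandleLidSwitch HandleLidSwitchExternalPower \
                   HandleLidSwitchDocked HandleSuspendKey; do
        alc_val=$(logind_value "$alc_key" "$alc_conf")
        if setting_is_safe "$alc_val"; then
            printf 'OK    %-28s = %s\n' "$alc_key" "$alc_val"
        else
            printf 'WEAK  %-28s = %s\n' "$alc_key" "$alc_val"
            alc_rc=1
        fi
    done
    return $alc_rc
}

# Constructed sample configs for the demo (not real hospital files).
SAMPLE_DIR=$(mktemp -d)
WEAK_CONF="$SAMPLE_DIR/logind-weak.conf"
HARD_CONF="$SAMPLE_DIR/logind-hardened.conf"

cat > "$WEAK_CONF" <<'EOF'
[Login]
#HandleLidSwitch=suspend
HandleLidSwitchExternalPower=ignore
HandleSuspendKey=suspend
EOF

cat > "$HARD_CONF" <<'EOF'
[Login]
HandleLidSwitch=hibernate
HandleLidSwitchExternalPower=hibernate
HandleLidSwitchDocked=hibernate
HandleSuspendKey=poweroff
EOF

for conf in "$WEAK_CONF" "$HARD_CONF"; do
    echo "== $conf"
    if audit_logind_conf "$conf"; then
        echo "PASS: sleep actions leave no disk key in RAM"
    else
        echo "FAIL: laptop can be left suspended with the disk key in memory"
    fi
done
```

To audit a real machine, call `audit_logind_conf /etc/systemd/logind.conf`; note that the script reads a single file and does not merge drop-in fragments from /etc/systemd/logind.conf.d/. On Windows laptops the same policy is enforced through the power settings (disable sleep, enable hibernation) rather than this file.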

I have visual!

There are many infographics on BYOD, but I like this one because it relates quite closely to everything I have posted above.

The infographic below summarises the findings of a study commissioned by ESET, an IT security company founded in 1992 and headquartered in Bratislava, Slovakia, which develops leading-edge security solutions against cyber threats. The study set out to help companies understand the scale and scope of the risks that come with BYOD: companies may adopt a BYOD mindset, but they should make sure to implement a BYOD policy, as it is no laughing matter.


Source: vbridges.com/

References:
Largely from ID Experts, idexpertscorp.com/, with cross-references from:

Elizabeth B., International Perspectives in Health Informatics, IOS Press BV, Netherlands, 2011

Karen A. W., Frances W. L. and John P. G., Managing Health Care Information Systems: A Practical Approach for Health Care Executives, 1st ed., Jossey-Bass, A Wiley Imprint, San Francisco, USA, 2005

Kenneth C. L. and Jane P. L., Management Information Systems: Managing the Digital Firm, 12th ed., Prentice Hall, New Jersey, USA, 2012

Keri E. P. and Carol S. S., Managing and Using Information Systems: A Strategic Approach, John Wiley & Sons, New Jersey, USA, 2010
