In a time when smartphones seem ubiquitous, the pressure for healthcare organizations to allow their employees to access work resources with their personal mobile devices may be overwhelming. But this presents a variety of potential problems that are especially troubling in the shadow of the Anthem data breach and others like it. What can healthcare IT and security staff do to balance these opposing forces, to allow better access without giving criminals the keys to the castle?
What are criminals seeking?
The recurring theme I’ve most often heard with regard to security issues in medical practices is that there is a fundamental misunderstanding of what criminals are after. While some criminals may be after blackmail-worthy details of health problems, in the majority of data breaches the miscreant’s goal is to obtain a large quantity of salable information to be used for medical or financial fraud. This list of valuable data comprises much of what was lost in the Premera and Anthem breaches as well as other notable recent healthcare breaches:
- Names of patients and employees;
- Physical and email addresses;
- Medical ID numbers;
- Social Security numbers; and
- Payment card data.
This information can be sold in bulk, with more complete record sets fetching a higher price, as they enable more lucrative fraud without the need for phishing for additional information from the victim. Medical ID and Social Security numbers are especially valuable for criminals, as payment card fraud is typically identified and blocked much more quickly; most banks have robust fraud-detection programs, and customers check payment cards more regularly and thoroughly than they do credit reports or medical reports.
While medical businesses may be aware of which data are financially lucrative, they also may not understand how criminals may try to access it. While sometimes criminals seek to access databases directly, they can just as easily find other ways into the network. Attackers often try to break into machines that are viewed as less sensitive, which may have less stringent security, and work their way across the network to the more lucrative targets. Or they may phish login credentials from staff members, so that attackers can appear to be someone who is authorized to access the necessary resources to get to the database. This can negate the beneficial effects of encrypting sensitive data if the criminal gains the necessary permissions to access the unencrypted information.
In light of this, organizations should be implementing layered defenses so that even if criminals gain access to machines or user credentials that get them into the network, these attacks can still be stopped by other means. This means healthcare organizations need to have a certain level of control over the computing environment of their users. But how do you do this when users bring their own devices, especially mobile devices, which involve a significantly higher risk of loss or theft?
What are the unique challenges of mobile security?
It’s one thing to secure computers that physically reside within your own building. They can be locked away, and IT or security staff can access them whenever there is a problem. But when devices belong to individuals rather than to the business itself, especially when devices are carried in pockets or purses and they can be easily lost or stolen, the ability to access sensitive data remotely can create a huge risk.
The devices people use may be configured at wildly different levels of security depending on the operating system and other software on the devices, and which settings are enabled. For this reason, many security practitioners have redubbed the acronym “BYOD” from “bring your own device” to “bring your own destruction”.
But there are ways to mitigate these risks. To this end, healthcare IT and security staff should be asking and answering a few salient questions:
- Is it better to allow users to bring whatever device they wish, or to choose from a short list of approved devices?
- What should businesses require of users accessing work resources remotely?
- Are there ways to mitigate the risk of lost or stolen devices?
- Are there ways to help secure connections to work resources?
Let’s look at the issues within each of these questions to consider how best to answer them.
User choice vs. the employer’s choice of mobile device
When a healthcare organization is making the decision to allow staff to access work resources remotely, the relative costs of various options are likely to be a deciding factor. Many organizations may feel pressured to allow users to bring any device of their choosing, but it is becoming more common to provide employees with an approved device or a choice of devices from an approved list.
The biggest factor in favor of allowing users to bring their own personal device may initially seem to be the cost of providing each employee with a device and monthly service charges. If employees are reimbursed for the cost of the service on their own devices, this cost difference may be less daunting. But it may be easy to forget that, especially with the possibility of HIPAA fines after a breach, there are costs to assess beyond the device itself and its voice (where applicable) and data service. Healthcare organizations should also consider the extra costs incurred in securing and supporting these devices.
When employees are in charge of updating and upgrading their devices, as well as what software they choose to install, support costs can be significantly higher: problems may be more complicated to resolve. And if those users are the ones deciding what security settings to enable or disable, this may expose the entire facility, staff and patients included, to greater security risks if that device is lost, stolen, or breached. In the end, it may be more cost effective to offer employees mobile devices that have mobile device management software installed, which can standardize the software and settings throughout the company.
Remote resource requirements
The decision to allow employees to access corporate resources with mobile devices is a delicate balancing act between the employees’ rights and the business’ legal obligation to protect data. This is particularly true for healthcare businesses, when HIPAA regulations come into play.
Whether or not a business allows employees the ability to choose to use their own devices to access network resources, it is important to have them read and accept a brief “terms of service” type of agreement that spells out expectations for appropriate use of devices and services and consequences for misuse. This excellent fact sheet from the Privacy Rights Clearinghouse discusses these legal issues in greater detail.
The other requirements healthcare organizations are allowed to impose on employees differ from one locale to the next, as employee protections and legal limits are likely to be in place. The Privacy Rights Clearinghouse post also points to several good resources in this regard.
In a time where text or instant messaging and cloud services are every bit as commonly used as the mobile devices they’re often used with, it is important to make it clear to employees that it is not acceptable to circumvent security protocols when storing or transmitting patient data. Employers may choose to provide approved, secured messaging and cloud services to make conformance easier for employees.
Mitigating the risk of lost or stolen devices
It is important to understand that there is no such thing as perfect security, in any aspect. The best thing to hope for is to decrease risk and mitigate damage if a security incident does occur. Part of being successful at risk mitigation is to decrease the value of any one piece of the security puzzle, should it be stolen. For instance, if an employee’s username and password are phished, they are of limited use if another factor of authentication is required to log into the user’s accounts.
The primary aspects healthcare organizations must consider when a device is lost or stolen are what data the device contained and what access the device has to company resources. The two most obvious solutions to both are to require a passcode to access the device and to wipe the device as soon as it is reported stolen. Many businesses choose to implement a policy that requires that IT have access to the device so that these steps can be carried out. Neither a passcode nor remote wiping is perfect protection: a thief may breach a device by guessing or circumventing the passcode lock, and data might be removed before the device is reported missing, but these steps can decrease the risk somewhat.
One way to limit the value of stolen data is to encrypt as much as possible, both in transit and in storage, remotely and on the device itself. If a thief gains access to a device, but the data on it is scrambled, the data loses any value to an attacker. Keep in mind that if the thieves get both the device and the user’s login credentials, they may still be able to view the data in its unencrypted form.
Other methods for securing connections
There are many things healthcare organizations can do to increase security within their own networks so that they are safer for remote access as well as local. These considerations also fall into the areas of protecting sensitive data and limiting unauthorized access.
One important way to protect data that does not need to be viewed by more than one person, such as passwords, is to salt and hash the data. When this is done, the password itself is not stored; instead, the password entered at login is run through the same one-way algorithm, and the result is matched against the stored representation. Since the password is not stored, it cannot be stolen directly, and the salt and one-way algorithm decrease the possibility of its being reverse-engineered from what is stored. While this does mean forgotten passwords cannot be retrieved, it is safer to simply reset the password and require the user to change it upon next login. This Crack Station post goes into the intricacies of effective salting and hashing.
While salting and hashing can decrease the damage of attackers accessing a password database, it does not prevent users from simply giving away their passwords, intentionally or accidentally. Scanning email for potential phishing links will limit some kinds of attacks, but it does not prevent other kinds of social engineering or brute force attacks. In these cases, there are other things you can do.
Limiting the number of incorrect login attempts can help against brute force attacks, and ongoing security training may help decrease the effectiveness of social engineering. Another factor for limiting damage in the event of lost passwords is to restrict users’ access to only what they absolutely need in order to perform their regular tasks. This way, if attackers get into a network via the stolen credentials, they will be less able to move throughout the network to get other valuable data. Likewise, requiring users to log in to resources periodically – rather than logging them in indefinitely – can limit the amount of damage that an attacker can do.
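The salted-and-hashed password storage described above, combined with the limit on incorrect login attempts, as an added example (not code from the original article): each user gets a random salt, only a PBKDF2-HMAC-SHA256 digest is stored, verification recomputes the digest and compares it in constant time, and an account is locked after a fixed number of failures. The iteration count and lockout threshold are assumptions chosen for the example.

```python
import hashlib
import hmac
import os

# Assumption: 100_000 iterations keeps this example fast; raise it in production
# to slow down offline cracking of a stolen password database.
ITERATIONS = 100_000
# Assumption: lockout threshold chosen for this example.
MAX_FAILED_ATTEMPTS = 5


def hash_password(password: str, salt: bytes = b"") -> str:
    """Return 'salt$iterations$digest' (hex) for storage; a fresh random salt per user."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{salt.hex()}${ITERATIONS}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    salt_hex, iterations, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


class CredentialStore:
    """Username -> stored hash, plus a failed-attempt counter per user."""

    def __init__(self) -> None:
        self._records: dict = {}
        self._failures: dict = {}

    def register(self, username: str, password: str) -> None:
        # The password itself is never kept; only the salted digest is.
        self._records[username] = hash_password(password)
        self._failures[username] = 0

    def login(self, username: str, password: str) -> str:
        """Return 'ok', 'denied' or 'locked'."""
        if username not in self._records:
            return "denied"
        if self._failures[username] >= MAX_FAILED_ATTEMPTS:
            return "locked"  # brute-force limit reached; requires a reset
        if verify_password(password, self._records[username]):
            self._failures[username] = 0
            return "ok"
        self._failures[username] += 1
        return "denied"
```

Because only the digest is stored, a forgotten password cannot be recovered from the record; the only option is the reset-and-change flow the article recommends.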
There are also many good ways to increase security with software. Requiring staff to use a virtual private network (VPN) to access network resources remotely can greatly decrease the risk of eavesdropping attacks, especially if employees use public Wi-Fi to access work resources. Depending on the operating system of the user’s device, it may also be advantageous to provide employees with mobile anti-malware products that scan for malicious links and files.
BYOD can be a benefit
While these steps to secure access via mobile devices may appear to be costly and complicated, it may be worth the effort in terms of the increase in staff productivity and responsiveness. Staff and patients may view the access of mobile devices as a benefit that may improve care outcomes due to improved patient engagement.