Guest post by Cortney Thompson, CTO, Green House Data.
As more healthcare providers modernize their IT with cloud solutions and mobile devices, the opportunity for breaches increases dramatically. Hardly a week goes by without a major hospital or practice announcing a data breach. Breach reporting is costly, time-consuming and harmful to the reputation of otherwise legitimate practices. But is it really unsecured data, hackers or doctors sharing information that is causing breaches?
A quick analysis of the public data released by the Department of Health and Human Resources (HHS) reveals that from the first reported breaches in 2009 through early 2013, there were 572 breaches involving 500 or more patients (the threshold for reporting). Of these breaches, only about 10 percent came from hacking/IT incidents or improper disposal, while over half—51 percent—were a result of theft.
When you combine these figures with the location of the breach, the picture becomes even clearer: 44 percent of the breaches are from laptops, 13.5 percent from computers, 13.1 percent from portable devices and 10.5 percent from network servers. That means a whopping 81 percent of breaches are from computing devices, and 57 percent are from mobile devices alone.
The security priority is apparent. Mobile devices account for the majority of PHI breaches and must be secured. While no method is foolproof and breaches can still occur, there are a variety of ways on today’s market to control access to data on laptops, tablets, and smartphones, as well as to wipe and track a device.
As lawyers Edward Shay and Patricia Markus note in a paper on coping with breaches, “the loss or theft of PHI that has been secured does not constitute a breach.” What we need then is strong encryption as a prerequisite to accessing any ePHI. If a laptop or tablet gets stolen but is encrypted, the data isn’t accessible without the encryption key and it isn’t a reportable breach (meaning there also aren’t breach fines, which can add up to thousands or millions).
In one recent and unfortunate example, Cedars-Sinai Medical Center in California had a laptop stolen from the home of an employee. The laptop operating system had recently been updated and the encryption software was not reinstalled, according to the LA Times report. Even though the hospital removed network access from the laptop as soon as it learned of the theft, the data could have been accessed and a breach report was necessary.
Encryption can be applied in transit, using Virtual Private Networks (VPNs), as well as at the file level. On a VPN connection to the provider’s network, outsiders can see that traffic is flowing but cannot read it without the encryption key, while file-level encryption secures the individual files themselves.
Encryption zones can also be deployed on the network, using Windows Server or other tools, to ensure all traffic within the zone is secured.
One area we caution our health clients to watch out for is the storage and use of encryption keys. Clients often store the keys in the same location as the data itself, and applications might also hold keys in memory while they’re in use. Encryption keys should be kept on a separate server or storage block, and a backup of all your keys should be kept in an offsite location in case of disaster. This backup should be audited every couple of months.
Encryption keys also need to be refreshed regularly. Keys that are set to expire automatically force the refresh on their own; every other key needs a refresh schedule. Consider encrypting the keys themselves (though this leads to a vicious circle of encryption on top of encryption). Finally, require multi-factor authentication to use master and recovery keys.
Networking Tools for Cloud or On-premise Data Centers
There are methods to stop computers without up-to-date software from accessing the network. In the Cedars-Sinai case, these could have kept the laptop from reaching sensitive documents (assuming no unencrypted PHI was stored locally).
This is generally referred to as Network Access Control (NAC). A connecting computer cannot access anything on the network until it complies with business policies such as anti-virus, critical updates and patches, or encryption. NAC solutions generally require a locally installed software agent, but there are remote scanning options as well. If a user tries to connect with an outdated system or software, they may be directed to a quarantine network or captive portal, where they receive instructions on how to update their device, or else are simply given limited access.
NAC can be set up in an on-premises data center or with cloud solutions. Other networking tools include port and traffic monitoring and file system logs, both of which can automatically alert system administrators when malicious activity or unauthorized access occurs. These systems are generally built into hypervisor administration tools and include control over SMTP, HTTP/S, and FTP traffic.
Mobile Device Management
When dealing specifically with tablets and smartphones, mobile device management (MDM) software is useful for the same purposes as NAC and encryption, but with additional features that enable Bring Your Own Device (BYOD) programs and give more control over the user’s phone or tablet. Almost any modern mobile device can have MDM installed, and most software includes support for Android, iOS, Windows Phone, BlackBerry, MacOS, and Windows.
MDM enables role- and policy-based restrictions for mobile devices in addition to central management of encryption, antivirus tools, application distribution and blacklists, password protection, e-mail settings, and compliance. It sounds powerful, and it is. If a user’s device is out of date, it can be quarantined or blacklisted. If a device is stolen, it can be wiped remotely or shut out. With the proper MDM setup, theft of a device simply means a few clicks and no data breach.
There are many MDM vendors on the market, like AirWatch (recently acquired by VMware) and Sophos Mobile Control. Pricing and compatibility will play into your choices here. Whichever you choose should include certificate-based authentication, policy enforcement (passwords, device lock, remote wipe), encryption, and containerization.
Virtual Desktop Infrastructure or Desktop as a Service
Virtual desktop infrastructure (VDI) or Desktop as a Service (DaaS, which is VDI that is administered by a service provider) could be the best solution for all of the above. The user device can easily be completely severed from all health provider networks and assets, removing the threat of data breach entirely.
With VDI, each user is assigned a virtual desktop or launches one from an available pool upon logging in. These virtual desktops behave the same as a regular system but they are stored on a server in a data center. All compute processes, storage, and applications take place on the server. The device is essentially just a monitor and keyboard.
If a device is stolen with VDI as the primary method of access to health provider systems and PHI, the thief has no method of accessing sensitive patient data. The device can then be locked out of the network entirely, or the user’s credentials changed.
In the end, hospitals and healthcare providers must balance the price of their IT systems with the potential risk, cost, and reputation impact of a mobile device breach. VDI systems can be pricey, but they also enable convenience and productivity in addition to security. MDM software might require additional training or admins, but the peace of mind is probably worth it. A combination of company policy, employee training, and vigilance is also required, but network monitoring won’t cut it when a device is stolen. With theft remaining the major cause of data breaches, you need a method of controlling and wiping mobile devices to avoid the dreaded data breach.