Six Steps Healthcare Organizations Can Take to Secure PHI on Mobile Devices

As an IT professional for a covered entity in the heavily regulated health care field, you no doubt worked hard building a secure computing environment with physical, technical and administrative safeguards, both to protect patients' health information and to maintain HIPAA compliance. Yet many information security strategies are primarily focused on the environment behind the firewall, the established perimeter in an organization's defense strategy. But now you're faced with a changing IT infrastructure that includes mobile devices that may have infrequent connectivity to your server environment. How can you secure all of the laptops, tablets and smart phones that employees often use for work (at your facilities as well as offsite) because they're so convenient and essential for productivity?

When protected health information (PHI) is exchanged using any mobile device, even a nurse's personal smart phone or a doctor's laptop at home, it could trigger a HIPAA Security event. Today IT professionals are being challenged to protect the data on all of those personal endpoint devices that employees use every day but that aren't under the organization's direct control. Is there a solution for adding HIPAA-compliant security to those devices, and to do so in a simple, nonintrusive way?

This whitepaper provides six practical steps healthcare organizations can take to secure sensitive data on remote devices, and examines an application available today that offers a transparent solution for healthcare professionals.

On January 2, 2013, the Department of Health and Human Services (HHS) announced the agency's first HIPAA settlement for a security breach involving fewer than 500 patients [1]. The HHS case against the Hospice of North Idaho (HONI) grabbed headlines because it represented the smallest HIPAA settlement yet in terms of number of patients affected. But perhaps even more significant was just how the breach occurred: HONI reported to HHS that an unencrypted laptop containing 441 of its ePHI records was stolen. Further investigation by the Office for Civil Rights (OCR) revealed that HONI had not implemented policies or procedures to address mobile device security, as required by the HIPAA Security Rule.

1. HHS News Release, January 2013: HHS announces first HIPAA breach settlement involving less than 500 patients (http://www.hhs.gov/news/press/2013pres/01/ a.html).
Is Your Organization HIPAA Compliant Regarding Employee Endpoint Devices?

Although systematic security threats to healthcare organizations' networks often receive more attention, the majority of HIPAA violations are in fact the result of unsecured data on lost and stolen mobile devices. According to a Physicians Practice article, in less than a two-year period (September 2009 through May 2011), OCR reported 116 data breaches of 500+ records attributable to either the loss or theft of a mobile device. Those breaches represented exposed records of nearly 2,000,000 patients [2]. A 2012 HHS analysis found that almost 40 percent of large HIPAA rule violations involved lost or stolen mobile devices.

How did so much ePHI data find its way onto mobile devices, even clinicians' personal mobile devices? For many professionals, personal smart phones, tablets and laptops are more familiar and convenient than company-issued devices. Doctors, nurses and other healthcare professionals, extremely busy and often on the go, likely find it faster and easier to communicate with colleagues and patients over their personal devices. As a Health Research Institute survey of 2,041 physicians found, 81 percent use their personal iPhones, Androids and other mobile devices to access patient records and other ePHI [3]. Any of those exchanges could represent a potential HIPAA violation.

Employees are most likely bringing multiple personal mobile devices into your facilities every day, and these devices are probably not connected to the corporate network, leaving your IT group unable to properly secure them.

The good news is that the proliferation of personal mobile devices, and the risks they pose to patient data and regulatory compliance, have led to the development of data-security solutions specifically for devices that connect through WANs and non-VPN networks. Covered entities need to prepare for the unique security risks inherent in using mobile devices to exchange ePHI. Here are some practical suggestions to help your organization protect ePHI on personal endpoint devices.

2. American Bar Association's Health eSource, October 2011: Healthcare Providers May Violate HIPAA by Using Mobile Devices to Communicate with Patients (http://www.americanbar.org/newsletter/publications/aba_health_esource_home/aba_health_law_esource_1110_barrett.html).
3. Health Research Institute, PwC, October 2011: Old data learns new tricks: Managing patient privacy and security on a new data-sharing playground (http://pwchealth.com/cgi-local/hregister.cgi?link=reg/old-data-learns-new-tricks.pdf).
Six steps healthcare organizations can take today to ensure employee usage of endpoint devices complies with HIPAA, HITECH and the Omnibus Final Rule:

1. Create a dynamic inventory of mobile devices
2. Distribute and enforce password and encryption policies
3. Adopt a tracking/deactivation/remote wipe system
4. Implement a DLP program
5. Maintain separation of personal and professional data on BYODs
6. Balance employee productivity with IT control

Step 1: Create a dynamic inventory of mobile devices

Many hospitals don't maintain an accurate inventory of computing devices, either their own machines or their staff's personal devices. Managing and protecting access to a large organization's corporate network is difficult even under the best circumstances. But without a plan to maintain an up-to-date device inventory, backing up and securing data is impossible.

An IDC Healthcare Insights study, The Second Wave of Clinical Mobility, found that clinicians use 6.4 different mobile devices on an average day [4]. Considering this in light of the statistic mentioned earlier, that 81 percent of doctors use their personal mobile devices to exchange ePHI, you can see how much of your organization's PHI and other sensitive data is regularly outside of your network's control, and likely unsecured or under-secured. It is smart practice, then, to catalog all computing devices that access your organization's network, both onsite and offsite, as well as all employee endpoint devices that they use to access your network or to exchange ePHI.

4. IDC Health Insights, November 2011: The Second Wave of Clinical Mobility: Strategic Solution Investments for Mobile Point of Care (https://idc-community.com/health/healthcare-transformation/the-second-wave-of-clinical-mobility-strategic-sol).
It is also important to keep in mind that this list must be dynamic: employees come and go; new devices are added and removed. Endpoint protection solutions can be effective in keeping the mobile device inventory automatically updated. For example, an employee registers their account and, from a web interface, simply clicks a button to add a new device to the existing set and download the appropriate application for device governance. As part of a defined process, all devices associated with an outgoing employee can be deactivated.

The starting point for a security strategy is recognizing the scope of the security field; today, the IT perimeter extends outside the firewall to all endpoint devices. Then, with the right cloud-based endpoint protection solution (discussed later in this paper), you will be able to easily and continually secure PHI data on those devices, wherever they go.

Step 2: Distribute and enforce password and encryption policies

Password protection on a mobile device is a good idea, but it represents the absolute minimum level of protection, far less than you should demand from staff using their mobile devices to access your network or exchange ePHI. Like locking your car's doors, a password might slow a thief down, but it will not stop him.

Encryption represents a much higher level of security. Staying with our car-theft example, encryption acts like an engine-disablement function, killing the engine upon unauthorized entry. Without the dual decryption keys, the data on a device is inaccessible to anyone attempting to steal it. And this is often where ePHI contained on a mobile device is most vulnerable: the sixth annual HIMSS Health Security Survey found that only just over half (57 percent) of healthcare organizations' IT departments have practices in place for encrypting their staff's mobile devices [5].

Another reason for encryption of mobile-device data: it puts your organization under HIPAA's Safe Harbor for ePHI. That is, if you can prove that you were encrypting PHI data on a lost or stolen mobile device, you do not need to report the incident to HHS. Indeed, in the HHS analysis referred to earlier, which concluded that almost 40 percent of large-scale HIPAA violations involved lost or stolen devices, HHS itself said, "Had these devices been encrypted, their data would have been secured." Again, the right cloud-based endpoint protection solution can provide the documented proof of encryption.

5. Sixth Annual HIMSS Security Survey, February 2014 (http://himss.files.cms-plus.com/2013_himss_security_survey.pdf).
Step 3: Adopt a tracking/deactivation/remote wipe system

Another level of security necessary for protecting ePHI on a mobile device is anytime remote access to the device: to know where it is, and to be able to remove data remotely if it has been compromised. This can be particularly important when a staff member's employment ends but they still have ePHI data on their personal devices.

For tracking, any endpoint device (personal or company-issued) that can exchange your organization's ePHI should be equipped with a GPS or similar tracking and locating mechanism, by which your IT team can locate the device with precision.

Another desirable endpoint-device feature for your organization's security and HIPAA compliance is the ability to remotely wipe a device of critical data (such as ePHI), either at a specific time chosen by your administrators or according to a time-based schedule, such as when the device hasn't synced with your network or your cloud-based endpoint-protection solution for a specified period of time. In addition to the extra PHI security such features offer your organization, implementing geo-location and remote-wipe functionality for all of your endpoint devices also helps bolster your organization's HIPAA compliance, relaxing your HITECH breach-reporting obligations, for example.

Step 4: Implement a Data Loss Prevention program

A Data Loss Prevention (DLP) solution is an essential component of a covered entity's compliance with HIPAA's Security Rule, HITECH and related rules. For full compliance, any DLP solution your organization implements will need to include at least the following two elements:

Visibility into ePHI content across several scenarios and devices. Your DLP program will need to provide your IT and security teams visibility into the exchange of patient records and other PHI data across email, mobile devices (personal and company-issued), peripheral storage and enterprise storage systems.

Administrator control over ePHI through the enforcement of encryption. What is essential here for fully compliant ePHI data management is that your organization has encryption procedures for patient data both in transit (sent by email, text or fax) and in storage (on in-house servers, employee devices, or in cloud-based storage and online backup systems).

In addition to codifying a series of processes to protect sensitive patient (and business) data, implementing the right DLP program also significantly improves your position with regard to the HIPAA Security Rule and HITECH by enabling you to detect breaches as they occur.
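As an added example (not from this paper or from KeepItSafe), the following Python sketch models the mechanics behind steps 1 and 3: a device inventory that queues a wipe for a departing employee's devices, raises an alert when a device misses its sync window, queues a time-based wipe when it stays offline past a longer threshold, and honours an "on hold" state for users on leave. The thresholds, device and owner names, and status names are assumptions, and the wipe itself is represented only as a status change.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum

class Status(str, Enum):
    ACTIVE = "active"
    ON_ALERT = "on_alert"          # missed the sync window; IT is notified
    ON_HOLD = "on_hold"            # user on leave; time-based wipe suppressed
    WIPE_PENDING = "wipe_pending"  # wipe runs the next time the device connects
    WIPED = "wiped"                # device copy removed; backup copy retained

@dataclass
class Device:
    device_id: str
    owner: str
    last_sync: datetime
    status: Status = Status.ACTIVE

class Inventory:
    def __init__(self, alert_after: timedelta, wipe_after: timedelta):
        self.alert_after, self.wipe_after = alert_after, wipe_after
        self.devices = {}          # device_id -> Device

    def register(self, device_id, owner, now):
        self.devices[device_id] = Device(device_id, owner, now)

    def set_hold(self, device_id, on):
        # Suspend or resume time-based wiping, e.g. while the user is on vacation.
        dev = self.devices[device_id]
        if dev.status in (Status.WIPE_PENDING, Status.WIPED):
            raise ValueError("device already queued for wipe or wiped")
        dev.status = Status.ON_HOLD if on else Status.ACTIVE

    def offboard(self, owner):
        # Departing employee: queue a remote wipe for every device they registered.
        queued = []
        for dev in self.devices.values():
            if dev.owner == owner and dev.status != Status.WIPED:
                dev.status = Status.WIPE_PENDING
                queued.append(dev.device_id)
        return queued

    def record_sync(self, device_id, now):
        # Device checked in: a pending wipe executes now; otherwise clear any alert.
        dev = self.devices[device_id]
        dev.last_sync = now
        if dev.status == Status.WIPE_PENDING:
            dev.status = Status.WIPED  # only the device copy; backup stays restorable
        elif dev.status == Status.ON_ALERT:
            dev.status = Status.ACTIVE
        return dev.status

    def evaluate(self, now):
        # Apply the time-based policy; returns (device_id, new_status) per change.
        changes = []
        for dev in self.devices.values():
            if dev.status in (Status.ON_HOLD, Status.WIPE_PENDING, Status.WIPED):
                continue  # held or already-handled devices are never auto-wiped
            idle = now - dev.last_sync
            new = (Status.WIPE_PENDING if idle >= self.wipe_after
                   else Status.ON_ALERT if idle >= self.alert_after else Status.ACTIVE)
            if new != dev.status:
                dev.status = new
                changes.append((dev.device_id, new))
        return changes
```

Running evaluate() on a schedule gives IT the alert-then-wipe progression the paper describes, while a held device is skipped until the hold is released.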
Step 5: Maintain separation between personal and professional data on personal devices

To the extent possible, it is smart practice to encourage staff who use their personal mobile devices for official business to create as many boundaries as possible within those devices between personal and work-related data. For example, if your doctors and nurses use one program on their smart phone or tablet for personal email and a different program for work-related email, that minimizes the chance that a clinician leaves a device in public view (such as on a restaurant table) with their personal email open when an ePHI-related message comes in where a third party might see it. The same process applies to text messaging apps, contact lists and even folders for storing files: encourage your staff to maintain personal and work versions of each.

Additionally, such policies will serve as ongoing reminders for your employees that the email about a surgery appointment update, the photo of a new patient's injury or other medical information are indeed ePHI records and are indeed subject to HIPAA. This will encourage your employees to treat ePHI data they exchange over their personal devices with greater care.

Step 6: Balance employee productivity with IT control

It's important when investigating new IT procedures that you keep in mind your organization's primary mission: to operate successfully while providing outstanding care. Any new data-protection policies or solutions that you implement need to strike the right balance between allowing your team to better secure patient data and allowing your staff the freedom and flexibility to perform at optimal levels. Here are a couple of best practices to achieve that balance:

Make sure your ePHI security measures don't stifle your staff or force them to look for workarounds to avoid them. As you plan to implement an endpoint-protection solution, make sure that installing, tracking and maintaining the solution on your employees' devices doesn't get in their way. Such a solution should be easy to install, requiring little or no effort from your employees, and should continue to operate transparently in the background, continually protecting and securing their ePHI data without needing any active participation from them.

Establish compliance and productivity goals. An endpoint-protection solution, or any other security tool that you implement, will obviously need, at a minimum, to bring your organization into compliance with HIPAA's rules regarding PHI security. But why settle for the minimum? You should insist that your new solution also aid your clinicians in performing their jobs. The right solution will offer such productivity enhancements. As an example, mobile device security can also offer secure file sharing. An ER nurse could share a scanned result with a doctor on call who is on his way to the hospital. Instead of sending the image file as an attachment, with both nurse and doctor using devices registered on the mobile device solution, the nurse could send a link with a 24-hour expiration period to the doctor's device to securely share the information.
How KeepItSafe Mobile Can Help With ePHI Security, Data Loss Prevention, HIPAA Compliance and Enhanced Employee Productivity

KeepItSafe Mobile is an automated, enterprise-class endpoint-protection solution offered as Software as a Service (SaaS). The solution offers secure, rapid data backups and restores to and from a virtual private cloud. The service provides high availability and enterprise-scale recovery point objectives. The service's enterprise-class security is compliant with international standards such as ISO.

How it works

With KeepItSafe Mobile as your organization's endpoint-protection solution, you simply send an email to your employees with a URL to a downloadable KeepItSafe app, asking them to install the app on their endpoint devices. Once employees install the app onto their devices, they're done: the lightweight, nonintrusive KeepItSafe Mobile client begins automatically backing up the device's ePHI data, implementing its DLP program, enabling the user to securely access their shared and backed-up data and to select preferences such as folder selection, as well as allowing your IT team to track the device's physical location in case of loss or theft. Meanwhile, KeepItSafe Mobile is continually backing up your organization's PHI data, encrypting and securing it at multiple physical data-storage locations for redundancy.

The upshot is significant: KeepItSafe Mobile reduces the total economic impact to your enterprise from a lost or stolen endpoint, and brings your ePHI data management into HIPAA compliance.
KeepItSafe Mobile's features

Data encryption

With KeepItSafe Mobile, critical files and folders on laptops and mobile devices can be selected for data encryption to ensure that they are protected with the highest standards. KeepItSafe Mobile uses the endpoint operating system's built-in encryption tools (e.g., Windows Encrypting File System). Selective encryption of files or folders avoids the need for heavy full-disk encryption. Any file on the endpoint device selected for backup is automatically encrypted. This approach is superior to alternatives that require full-disk encryption or placing all files in a single location, either of which is sub-optimal. Encryption and decryption are automated, with no need for any additional user steps. Users logging into their endpoint device automatically have decrypted access to their files.

Securing data in transit

Designed from the ground up with the understanding that endpoints often connect over WANs and VPN-less networks, KeepItSafe Mobile encrypts data in transit with 256-bit SSL encryption, ensuring enterprise-grade security even over unsecured networks.

Securing data at rest

In addition to strict authentication and access control, KeepItSafe Mobile secures stored data with 256-bit AES encryption.

Remote wipe

To prevent a data breach on lost or stolen devices, KeepItSafe Mobile provides remote wipe capabilities that can be applied either by an administrator or by an auto-delete policy. KeepItSafe Mobile DLP's data delete operation wipes all the encrypted data from lost or stolen endpoints, meeting NSA security standards, using two methods:

1. Remote decommission, which allows an admin to remotely wipe data from lost or stolen devices. Once activated through the web-based management console, a decommission process executes as soon as the device comes online and wipes all encrypted data. Data is deleted from the device but not from the enterprise: the data is stored on the KeepItSafe Managed Private Cloud and is available for restore through the KeepItSafe Mobile console.
2. Auto decommission, which allows an admin to configure a time-based auto delete, so an enabled device can self-destruct critical data if the device has not connected with the KeepItSafe Mobile DLP server for a specified number of days. If needed, auto decommission can be disabled. Just like the remote decommission option, all deleted files remain available for restore through KeepItSafe Mobile.
Time-based alerts

The KeepItSafe Mobile DLP also provides time-based alerts, which notify IT when a device has not synced with the server for a preset number of hours or days. IT can then categorize the device as On Alert. Depending on how the alerts are configured, a decommission activity can be initiated. In addition, there is an option, when users go on vacation or want to suspend activities for a while, to put a specific device On Hold and prevent auto-decommission of that device.

Geo-location tracking

KeepItSafe Mobile provides the ability to track the location of devices with an accuracy of 10 to 20 meters at any point in time, providing details such as street, city or state. An embedded software engine uses advanced hybrid positioning algorithms based on data from Wi-Fi access points, GPS satellites and cell towers to keep track of all your endpoints. A familiar Google Maps interface provides a quick view of the coordinates for every endpoint device available on the KeepItSafe Mobile management console. Based on this information, companies can trace a stolen or lost device and/or initiate a data wipe using remote decommission.

Conclusion

So much critical ePHI data in your organization today resides (sometimes exclusively) on laptops, tablets and mobile phones, often clinicians' personal devices. Roughly 81 percent of physicians, for example, use their personal smart phones to exchange ePHI data, and HHS has found that up to 40 percent of HIPAA violations result from PHI data on lost or stolen mobile devices. Given how difficult it is for an IT group to maintain control over so much PHI data spread across so many unsecured mobile devices, and given the high data-breach costs and compliance penalties associated with an unprotected lost or stolen endpoint device, healthcare organizations like yours need to be smart about identifying the right data loss prevention solution.

An ideal choice is a unified solution such as KeepItSafe Mobile that delivers the benefits of both secure backup and DLP (encryption, device tracking and remote deletion). Such a solution will significantly cut down on management complexity while not getting in the way of either your IT team or your employees. Implementing the lightweight, transparent and nonintrusive KeepItSafe Mobile solution, therefore, is smart business all around.

For more information, contact KeepItSafe at KeepItSafe.

KeepItSafe is a registered trademark of j2 Global, Inc.