The Need for Advanced Mobile Device Management and Full Disk Encryption in Healthcare. A MainNerve Whitepaper




Overview

Data security in the healthcare industry has never been as challenging as it is today. Not only must healthcare providers comply with HIPAA and HITECH regulations concerning patient privacy and electronic data security, they must also guard against identity theft as well as more complex scenarios of insurance data theft, medical identity theft and the adulteration of health records.

In addition, the latest information technology (from smartphones and tablets, easily portable laptops, CDs, and USB "flash" drives, also called memory sticks, to e-mail, the internet, and shared networks), while streamlining work for healthcare practitioners and administrators and helping with the free flow of information so vital to quality patient care, is also opening new avenues of risk for security breaches. At the global level, a maze of differing regulations and varying levels of IT infrastructure across countries creates additional challenges for data security and patient privacy, as well as for cross-border transactions.

Fortunately there are solid and proven technologies that any healthcare organization can implement to secure their data, helping them comply with HIPAA/HITECH and dealing with the other security issues they face. Paramount among these are Mobile Device Management and Disk Encryption.

Mobile Device Management (MDM): BYOD at work. The benefits are tremendous and proven. So are the risks. MDM extends controls to employees' devices so that they remain productive and secure: turn on built-in encryption, remotely wipe data, and impart powerful security measures like mobile antivirus and more.

Disk Encryption: Very simply put, encryption is a way of "scrambling" the information on a disk so that only authorized users can "unscramble" it. Even if an encrypted computer or drive were stolen, the information on it would not be accessible, appearing merely as "gibberish". You can encrypt the data on a file, a particular drive (for example, a portable memory stick), or the full disk (called Full Disk Encryption). Most importantly, Disk Encryption is generally considered to meet HIPAA and HITECH requirements for data protection.

Simple enough for a local doctor's office to implement, yet robust enough to meet the demands of a major healthcare center, Mobile Device Management and Disk Encryption, taken together, form the basis of a solid security framework that addresses many of the most pressing concerns in healthcare today.

The Unique Security Challenges in Healthcare

Complying with HIPAA

Since the passage of the Health Insurance Portability and Accountability Act (HIPAA) in 1996 - intended to deal systematically with the privacy of patients' medical and personal information - healthcare organizations from local physicians' offices to world-class hospitals have been making major changes, both administratively and technologically, to ensure compliance.

In addition to HIPAA's major focus on the privacy of all patient information, the Administrative Simplification (AS) provisions in Title II of HIPAA go even further with regard to electronic data, establishing national standards for the exchange of electronic data that seek to increase efficiency and accuracy as well as to ensure the security and privacy of the electronic data. Both the privacy regulations and the security rules have substantial compliance ramifications for providers.

But the HIPAA regulations, while explaining overall requirements and recommendations, do not detail exactly how a healthcare organization should comply. That leaves each healthcare organization to devise an approach and implement those technological solutions that it feels will most effectively help it comply fully with HIPAA's privacy and electronic data security requirements.

And because fines for violating HIPAA regulations can be stringent - and the intangible costs of negative public relations, especially for hospitals, medical centers and insurers, can be staggering - complying with HIPAA is a major concern for healthcare organizations of any size. Although the deadlines for HIPAA compliance have passed, many organizations from small practices to major health centers are still planning their compliance strategies.
Consider the following handful of actual cases involving lost or stolen computers, laptops, drives and memory sticks:

In an ironic twist, computers with 60,000 patient records were stolen from the San Jose Medical Group - just weeks before the deadline for HIPAA compliance. [1]

In an embarrassing incident in 2008, the National Institutes of Health (NIH) reported the theft of a laptop with confidential records of 3,000 patients, including those of Representative Joe Barton of Texas, a founder of the Congressional Privacy Caucus with congressional responsibility for the NIH. [2]

In the first six months of 2008 alone, there were reported incidents of stolen laptops, computers and drives with unencrypted data affecting thousands of patients, among them Health Net (5,000 records), Fallon Community Health Plan (30,000 records), Memorial Hospital of South Bend Indiana (4,300 records), Lifeblood (321,000 records), Blue Cross and Blue Shield of Western New York (40,000 records), National Institutes of Health (4,359 records), Presbyterian Intercommunity Hospital of Whittier California (5,000 records), and HealthSpring, Inc. (9,000 records). [3]

If Full Disk Encryption or even Drive Encryption or proper Password Protection had been in place on the stolen equipment, the ramifications of these incidents would have been drastically reduced.

HITECH: Data Breach Notification Rule

The HITECH Act, passed in 2009, promotes the adoption and meaningful use of health information technology, and addresses privacy and security concerns by strengthening the civil and criminal enforcement of HIPAA. It includes but is not limited to [4]:

An increase of penalties to a maximum of $1.5 million.
Imposition of penalties even if a covered entity was unaware of a data breach.
The introduction of the Breach Notification Rule.

In particular, many HIPAA experts view the Breach Notification Rule as the chief element that impels encryption and other data security practices in healthcare settings. The current implementation of the notification rule requires covered entities to report any data breaches involving 500 or more patients to the Department of Health and Human Services (HHS) within 60 calendar days of their discovery. Once it receives a report, HHS is enjoined to publicize the breach on its website. Furthermore, the covered entity must notify the people whose PHI was affected, or risk fines and other penalties. Health information protected by encryption, however, is given safe harbor from the rule, ensuring that these lamentable but oft-occurring incidents do not negatively impact organizations.

Other Unique Challenges for Data Security and Privacy in Healthcare

Demanding as it is, complying with HIPAA and HITECH is not the only challenge the healthcare sector faces when meeting its data privacy and security needs. Other challenges include:

Need for Secure Data Sharing: To achieve effective and prompt care, as well as streamline costs and administrative efforts, organizations and practitioners routinely share a patient's health record. In fact, the US Department of Health and Human Services estimates that approximately 150 different persons handle a patient's medical record during a single hospitalization. [5] Already approximately 20% to 25% of hospitals are up and running with electronic records systems, as are nearly 15% to 20% of doctors' offices. [6] And that number will probably skyrocket when Congress passes the Health IT Bill, which encourages and sets standards for electronic data sharing. Obviously, patient data that is shared so widely and routinely needs a high level of protection that also enables safe sharing, such as Drive Encryption, which can protect portable memory sticks, and Password Protection, which can be used to secure files that need to be sent by e-mail or over the internet.

Tempting Target for Identity Theft: Medical records have also proven to be an especially tempting target for simple identity theft. Many patient records include name, date of birth, and Social Security Number (often as part of an insurance ID) along with other details that provide all the information that identity thieves seek, conveniently located in one place. Theft of health records for any purpose is still considered a major HIPAA breach. Full Disk Encryption and/or Drive Encryption not only help meet HIPAA compliance but protect against identity theft as well.

Portable Technology - Opportunity as well as Risk: Increasingly practitioners and organizations - like most businesses in many sectors - are relying on small and portable technology such as smartphones, tablets, laptops, and USB "flash" drives (also called memory sticks) to make their work easier and more effective. Easy to carry between the office, hospital and home, or on the road to an important seminar or conference, the same features that make these devices so useful to the busy healthcare practitioner or administrator make them prone to loss and theft and, if not protected properly, to HIPAA breaches and identity theft. Across all industries, a large percentage of security breaches are directly related to lost or stolen smart devices, laptops, and USB drives. Once again, it is clear that Drive Encryption is a must for portable computers and storage devices in the healthcare environment.

Insurance Identity Theft: Occasionally medical records are mined for insurance identities, which are then stolen and sold so that uninsured individuals in need of serious medical attention can gain access to the healthcare system. The "patient" could ostensibly receive medical care based on the medical information in the stolen records, rather than on the actual medical condition, and the result could be a matter of life and death. By preventing access to the information, password protection and drive encryption close this potentially life-threatening gap as well.

Lost, Stolen, or Adulterated Records and Malpractice: Physicians and hospitals must not only protect their patients, they must occasionally also protect themselves in unfortunate cases of malpractice. Lost, stolen or adulterated records (records that can be shown to be changed or compromised in some way during the course of a patient's treatment, even if the records were not lost or stolen) pose a serious malpractice threat. In addition, electronic records which are not disposed of properly (for example, a memory stick which is simply thrown away or erased and reused) can open the door to a security breach. With the costs of malpractice insurance rising, and the risk of enormous awards quite real, protecting electronic data from adulteration is a necessity for every practitioner and organization. Proper encryption and password protection secure your records against adulteration as well as loss or theft.
The Global Scene: A Maze of Differing Situations and Regulations

As challenging as data privacy and security compliance requirements in the healthcare arena seem in the US, in other parts of the world the situation can seem even more daunting. Different nations and regions currently have differing levels of regulations, differing cultures concerning regulation and privacy, and differing levels of development in the underlying healthcare and information technology infrastructure. The following examples provide a glimpse into this global maze.

European Union: Despite the existence of major regulations concerning privacy of healthcare records in the European Union (EU), such as the EU Directive on Data Protection 95/46/EC and the EU Directive on Personal Data in Electronic Communications 02/58/EC, each country in the EU has its own implementation of the basic principles of the EU regulations. Data protection regulation in the EU is general, rather than targeted to a specific industry; each member country and industry is responsible for providing "adequate" data protection. Recent EU legislation has been focusing on the need for more stable IT infrastructure as well as improved patient data safety.

United Kingdom: Data security and privacy issues in the UK, governed by the Data Protection Act, are undergoing serious re-evaluation, having recently been shaken by several large and serious security breaches. The National Health Service (NHS) at Dumfries and Galloway reported two lost USB flash drives that were not properly encrypted. Other locations reported 67, 32, 24, 21 and 15 cases respectively. An unofficial survey of doctors at a leading London hospital, reported in the Health Service Journal, revealed that 75% of the doctors carried unsecured USB flash drives with confidential data. [7] The loss of personal confidential data has ignited such public outrage in the UK that various patients' groups have launched a campaign to tighten security at the NHS. Many, though not all, of the breaches involved electronic data that was not sufficiently protected or encrypted. [8]

The Pacific Rim: The countries of the Pacific Rim provide a kaleidoscopic snapshot of challenge and opportunity with regard to healthcare and electronic data privacy. In 2005 Japan tightened protection on the handling of personal data which, although not mentioning health records directly, has had a direct impact on electronic data in the healthcare sector. In Australia, which has one of the more advanced security scenarios of the Pacific Rim nations, the large-scale trial of a new system in 2006 using electronic health records (called Health elink) raised serious concerns about the overall privacy issues and risks that are still being debated. And in Singapore, a massive government effort is underway to transform the healthcare delivery system using IT as its base. With its first initiative of implementing electronic medical records well underway, the Singaporean system is now turning serious attention to establishing IT standards and a legislative framework for data protection.

Cross-Border Healthcare Transactions: In addition to the challenges faced within the various countries, healthcare records increasingly "cross borders", not only with patients traveling out of their own country for care, but with test samples routinely sent across borders for evaluation and results returned to the countries of origin. Complex "Safe Harbor" agreements, which create basic standards for adequate data protection, exist to help facilitate the necessary transactions, but the burden still rests with the healthcare organization to meet the adequate data protection standards for their own country and any countries they are dealing with.

The MainNerve Solution: Mobile Device Management and Full Disk Encryption

MainNerve, a leader in web-based secure mobile device management and disk encryption service for enterprises of any size that want highly-scalable, cost-effective, but easy-to-deploy encryption and security software, has solutions for your unique data protection needs. With Mobile Device Management, Disk Encryption, and Password Protection working together, you can comply with HIPAA and HITECH as well as protect your organization from the other very real risks faced in today's healthcare environment.

MainNerve's Password Protection

MainNerve uses a Password Protection technology called "pre-boot authentication", sometimes also called "power-on authentication". This means a user must enter their username and password the very moment their computer or laptop is turned on, before Windows (or any other operating system on the computer) is even loaded. If the wrong password is entered, the computer locks up and cannot be used.

Authentication that takes place after the computer has started and Windows or the other operating system has loaded is vulnerable to hacking. This is because a hacker could use the operating system itself to get around the password protection. Pre-boot authentication is safer because it operates at a lower level than the operating system itself; hackers can no longer bypass the operating system to gain access to the computer.

By providing protection at the pre-boot level, pre-boot authentication serves as the foundation of Disk Encryption - without the password, you cannot access the computer at all.

MainNerve's Disk Encryption Solutions

MainNerve provides Disk Encryption of the highest order: industry-leading encryption with the pre-boot authentication for laptops described above. Furthermore, BYOD devices like smartphones and tablets can also be secured via its easy-to-use mobile device management (MDM) suite.

Disk Encryption Software

MainNerve's Disk Encryption Software enables Full Disk Encryption; that is, software you can use to encrypt an entire drive, using 256-bit encryption. For example, you could encrypt the hard drive on a computer, a CD, or a memory stick. This type of Full Disk Encryption offers some unique benefits that might not be immediately apparent.

Once Full Disk Encryption is in place, the drive cannot be "slaved" into another PC. Slaving a drive is a way of adding the drive as a secondary or subordinate drive on a separate computer and thereby gaining access to the information on the slave drive. With Full Disk Encryption in place it becomes impossible to use the encrypted drive as a slave drive.

Full Disk Encryption is so powerful that it is considered the method of choice to "erase" information on an unused or outdated drive. Because the encrypted information is inaccessible, it is safer to encrypt the undesired drive than to try to destroy or dispose of it.

With Full Disk Encryption, your data is effectively protected against theft: even if your laptop or computer is stolen, only the hardware is lost. The health records and personal patient data on the stolen device are safe and secure, and you and your organization are protected from the cost and headaches of dealing with a major security breach.

MainNerve's cloud-based solution enables finance companies to deploy, secure, and manage over one million devices from a central console within minutes. "Device agnostic" support for better frontline efficiency and protection from platform over-dependency, keeping information safe and secure.

Mobile Device Management, Encryption, and Security

Often termed BYOD, consumerization of IT, or CYOD (Choose Your Own Device), healthcare organizations are increasingly adopting mobile devices like smartphones and tablets to create dynamic, mobile workforces. These devices promise and deliver real productivity gains that healthcare organizations cannot afford to ignore. Yet, incursions into the mobile workplace have shown that security concerns are very real.

Regaining control and enabling PHI security, then, is of paramount importance; however, it requires facing challenges that are not a healthcare organization's core competency. There are logistical, technological, and even budgetary challenges that are foreign to those making the foray into a secure mobile workspace. Gaining the required experience is, for most companies, beyond the scope of their objectives and considered an improper use of resources.

Regaining control and leveraging the mobile computing trend need not be an insurmountable challenge, however. MainNerve empowers healthcare IT with control over Apple, Android, BlackBerry, and Windows devices without crippling the bottom line or making security compromises.

MainNerve's cloud-based solution enables healthcare organizations to deploy, secure, and manage over one million devices from a central console within minutes. "Device agnostic" support for better frontline efficiency and protection from platform over-dependency, keeping information safe and secure for patients and hospitals or doctors alike.

IT can also expect the easiest-to-use, most powerful management console on the market today that delivers a complete security and compliance overview, because MainNerve provides visibility as to who has sensitive data and the ability to lock down that data, at any given moment, when it may be compromised or lost.

Conclusion

Mobile Device Management and Disk Encryption, such as those offered by MainNerve, enable healthcare organizations to meet HIPAA and HITECH requirements as well as confront other risks faced in today's IT environment, at the same time encouraging the free flow of patient information, improving patient care and reducing costs while protecting patient privacy and ensuring data security.

References

[1] "Computers with Patient Data Stolen on Eve of HIPAA Compliance Rules," Information Week, April 13, 2005.
[2] "NIH Security Breach Includes Data on US Rep," FierceHealth IT Weekly News for Health IT Leaders, April 7, 2008; http://www.fiercehealthit.com/story/nih-security-breach-includes-data-on-u.s.-rep/2008-04- 7
[3] http://www.privacyrights.org/ar/chrondatabreaches.htm
[4] http://www.hhs.gov/ocr/privacy/hipaa/administrative/enforcementrule/hitechenforcementifr.html
[5] "At risk of exposure: In the push for electronic medical records, concern is growing about how well privacy can be safeguarded," Los Angeles Times, June 26, 2006; http://articles.latimes.com/2006/jun/26/health/he-privacy26
[6] "Bill Seeks National Medical Records System," Los Angeles Times, August 13, 2006; http://articles.latimes.com/2006/aug/13/nation/na-privacy13
[7] "Medics put patient data at risk," BBC News, September 4, 2008 and "Doctors memory sticks threaten data security," Health Service Journal, September 4, 2008.
[8] "NHS hit by new data losses," Scotland on Sunday, August 24, 2008.