Mobile Device Security
Presented by Kelly Wilson, Manager of Information Security, LCF Research
New Mexico Health Information Collaborative (NMHIC) and the New Mexico Health Information Technology Regional Extension Center (NM HITREC)
Albuquerque, New Mexico
Live webinar conducted Wednesday, April 17, 2013
2309 Renard Place SE, Suite 210, Albuquerque, New Mexico 87106
MOBILE DEVICE SECURITY

Purpose: You will review the many ways we manage patient information, receive an overview of the newer devices being added to the mix, discuss the ways we should be safeguarding patient information on mobile devices (physical, technical, and administrative controls), and be made aware of the risks of not taking the security of these devices seriously.

Kelly Wilson
Mr. Wilson is the Manager of Information Security for LCF Research. He has 20 years' experience in information technology, including 15 years in healthcare IT. He is the go-to person at LCF for technical HIT security information and solutions for the New Mexico Health Information Collaborative (NMHIC) and the New Mexico Health Information Technology Regional Extension Center (NM HITREC) programs. Prior to joining LCF, Mr. Wilson worked for Presbyterian Healthcare Services for twelve years, as Manager of Information Security for three and a half years and as a Systems Engineer for eight and a half years. While serious about security, Mr. Wilson enjoys taking risks as a skydiving instructor and motorcycle enthusiast.

Disclosure: Everyone in a position to control the content of this educational presentation has disclosed all relevant financial relationships with any commercial interest to LCF Research, the provider of continuing education credits. LCF is occasionally awarded research and educational grant funding from industry and estimates such funding at less than 25% of overall revenue. None of these presenters have any relevant relationships to disclose. All faculty and planning committee members have attested that: 1) the content they contribute will promote improvements in healthcare and not any specific proprietary business interest of a commercial interest, and that 2) content for this activity will be well balanced, evidence-based, and unbiased.
Materials have been reviewed (by a third party where necessary) for validity and bias, and modified where necessary by the course directors and members of the planning committee. Participant feedback about perceived bias towards any commercial entity in the presentation will also be requested.

LCF Research is accredited by the New Mexico Medical Society to provide continuing medical education for physicians. LCF Research designates this live activity for a maximum of 1.0 AMA PRA Category 1 Credit™. Physicians should claim only the credit commensurate with the extent of their participation in the activity. This activity may be acceptable for Nursing and Physician Assistant CE credit if applicability to practice can be shown. Nurses and Allied Health Professionals are encouraged to attend. An Evaluation/Statement of Participation form is required to record CME credit and is requested from all participants. Credit certificates will be e-mailed directly to those completing the evaluation/statement of participation form.

The New Mexico Health Information Technology Regional Extension Center (NM HITREC) is a collaboration of three organizations (LCF Research, HealthInsight New Mexico, and the New Mexico Primary Care Association) that are working together to support healthcare providers throughout the state in achieving meaningful use of electronic health records (EHRs) to improve patient care.

Credit not available for replay.
Mobile Device Security
Kelly Wilson, Information Security Manager, LCF Research / NMHIC, NM HITREC Partner

Introductions: Why are you here?
Patient Data: The Good ol' Days
- FAX
- Phone
- Snail mail
- Sneakernet
- Closed, proprietary EHRs

Patient Data: Today
- Email
- Thumb drives, DVDs, removable media
- Remote access from home/away from the office
- Smart phones, tablets, laptops, home PCs
- Web-based EHRs
- HIE (Health Information Exchanges)
- Mobile devices
Mobile Devices Overview: It's a Box of Radios
- Smartphones: a handheld computer that also makes phone calls.
- Tablets: same as a smartphone, but doesn't make phone calls.
- Bluetooth (wireless audio and/or data).
- WiFi (wireless Internet).
- GPS (Global Positioning System, location to 3 meters).
- 3G / 4G (phone network data connections).
- NFC (Near Field Communication: bump, swipe, pay terminals, etc.).
Turn off radios that are not in use.

Devices Overview: Operating Systems
- Google / Android
- Apple / iOS
- BlackBerry
- Windows Mobile
Mobile Devices Overview: Cool Stuff
- Thousands of apps
- Always online: mobility, the Internet in your pocket
- Easy to use
- Lots of internal memory: a mobile hard drive
- Easy to share stuff
- Stores your email, web and bank accounts and passwords
- Location-based services: maps, directories, retailers

Mobile Devices Overview: Not So Cool Stuff
- Apps designed to share you and your data, with minimal controls.
- Security problems like a regular computer: malware, spam, key loggers.
- Difficult to secure, confusing permission options.
- The bad guys of the Internet want what's in your pocket.
- Stores your email, web and banking accounts and passwords.
- Easier to lose, high rate of theft.
- Unauthorized use.
- Location tracking.
Mobile Devices Overview: Cameras
- Built-in photo and high-def video.
- Location info embedded into photos.
- Barcode readers.
- QR (Quick Response) codes: risks.

Device Risk Management: Mine vs. Yours
BYOD (bring your own device):
- More difficult to secure
- Lack of accountability
- Security left to individuals
- Lack of standard security configurations
- Multiple untrusted users (family, friends)
- Rooting, jailbreaking, unauthorized apps
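The "location info embedded into photos" risk above is concrete: a camera phone writes GPS coordinates into the photo's EXIF block, and the coordinates travel with the file when it is emailed or posted. The following is an added example, not code from the webinar or from any vendor, showing how a defender can detect that metadata and strip it before a photo leaves the organization. It contains a minimal reader for the EXIF GPS directory only; the sample JPEG (built by build_sample_jpeg, with constructed coordinates) carries headers but no image data, so it runs offline.

```python
"""Detect and remove embedded GPS location from a JPEG's EXIF metadata.

Added example (not from the webinar). It implements a minimal EXIF/TIFF
reader for the GPS IFD only, plus a stripper that drops the APP1 Exif
segment. The sample JPEG is constructed in build_sample_jpeg() and holds
no image data, just the headers a real camera photo would carry.
"""
import struct

SOI, EOI = b"\xff\xd8", b"\xff\xd9"
APP1 = 0xFFE1
EXIF_HEADER = b"Exif\x00\x00"
TAG_GPS_IFD = 0x8825                            # IFD0 entry pointing at the GPS IFD
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 1, 2, 3, 4


def _split(jpeg):
    """Split header segments off a JPEG: returns ([(marker, payload)], rest)."""
    if jpeg[:2] != SOI:
        raise ValueError("not a JPEG")
    pos, segs = 2, []
    while pos + 4 <= len(jpeg):
        marker, length = struct.unpack_from(">HH", jpeg, pos)
        if marker in (0xFFDA, 0xFFD9):          # start of scan or end of image: stop
            break
        segs.append((marker, jpeg[pos + 4:pos + 2 + length]))
        pos += 2 + length
    return segs, jpeg[pos:]


def _read_ifd(tiff, offset, fmt):
    """Decode one IFD into {tag: value}; handles ASCII, LONG and RATIONAL types."""
    (n_entries,) = struct.unpack_from(fmt + "H", tiff, offset)
    entries = {}
    for i in range(n_entries):
        tag, typ, count, value = struct.unpack_from(fmt + "HHI4s", tiff, offset + 2 + 12 * i)
        if typ == 2:                            # ASCII, stored inline when it fits in 4 bytes
            if count > 4:
                (off,) = struct.unpack(fmt + "I", value)
                raw = tiff[off:off + count]
            else:
                raw = value[:count]
            entries[tag] = raw.rstrip(b"\x00").decode("ascii", "replace")
        elif typ == 4 and count == 1:           # LONG
            (entries[tag],) = struct.unpack(fmt + "I", value)
        elif typ == 5:                          # RATIONAL: `count` uint32 pairs at offset
            (off,) = struct.unpack(fmt + "I", value)
            flat = struct.unpack_from(fmt + "II" * count, tiff, off)
            entries[tag] = [(flat[2 * k], flat[2 * k + 1]) for k in range(count)]
    return entries


def _dms_to_degrees(dms, ref):
    """Degrees/minutes/seconds rationals -> signed decimal degrees."""
    deg = sum((n / d if d else 0.0) / 60 ** k for k, (n, d) in enumerate(dms))
    return -deg if ref in ("S", "W") else deg


def gps_coordinates(jpeg):
    """Return (lat, lon) in decimal degrees if the photo carries GPS EXIF, else None."""
    for marker, payload in _split(jpeg)[0]:
        if marker != APP1 or not payload.startswith(EXIF_HEADER):
            continue
        tiff = payload[len(EXIF_HEADER):]
        fmt = "<" if tiff[:2] == b"II" else ">"  # byte order from the TIFF header
        (ifd0_off,) = struct.unpack_from(fmt + "I", tiff, 4)
        ifd0 = _read_ifd(tiff, ifd0_off, fmt)
        if TAG_GPS_IFD not in ifd0:
            return None
        gps = _read_ifd(tiff, ifd0[TAG_GPS_IFD], fmt)
        if GPS_LAT in gps and GPS_LON in gps:
            return (_dms_to_degrees(gps[GPS_LAT], gps.get(GPS_LAT_REF, "N")),
                    _dms_to_degrees(gps[GPS_LON], gps.get(GPS_LON_REF, "E")))
    return None


def strip_exif(jpeg):
    """Rebuild the JPEG without its APP1 Exif segment; image data is left untouched."""
    segs, rest = _split(jpeg)
    out = bytearray(SOI)
    for marker, payload in segs:
        if marker == APP1 and payload.startswith(EXIF_HEADER):
            continue
        out += struct.pack(">HH", marker, len(payload) + 2) + payload
    return bytes(out + rest)


def build_sample_jpeg(lat_dms, lat_ref, lon_dms, lon_ref):
    """Constructed demo file: SOI, one APP1 Exif block with a GPS IFD, EOI."""
    ifd0_off = 8
    gps_off = ifd0_off + 2 + 12 + 4             # after IFD0 (1 entry + next-IFD link)
    lat_off = gps_off + 2 + 4 * 12 + 4          # after GPS IFD (4 entries + link)
    lon_off = lat_off + 3 * 8                   # after the three latitude RATIONALs

    def rationals(dms):
        return b"".join(struct.pack("<II", n, d) for n, d in dms)

    ifd0 = struct.pack("<H", 1) + struct.pack("<HHII", TAG_GPS_IFD, 4, 1, gps_off) + struct.pack("<I", 0)
    gps = struct.pack("<H", 4)
    gps += struct.pack("<HHI", GPS_LAT_REF, 2, 2) + lat_ref.encode() + b"\x00" * 3
    gps += struct.pack("<HHII", GPS_LAT, 5, 3, lat_off)
    gps += struct.pack("<HHI", GPS_LON_REF, 2, 2) + lon_ref.encode() + b"\x00" * 3
    gps += struct.pack("<HHII", GPS_LON, 5, 3, lon_off)
    gps += struct.pack("<I", 0)
    tiff = b"II*\x00" + struct.pack("<I", ifd0_off) + ifd0 + gps + rationals(lat_dms) + rationals(lon_dms)
    payload = EXIF_HEADER + tiff
    return SOI + struct.pack(">HH", APP1, len(payload) + 2) + payload + EOI


if __name__ == "__main__":
    # Constructed coordinates near Albuquerque: 35 deg 5' 3.84" N, 106 deg 39' 1.44" W
    photo = build_sample_jpeg([(35, 1), (5, 1), (384, 100)], "N",
                              [(106, 1), (39, 1), (144, 100)], "W")
    print("before:", gps_coordinates(photo))
    print("after: ", gps_coordinates(strip_exif(photo)))
```

strip_exif removes the whole Exif block rather than editing out only the GPS entries, because the simplest way to be sure no location data survives is not to carry the directory at all; the entropy-coded image data after the headers is copied through unchanged. A real photo from a phone camera can be passed straight to gps_coordinates to confirm whether the device is embedding location.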
Mobile Device Risk Management: Company issued/controlled
- Documented security policies
- Authorized applications
- Authorized users
- Managed security configurations (Exchange ActiveSync, Apple MDM)
- Password strength/quality, auto screen lock, login failure lockouts
- Device and removable media encryption, anti-malware
- Security logging

Mobile Device Risk Management (cont.): Administrative Safeguards
45 CFR Part 160 Subpart C -- 164.306 Security Standards: General rules:
- Ensure the confidentiality, integrity, and availability of protected health information.
- Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
Mobile Device Risk Management (cont.): 164.30 Administrative Safeguards
- Risk analysis and risk management
- Risk assessment guidelines: NIST 800-30 & NIST 800-39
- Policies and procedures: What should a policy cover? What should a procedure cover?
- End user training

Mobile Device Risk Management (cont.): 164.312 Technical Safeguards
- Passwords, screen locks, swipe codes
- Encryption: data in motion, data at rest
- VPN: virtual private networks
- Anti-virus, anti-malware, phishing protection
- Loss/theft: "Find Me" apps, remote device wipe
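The "managed security configurations" bullet and the technical safeguards list together describe what an MDM or Exchange ActiveSync policy actually enforces: passcode quality, auto screen lock, login-failure lockout, encryption, a supported OS, and no rooted devices or unauthorized apps. The following is an added example, not the webinar's material and not any MDM vendor's code, that evaluates a constructed device inventory against such a policy and produces the findings an administrator would use to block a non-compliant device from mail or EHR access. The Policy and Device field names, the thresholds, and the three sample devices are all assumptions made for the demo.

```python
"""Evaluate mobile devices against a managed security configuration.

Added example (not from the webinar and not any MDM vendor's code): a small
compliance check of the kind an MDM or an Exchange ActiveSync mailbox policy
enforces. The policy thresholds and the device inventory are constructed
for this demo; names and field layouts are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    min_passcode_length: int = 6
    require_alphanumeric: bool = True      # letters and digits, not a PIN only
    max_autolock_minutes: int = 5          # screen must lock within this idle time
    max_failed_attempts: int = 10          # lock or wipe after this many failures
    require_encryption: bool = True
    min_os_version: tuple = (6, 1)         # (major, minor) the organization still patches
    approved_apps: frozenset = frozenset({"ehr-client", "secure-mail", "vpn"})


@dataclass(frozen=True)
class Device:
    name: str
    passcode_length: int
    passcode_alphanumeric: bool
    autolock_minutes: int          # 0 means "never locks"
    failed_attempts_limit: int     # 0 means no lockout configured
    encrypted: bool
    os_version: tuple
    jailbroken: bool
    installed_apps: frozenset


def evaluate(device, policy):
    """Return the policy findings for one device; an empty list means compliant."""
    findings = []
    if device.jailbroken:
        findings.append("rooted/jailbroken: OS security controls cannot be trusted")
    if device.passcode_length < policy.min_passcode_length:
        findings.append(f"passcode too short: {device.passcode_length} < {policy.min_passcode_length}")
    if policy.require_alphanumeric and not device.passcode_alphanumeric:
        findings.append("passcode is numeric only")
    if device.autolock_minutes == 0 or device.autolock_minutes > policy.max_autolock_minutes:
        findings.append(f"auto screen lock not within {policy.max_autolock_minutes} minutes")
    if device.failed_attempts_limit == 0 or device.failed_attempts_limit > policy.max_failed_attempts:
        findings.append(f"login-failure lockout missing or above {policy.max_failed_attempts} attempts")
    if policy.require_encryption and not device.encrypted:
        findings.append("device storage not encrypted")
    if device.os_version < policy.min_os_version:
        findings.append("OS version below the supported minimum")
    unauthorized = sorted(device.installed_apps - policy.approved_apps)
    if unauthorized:
        findings.append("unauthorized apps: " + ", ".join(unauthorized))
    return findings


def report(devices, policy):
    """Map device name -> findings so non-compliant devices can be blocked from mail/EHR access."""
    return {d.name: evaluate(d, policy) for d in devices}


# Constructed inventory: a compliant corporate tablet, a BYOD phone with several
# gaps, and a corporate phone whose only problem is a jailbreak.
SAMPLE_DEVICES = [
    Device("corp-tablet-01", 8, True, 2, 10, True, (6, 1), False, frozenset({"ehr-client", "vpn"})),
    Device("byod-phone-07", 4, False, 15, 0, True, (6, 1), False, frozenset({"secure-mail", "flashlight-free"})),
    Device("corp-phone-02", 8, True, 5, 10, True, (6, 1), True, frozenset({"secure-mail"})),
]

if __name__ == "__main__":
    for name, findings in report(SAMPLE_DEVICES, Policy()).items():
        print(f"{name}: {'COMPLIANT' if not findings else 'BLOCK'}")
        for finding in findings:
            print("  -", finding)
```

Every check is a comparison against an explicit policy object rather than a hard-coded constant, which is the documented-policy point from the slide: tightening a requirement (for example Policy(min_passcode_length=10)) changes the findings without touching the evaluation logic, and the report output is the evidence a risk analysis under 164.30 would ask for.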
Security and Privacy
- Most common threat to data loss = people. Why? Too hard, or they just think it doesn't apply to them.
- Hundreds of thousands of mobile devices are lost or stolen every year.
- Puts the business at risk: large fines, consumer/patient confidence.

Resources:
- U.S. Computer Emergency Readiness Team (US-CERT): http://www.us-cert.gov
- National Institute of Standards and Technology (NIST): http://www.nist.gov/information-technologyportal.cfm
- U.S. Department of Health & Human Services: http://www.hhs.gov/ocr/privacy/hipaa/administrative/enforcementrule/index.html
Mobile Security References:
- Threatpost: http://threatpost.com
- Naked Security: http://nakedsecurity.sophos.com
- McAfee Mobile Security: http://blogs.mcafee.com/tag/mobile-security
- FCC Smartphone Security Checker: http://www.fcc.gov/smartphone-security
- Crimecatchers (stats): http://blogs.absolute.com/crimecatchers/mobile-theft-the-facts/
- Apple Mobile Device Management: http://www.apple.com/iphone/business/it-center/deploymentmdm.html

Mobile Device Security: What's best for you?
Mobile Device Security Tips
- Learn to read and understand Terms of Service and app permissions.
- Don't download any uninvited app or respond to any unknown texts or email.
- Decide on a password no one could possibly guess. Include special characters and at least one number. Write it down in a safe place. Change your passwords every few weeks.
- Get the best security software you can get for your device and learn how to configure and use it.

Mobile Device Security Tips (continued)
- Don't make purchases on your mobile device on public Wi-Fi, and only make financial transactions on secured sites.
- Keep your phone locked when you're out and about, and don't lend it out.
- Keep your apps and device software up to date.
- If you don't need/use it, delete it.
- Don't let your device record anything you don't want made public.
Questions?
www.nmhitrec.org
(505) 938-9900

This material was prepared by the New Mexico Health Information Technology Regional Extension Center (NM HITREC) as part of its work as the Regional Extension Center for New Mexico, under grant #90RC0028/01 from the Office of the National Coordinator for HIT, U.S. Department of Health and Human Services.
NMHITREC-13 4/15/2013