
While the security landscape has changed drastically across all industries, nowhere has this been felt more acutely than in healthcare. Today, sensitive patient data is easily copied onto mobile devices and removable media that also have access to internal networks: laptops and USB drives, CDs, DVDs and SD memory cards, and even smartphones. Anywhere, anytime access is convenient for patient care, but this free-roaming data poses a serious risk to data security.
And while employees who use mobile devices have contributed to a weakened security perimeter, the responsibility for protecting patient data rests squarely with the healthcare organization. The reality is that the growing complexity of the security landscape is stretching organizations' ability to protect data to the breaking point.
At the same time, the regulatory landscape is growing more complex, even as data breaches and theft increase in frequency and scope, and data stored on removable media contributes to the problem. In the United States, the Department of Health and Human Services (HHS) has reported that a large share of the breaches reported under HIPAA/HITECH involve portable electronic devices.
Security Challenges
Securing removable media is an ongoing challenge for a number of reasons, including:
A Vast Range of Devices
Employees store sensitive data on an array of mobile devices, including USB drives, other removable media and smartphones. How can a healthcare organization begin to protect the data on every one of them? To reduce this complexity, organizations should look for a data protection solution that automatically encrypts data and enforces security policies across all device types: desktops, notebooks, handhelds, USB flash drives and CD/DVDs.
Shared Systems
Often several employees share access to a single system, and some users need more data access than others. This work model introduces security and management challenges, especially when people copy information from the shared system onto various forms of removable media. Healthcare institutions must deploy a data security solution that lets users access and store the PHI they need while enforcing the encryption policies that protect against unauthorized access and data breaches.
User Resistance
Users of removable media are used to transporting and transferring data easily and may resist security restrictions, citing disruptions to work and productivity. It is therefore essential that healthcare organizations educate workers about data security and select a non-disruptive solution that encrypts transparently, without hurting end-user productivity or interfering with patient care.
Management Costs
The cost of securing mobile devices continues to mount as management, end-user support and adequate auditing and reporting become more challenging. For instance, helping users regain access after a forgotten password is time-consuming, and securing the vast volumes of data stored on ever-larger USB drives can be complex. To keep costs under control, healthcare organizations should select a solution built for ease of management and centralized control.
Options for Securing Mobile Devices
Today healthcare organizations have a variety of options for encrypting data on removable media. The right approach to data security depends on the organization, its size and the complexity of data storage and accessibility requirements. Following are some approaches to addressing data security.
Prohibit the use of any removable media device at all. This extreme approach is only sensible where extremely sensitive data is stored, or for systems located in public areas.
Use only self-encrypting devices. This method can be cost-prohibitive, and it does not address many management challenges, such as users bringing their own devices.
Secure some or all data on removable media using specialized software. This method lets the healthcare organization set user-specific policies according to roles within the organization. Policies can enforce encryption broadly or be made more granular at the user, device, application or file-type level. In addition, organizations may choose to allow data to be read only on secure systems within the corporate network, or to permit access from any location, depending on the user.
Common Challenges in Data Security Management
Following are two common occurrences that should be addressed in any data security strategy.
Users forget their passwords, and with them the encryption keys those passwords protect. Because this mishap is common, the removable media encryption method must include a way to recover access when the password is forgotten. Usually the help desk authenticates the user through some form of challenge/response (for example, pre-registered questions) before applying a recovery key that is held centrally. Because such questions are weaker than a password, the recovery event should be logged and the user's password reset as part of it. Key recovery serves both end-user productivity and IT's need to keep protected data accessible.
Users lose devices all the time. Because replacing mobile devices, especially USB flash drives, is cheap, users rarely report lost or stolen ones. To ensure sensitive data stays protected if a third party finds the device, healthcare organizations should consider enforcing a "cool down" period after each failed password attempt, growing with every consecutive failure, which severely slows a brute-force attack against the password. A stricter alternative is to have the device destroy its own key material after a set number of failed attempts. This renders the data unreadable until the device is brought back into the corporate network and restored with the centrally held recovery key. Note that a cooldown enforced only by host software does not stop an attacker who images the device and guesses offline; a slow key derivation function or a hardware-enforced attempt counter is needed against that attack.
To address these common scenarios, healthcare organizations are well advised to choose a solution that works with routine IT operations such as patch management and application upgrades, and that lets the help desk resolve end-user problems immediately, including forgotten passwords, lost devices and data recovery.
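The two mechanisms above (a growing cooldown after failed attempts, key destruction after a set number of failures, and help-desk recovery from an escrowed key) can be made concrete in a small simulation. The following is an added example written for this page; it is not code from the original article or from any product it describes. The names Device, unlock, wipe_user_slot and recover are hypothetical, the clock value `now` is a constructed input rather than the system time so the cooldown can be checked deterministically, and the XOR key wrap under a freshly derived key stands in for the authenticated key wrap (e.g. AES-KW) a real product would use.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional, Tuple

# Hypothetical design (added example, not a real product): an encrypted
# removable-media container whose unlock path throttles password guesses,
# destroys its user-password slot after too many failures, and can be restored
# by the help desk from a centrally escrowed recovery key.

KEY_LEN = 32
MAX_FAILURES = 5        # wipe the user slot on the fifth consecutive failure
BASE_COOLDOWN = 2.0     # seconds after the first failure; doubles each time


def derive_kek(secret: bytes, salt: bytes) -> bytes:
    """Memory-hard KDF so that each guess, online or offline, is expensive."""
    return hashlib.scrypt(secret, salt=salt, n=2**14, r=8, p=1, dklen=KEY_LEN)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wrap(data_key: bytes, kek: bytes) -> Tuple[bytes, bytes]:
    """Wrap the data key under a KEK and return (wrapped_key, verifier).

    One-time XOR under a fresh KDF output is used for brevity; a product would
    use an authenticated key wrap such as AES-KW.
    """
    return xor_bytes(data_key, kek), hmac.new(kek, b"verify", hashlib.sha256).digest()


def kek_matches(kek: bytes, verifier: bytes) -> bool:
    """Constant-time check that a derived KEK is the one that wrote the slot."""
    return hmac.compare_digest(hmac.new(kek, b"verify", hashlib.sha256).digest(), verifier)


class Device:
    """State stored on the removable medium; the data key itself never is."""

    def __init__(self, password: bytes, recovery_key: bytes):
        data_key = secrets.token_bytes(KEY_LEN)
        self.user_salt = os.urandom(16)
        self.recovery_salt = os.urandom(16)
        self.wrapped, self.verifier = wrap(data_key, derive_kek(password, self.user_salt))
        self.recovery_wrapped, self.recovery_verifier = wrap(
            data_key, derive_kek(recovery_key, self.recovery_salt))
        self.failures = 0
        self.locked_until = 0.0   # clock value before which unlock refuses to run
        self.wiped = False

    def unlock(self, password: bytes, now: float) -> Optional[bytes]:
        """Return the data key, or None on a wrong password or a wiped slot.

        `now` is an injected (constructed) clock value instead of time.time()
        so the cooldown is deterministic; a device would use a monotonic clock.
        """
        if self.wiped:
            return None
        if now < self.locked_until:
            raise RuntimeError("cooling down for %.0f more seconds" % (self.locked_until - now))
        kek = derive_kek(password, self.user_salt)
        if kek_matches(kek, self.verifier):
            self.failures = 0
            return xor_bytes(self.wrapped, kek)
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.wipe_user_slot()
        else:
            # 2 s, 4 s, 8 s, ... : each consecutive failure doubles the wait
            self.locked_until = now + BASE_COOLDOWN * 2 ** (self.failures - 1)
        return None

    def wipe_user_slot(self) -> None:
        """Destroy the material a brute-forcer needs; only the escrow slot remains."""
        self.wrapped = bytes(KEY_LEN)
        self.verifier = bytes(32)
        self.wiped = True

    def recover(self, recovery_key: bytes, new_password: bytes) -> bytes:
        """Help-desk path, used only after the user's identity was confirmed out
        of band (the challenge/response step) and the event was logged."""
        kek = derive_kek(recovery_key, self.recovery_salt)
        if not kek_matches(kek, self.recovery_verifier):
            raise ValueError("recovery key rejected")
        data_key = xor_bytes(self.recovery_wrapped, kek)
        self.user_salt = os.urandom(16)
        self.wrapped, self.verifier = wrap(data_key, derive_kek(new_password, self.user_salt))
        self.failures, self.locked_until, self.wiped = 0, 0.0, False
        return data_key
```

The recovery slot is what makes the "destroy after N attempts" option safe to deploy: the finder of a lost drive is left with nothing to guess against, while the help desk, holding the recovery key off the device, can still restore the data and set a fresh password once the user has been authenticated.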
Choose Data Protection that Supports Patient Care
Securing data stored on removable media has become both a growing challenge and a critical responsibility for healthcare organizations. By implementing well-integrated, user-transparent removable media security through centrally managed encryption, organizations can reduce damaging breaches and let end users access more confidently the information that is critical to their greatest priority: providing the highest levels of patient care.