Encryption on the Go, Part 2
Many enterprise IT departments have to deal with an ever-growing number of personal devices on corporate networks. This is risky enough for most businesses, but the phenomenon is especially sensitive when it comes to healthcare institutions, many of which hold large amounts of highly personal data about patients.
Jun 6, 2012 5:00 AM PT
The growing consumerization of IT is turning into a security nightmare for many IT departments, but it's perhaps hitting the healthcare industry worst.
"BYOD (bring your own device) is an emerging issue in healthcare, as staff bring their latest and greatest devices and ask to use them in their work," Christina Thielst, vice president at Tower Strategies, told TechNewsWorld. Some healthcare organizations allow or even encourage employees and physicians to bring in their own devices because it lets them save on the cost of equipment.
Mobile devices are a critical part of the healthcare system due to their utility.
"Healthcare providers need to be able to move around their environment in the most efficient manner," Armando Orta, senior director of information security and disaster recovery at Anthelio Healthcare Solutions, told TechNewsWorld. "With the use of smartphones and smart pads, they are able to collect information and move around freely in and out of the hospital."
Tablets "add powerful processing power that can be carried around for convenience," Orta said. "The urgency for this information at the right time can be a matter of life or death in the healthcare industry."
However, there are "many concerns" with this practice, as the devices may store patient or other sensitive information, Orta said. "This essentially means that the information becomes mobile."
The Threat From Mobile Devices
Mobile devices are highly susceptible to being lost or stolen. For example, Credant Technologies found that more than 1,700 mobile devices were left behind at 10 baseball parks over a six-month period. The overwhelming majority -- 97 percent -- were smartphones and tablets. More than half the lost devices were reclaimed by the owners, but the rest were recycled or donated to charities if left unclaimed for 10 to 30 days, depending on the venue.
Whether mobile devices are brought in by their owners and hooked up to the healthcare IT network, or purchased by the healthcare institution and handed out to employees, "sensitive information becomes mobile, and there's a higher risk of losing control of who has access to that data," Anthelio's Orta said.
Health organizations should implement various safeguards, including remote management capabilities for configuring mobile devices, changing their passwords, and wiping them clean if they're lost or have been stolen, Tower Strategies' Thielst said. However, "health IT departments are busy places these days, and mobile is competing for attention with [electronic health records], HIE [health information exchange], telemedicine and other important tools. The issue of BYOD just adds one more layer of complexity and demand for time and resources."
Why Healthcare IT Fears Mobility
Even when healthcare institutions have policies calling for file and application encryption and remote wipe capabilities to be available on all mobile devices used at work, "it's challenging to apply requirements to a device when the owner of the device is not the hospital," Orta pointed out.
Further, once a personal device leaves the hospital with its owner, "there is no control over who can access the information that has been stored on the device," Orta said. "Even if the device belongs to the hospital, it's challenging to provide the most efficient controls on the device without suppressing the device resources or dramatically affecting the budget."
While encryption is "a very logical solution" for securing data on mobile devices, and is readily available from a third-party cloud service, it carries "a very hefty price tag per device," Orta said. The cost is constant across all the devices that belong to the organization, but when users bring in their own devices, costs will go up because specific policies must be written to cover these.
One of the questions that must now be addressed is what happens if the encryption tool used by the institution adversely affects the device's performance. "Will the hospital need to replace the device?" Orta asked. If the user leaves for a new job, the hospital has to figure out how to ensure its control over the sensitive information the device contains without damaging the user's mobile device. "All of these risks add to the cost of securing patient information."
The Encryption Cure
There's a "huge market" for "very low-cost tablet devices that can be easily encrypted and are highly compatible for use with the leading medical software applications," Anthelio's Orta said.
Hardware-based encryption offers better performance but software encryption provides greater flexibility, especially when it comes to meeting the differing needs of devices in the BYOD era.
Some of the new processors coming onto the market have a feature that will encrypt everything from the time they are turned on, Orta said. If the feature's turned off, the files will remain encrypted, but "can be decrypted with some tenacity if needed."
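The two controls the article keeps pairing, file and application encryption and remote wipe, fit together: if records are stored only in encrypted form, a wipe does not have to reach every file, it only has to destroy the data key (crypto-erase), and the ciphertexts that remain on the device are worthless without it. The Go program below is an added example written for this edit, not code from the article or from any vendor or product named in it. It models a hypothetical encrypted record store for a mobile app: the store name, method names and the single sample record are all invented here, and the sample record is constructed, not real patient data. Records are sealed with AES-256-GCM under a random per-device key, the record name is bound as associated data, and the wipe command zeroes and drops the key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// RecordStore is a hypothetical encrypted store for an app's local records
// (added example; not the article's or any product's code). Every record is
// sealed with AES-256-GCM under one per-device data key. A remote wipe only
// destroys that key (crypto-erase); the ciphertexts are left untouched.
type RecordStore struct {
	key     []byte            // per-device data key; nil once wiped
	records map[string][]byte // record name -> nonce || ciphertext
}

// NewRecordStore generates a fresh random 256-bit data key.
func NewRecordStore() (*RecordStore, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return &RecordStore{key: key, records: make(map[string][]byte)}, nil
}

// aead builds a GCM instance from the current key on every call, so that no
// expanded key schedule outlives the wipe below.
func (s *RecordStore) aead() (cipher.AEAD, error) {
	if s.key == nil {
		return nil, errors.New("data key has been wiped")
	}
	block, err := aes.NewCipher(s.key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Put seals plaintext under a fresh random nonce. The record name is passed as
// associated data, so a ciphertext cannot be moved to a different record name.
func (s *RecordStore) Put(name string, plaintext []byte) error {
	g, err := s.aead()
	if err != nil {
		return err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	blob := append([]byte{}, nonce...)
	blob = g.Seal(blob, nonce, plaintext, []byte(name))
	s.records[name] = blob
	return nil
}

// Get opens a record; it fails if the key is gone, the record is missing, or
// the ciphertext or its name has been tampered with.
func (s *RecordStore) Get(name string) ([]byte, error) {
	g, err := s.aead()
	if err != nil {
		return nil, err
	}
	blob, ok := s.records[name]
	if !ok {
		return nil, errors.New("no such record")
	}
	ns := g.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("record too short")
	}
	return g.Open(nil, blob[:ns], blob[ns:], []byte(name))
}

// Wipe is what the device would do on receiving a remote-wipe command:
// overwrite the key in memory and drop it. Records stay on disk but are now
// unreadable, which is the crypto-erase property.
func (s *RecordStore) Wipe() {
	for i := range s.key {
		s.key[i] = 0
	}
	s.key = nil
}

// Count reports how many (still encrypted) records remain after a wipe.
func (s *RecordStore) Count() int { return len(s.records) }

func main() {
	store, err := NewRecordStore()
	if err != nil {
		panic(err)
	}
	// Constructed sample record for the demo; not real patient data.
	if err := store.Put("patient-0001", []byte("MRN 0001: allergy penicillin")); err != nil {
		panic(err)
	}
	pt, _ := store.Get("patient-0001")
	fmt.Printf("before wipe: %q\n", pt)
	store.Wipe()
	_, err = store.Get("patient-0001")
	fmt.Printf("after wipe: %d record(s) still on disk, read error: %v\n", store.Count(), err)
}
```

The practitioner caveat this demonstrates is that a wipe is only as good as the key handling: if a cached cipher object or a copy of the key survives elsewhere (a backup, a debug log, a keychain that syncs), the ciphertexts are recoverable even though the "wipe" succeeded. The same property is what makes an encrypted device with the encryption feature later switched off still hold encrypted files, as the paragraph above notes; the security of those files then rests entirely on where the key went.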
The Bigger Picture
"Information security isn't just about technical controls," Tom Wills, managing director of Secure Strategies, told TechNewsWorld. "Employee awareness and mandatory training programs are critical pieces of your security program."
Employees should be trained to never disclose their PINs to anyone, including the company's security or IT team; run antivirus software on their mobile devices; and report a lost or stolen mobile device to the company immediately, Wills said.
"Employee education around security is a foundation that is required for the success of any other solutions and must not be overlooked," security consultant Randy Abrams told TechNewsWorld. "A simple social engineering attack can still render high-grade encryption useless."