How Mobile Gadgets Can Tear a Hole in Breach Disclosures
Smartphones are lost and stolen every day, but when a lost phone contains sensitive healthcare info, it could trigger a mandatory disclosure. But how does an organization know when something's been lost? If it was issued by the IT department, that's easy -- the employee will report it and ask for another. But if the phone is an employee's personal property, how can IT learn about it in a timely manner?
Take a moment to visualize a physician traveling home in a cab after a long day. Stuck in traffic, our hypothetical physician sees this as the perfect time to catch up on email or on non-care-related administrative tasks. At the end of the cab ride, he or she puts the phone down to pay the driver. Being tired, in a moment of thoughtlessness, the doctor walks away from the cab and leaves the phone on the seat. One more lost device.
This scenario -- or one very much like it -- unfolds daily all over the country. Mobile devices become lost or stolen on a minute-by-minute basis. It's an unfortunate but inevitable consequence of carrying a valuable, easily-resalable piece of equipment with us everywhere we go. Of course, those of us in information security understand the security consequences this type of event can have: It's a huge deal.
But the short-term security risk isn't why I'm bringing it up. I'm bringing it up because of what happens next. Namely, what happens after the device goes missing?
How Long Has It Been Missing?
Many employees, in healthcare and elsewhere, treat personally owned devices differently from corporate-owned ones, often without realizing it, at least with regard to how they respond and whom they inform when the device goes missing.
The employee's first priority is usually to get the device replaced as quickly as possible since they rely on it so heavily to do their job. So in the case of an employer-issued device, their first action will usually be to report the loss to IT -- since this is how they'll get a new one provisioned.
For a personally owned device, their first step will probably be to purchase a replacement, configure it to connect to allowed corporate services, and get back to what they were doing. Notifying the IT organization won't be their first -- or even second -- thought.
See the problem? If not, here's a hint: It has to do with breach disclosure.
A Potential Hole in Breach Disclosure Planning
From a breach disclosure perspective, loss or theft of organization-owned equipment -- be it laptops, mobile phones, or media -- has a built-in stopgap or checkpoint. Because personnel have to come to IT when the device goes missing (for example, in order to get a replacement), this means that IT will be informed about the loss. IT can and usually has set up processes to take appropriate measures at that point, including initiating the breach notification procedures should the situation warrant it (for example, if the device contains protected health information).
But when an employee doesn't notify IT because they are solely responsible for replacing the device, that stopgap isn't there. Initiating the breach disclosure process requires a different channel, one that many organizations haven't yet set up.
From a covered entity standpoint, we all know disclosure obligations are heavy. While most industries are impacted by breach disclosure regulatory requirements to one degree or another (for example, due to the number of states that now have legislation to this effect), the burden in healthcare is much greater. Non-healthcare organizations have to report breaches to the people impacted; healthcare has to do that and also report to HHS, and for larger breaches (more than 500 individuals) notify prominent media as well. Other organizations have deadlines to report in certain states (for example California), whereas healthcare has a ticking clock (notification without unreasonable delay, and no later than 60 days after discovery) each and every time it happens. In that context, it very well can be a worst-case scenario when a device containing PHI goes missing and IT or compliance are out of the loop.
The breach notification rule (issued as an interim final rule in 2009 and finalized in 2013) does provide some leeway for breaches that the covered entity is not aware of, but that leeway does not extend arbitrarily in every case. Specifically, 45 CFR 164.404(a)(2) indicates that, "A covered entity shall be deemed to have knowledge of a breach if such breach is known, or by exercising reasonable diligence would have been known, to any person, other than the person committing the breach, who is a workforce member or agent of the covered entity." Meaning, the 60-day clock starts when the loss could reasonably have been discovered, not when someone finally tells compliance; you're on the hook if you could have implemented some reasonable process but didn't.
This is important for organizations to realize, particularly because most covered entities already have mechanisms in place governing PHI exposure in other areas (e.g., misdirected faxes, lost laptops). The case could be made, in the cold light of hindsight, that a covered entity which had set up such processes elsewhere had the opportunity to do the same for personal devices and chose not to. So doing nothing just because the employee owns the device is probably not a recipe for success here.
Closing the Gaps
Recognizing that use of mobile devices to store, access, and transmit PHI is on the upswing, how can organizations make sure that their bases stay covered? Furthermore, as organizations expand the footprint of employee-owned equipment to include laptops, media and other devices in addition to phones, how can organizations implement other, non-provisioning-dependent stopgaps that notify IT in the event of loss?
There are two types of strategies that are particularly effective in this area: a technical strategy and a procedural one.
On the procedural side, most covered entities already conduct training for all personnel (volunteers, medical staff, employees) -- the by-now-infamous "mandatory HIPAA training." Helping employees to understand the potential impact of a lost mobile device, and why that might necessitate engaging the incident management process, can be a great first step. The advantage with this approach is that it's easy and cheap to implement, while the downside is that there still won't be a checkpoint to ensure notification to IT or compliance.
On a technical front, products in the mobile device management (MDM) space can help. They provide two advantages. First, many of those products can encrypt PHI stored on the device (and PHI encrypted in line with the HHS guidance on securing PHI is treated as "secured," so its loss may not be a notifiable breach at all) and can remotely lock or wipe a device once the loss is known. But they also have another effect. Because staff now need to come to IT to provision access and enable the device, the missing notification stopgap gets reintroduced. Note that this only works if unenrolled devices are actually blocked from corporate email and applications; if a replacement phone can reach those services without enrollment, the checkpoint is not there. The disadvantages are expense, as well as the configuration effort of provisioning employee-owned devices with the MDM software. Staff (particularly physicians) may resist this approach at first, which is why selecting a vendor on the basis of usability is helpful.
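Even with enrollment in place, a useful detective control is to look for the replacement pattern directly in the access logs: a device that has never been seen before starts acting for a user at the same moment their previous device goes silent. The following is an added example (not code from the original article or from any MDM product) that runs that check over a constructed mail-access log and also lists devices that are missing from a hypothetical enrollment list; the log format, the device identifiers, and the `ENROLLED` set are assumptions for the example.

```python
"""Flag likely device replacements and unenrolled devices from access logs.

The sample log below is constructed for this example. Each line is:
    <ISO timestamp> <user> <device_id> <client>
A user whose previously active device falls silent exactly when a
never-before-seen device appears is a replacement candidate that IT or
compliance should confirm, because the old device may have been lost.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2013-03-04T07:55:00 drsmith DEV-A1 iOS-Mail
2013-03-04T12:10:00 drsmith DEV-A1 iOS-Mail
2013-03-04T18:42:00 drsmith DEV-A1 iOS-Mail
2013-03-05T09:05:00 drsmith DEV-B7 iOS-Mail
2013-03-05T13:30:00 drsmith DEV-B7 iOS-Mail
2013-03-06T08:00:00 drsmith DEV-B7 iOS-Mail
2013-03-04T08:00:00 nurse_j DEV-C3 Android-Mail
2013-03-05T08:00:00 nurse_j DEV-C3 Android-Mail
2013-03-05T08:30:00 nurse_j DEV-D9 Android-Mail
2013-03-06T08:00:00 nurse_j DEV-C3 Android-Mail
2013-03-06T08:30:00 nurse_j DEV-D9 Android-Mail
"""

# Hypothetical MDM enrollment list (assumption for the example): a device
# that is not in here was never provisioned by IT.
ENROLLED = {"DEV-A1", "DEV-C3"}


def parse(log_text):
    """Parse the constructed log format into sorted (ts, user, device, client) tuples."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, dev, client = line.split()
        events.append((datetime.fromisoformat(ts), user, dev, client))
    events.sort()
    return events


def device_windows(events):
    """Map user -> device -> (first_seen, last_seen)."""
    windows = defaultdict(dict)
    for ts, user, dev, _client in events:
        first, last = windows[user].get(dev, (ts, ts))
        windows[user][dev] = (min(first, ts), max(last, ts))
    return windows


def find_replacements(events, quiet_after=timedelta(hours=12)):
    """Return (user, new_device, silenced_prior_devices) for each user whose
    earlier devices all stopped appearing before a new device's first sighting.

    A new device is only judged once at least `quiet_after` of log has been
    observed after it appeared, so a device that is merely added alongside a
    still-active one (e.g. a tablet next to a phone) is not reported.
    """
    findings = []
    log_end = max(ts for ts, *_ in events)
    for user, devs in device_windows(events).items():
        for new_dev, (new_first, _new_last) in devs.items():
            if log_end - new_first < quiet_after:
                continue  # too little observation time to call the others silent
            prior = {d: w for d, w in devs.items() if w[0] < new_first}
            if not prior:
                continue  # the user's first device in the log; nothing was replaced
            if all(last < new_first for (_first, last) in prior.values()):
                findings.append((user, new_dev, tuple(sorted(prior))))
    return sorted(findings)


def find_unenrolled(events, enrolled):
    """Return sorted (user, device) pairs for devices not in the enrollment list."""
    return sorted({(user, dev) for _ts, user, dev, _client in events if dev not in enrolled})


if __name__ == "__main__":
    evts = parse(SAMPLE_LOG)
    for user, new_dev, old in find_replacements(evts):
        print(f"REPLACEMENT? {user}: {old} silent since {new_dev} appeared; confirm old device not lost")
    for user, dev in find_unenrolled(evts, ENROLLED):
        print(f"UNENROLLED  {user}: {dev} reached mail without MDM enrollment")
```

In the sample data, drsmith's DEV-A1 stops appearing the evening before DEV-B7 shows up, so it is reported for follow-up, while nurse_j's DEV-C3 keeps appearing after DEV-D9 is added and is not. Both DEV-B7 and DEV-D9 are reported as unenrolled, which is the second signal: a device reaching mail without enrollment means the provisioning checkpoint was bypassed.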
Of course, as with most things, the most effective scenario is probably a blended approach of both training and technical enforcement: By helping staff to understand the consequences of a lost device, as well as building in the back-end stopgap, you can bring personal devices back in line and make sure your notification processes are doing what you expect.