Lost Devices And Healthcare Data Leakage, Two Sides Of The Same Coin?

By Rich Campagna, Product Management and Marketing, Bitglass

Healthcare professionals are more reliant on mobile devices than ever, with laptops, tablets, and smartphones quickly obviating the need for paper records. While a boon to productivity, mobile devices have also increased the risk of data leakage. Cloud-based EHR systems and adoption of productivity apps like Office 365 have made large volumes of patient data and claims information readily accessible from loss and theft prone mobile devices. The security and compliance challenge posed by these mobile devices, many of which are unmanaged, unsecured, and thus particularly vulnerable, are a source of major headaches for IT, legal, and compliance teams.

Loss And Theft Of Mobile Devices Is A Top Threat

Protected health information (PHI) — which includes Social Security numbers, dates of birth, and other sensitive personal data — is among the most valuable data for hackers because of its longevity. For healthcare organizations, data breaches that result in leaked PHI can be incredibly costly, averaging $363 per lost record according to Ponemon.

According to a report based on HHS data, lost and stolen devices were the leading cause of breaches in 2015, accounting for 97 of the 254 total breaches in the year. With BYOD use growing rapidly among healthcare professionals, IT leaders in healthcare are seeking out solutions that resolve the inherent challenges with mobile device management (MDM) and protect sensitive data in the event of loss or theft.

Where MDM Falls Short

IT leaders need a flexible and effective solution to protect data on healthcare professionals’ devices. Doctors, nurses, and hospital administrators all increasingly use personal mobile devices to conduct business and deliver care. Conventional mobile security solutions like MDM require software agents for complete control over each device. While such solutions can be powerful, they are best for managing corporate-owned devices and struggle to gain widespread adoption for BYOD.

Because many physicians are not employees, but independent practitioners with multiple hospital affiliations, their personal devices remain beyond the hospital’s purview. Attempts at rolling out MDM and mobile application management (MAM) have stalled in part due to privacy concerns. For physicians, multiple affiliations poses another problem as only one MDM solution can be installed on a device at a time.

Naturally, care takes precedence over data security, and so, physicians with multiple hospital affiliations are allowed direct access to critical applications from these less secure devices, creating a HIPAA compliance nightmare. Healthcare organizations that allow for access from unmanaged devices are quickly coming to grips with these BYOD realities and opting for agentless, data-centric solutions that move beyond device management and allow for HIPAA compliant access to corporate data.

Agentless, Data-Centric Protection

Agentless mobile security focuses on protecting data end-to-end, from the app to the device, operating entirely from the network without installing software on endpoint devices. These solutions provide protection in two critical ways. First, they regulate the flow of data to devices, extending risk appropriate access to PHI and other sensitive data. Second, they provide control and visibility over data that is downloaded to a user’s device. These mechanisms work in concert to solve the modern healthcare organization’s BYOD security and compliance challenges.

To regulate the flow of data to devices, data leakage prevention and access control are typically employed. Access control accounts for the context in which a user is attempting to gain access to data, and makes coarse-grained yes/no decisions on access. For example, a provider might allow a cloud-based file synchronization app like OneDrive to be used on a managed device, but block access from that same app on an unmanaged device. Data leakage prevention scans the actual data being accessed. For example, many organizations opt to limits the amount of PHI that can be downloaded to unmanaged devices, hoping to avoid HIPAA-mandated breach disclosures should a loss or theft event occur.

Once data is actually downloaded to the device, data-centric and device-level controls can be leveraged. Data-centric controls include dynamically embedding protection into data upon download. For example, an organization might choose to encrypt or to apply rights-management to any file downloaded to a BYOD device if it contains PHI. Agentless mobile solutions also allow IT to enforce some core device-level security capabilities, including OS-level encryption, PIN requirements, and selective remote wipe.

The Future Of BYOD Security

Mobile devices remain a key access point for PHI and when lost or stolen, often result in costly data leaks. Demand for BYOD will only become more pervasive among healthcare professionals. For care providers, the challenge of protecting unmanaged devices requires a new approach to deal with issues like end-user privacy and the multiple affiliations problem. Healthcare IT leaders are taking the threat of lost and stolen devices seriously, shifting resources toward agentless, data-centric solutions that protect data across all mobile devices.

About The Author

Rich Campagna drives product management and marketing at Bitglass. Prior to becoming an integral team member at Bitglass in April 2013, he was senior director of product management at F5 Networks, responsible for access security. Rich gained valuable experience in product management and sales engineering at Juniper Networks and at Sprint before working at F5.