In a time when smartphones seem ubiquitous, the pressure for businesses to allow their employees to access work resources with their personal mobile devices may be overwhelming. This presents a variety of potential problems that are especially troubling in the shadow of the Anthem data breach. What can healthcare IT and Security staff do to balance these opposing forces, to allow better access without giving criminals the keys to the castle? The answer to this question may be an important part of decreasing the trend of increasing medical breaches.
What are criminals seeking?
Many medical practices have a fundamental misunderstanding of what criminals are after. While some criminals may be after blackmail-worthy details of health problems, in the majority of data breaches the miscreant’s goal is to obtain a large quantity of saleable data to be used for medical or financial fraud. This list of valuable data comprises much of what that was lost in the Premera and Anthem breaches, as well as other notable recent healthcare breaches:
- Names of patients and employees names
- Physical and email addresses
- Medical ID numbers
- Social Security numbers
- Payment card data
This information can be sold in bulk, with more complete record sets fetching a higher price, as they enable more lucrative fraud without the need for phishing for additional information from the victim. Medical ID and Social Security numbers are especially valuable for criminals, as payment card fraud is typically identified and blocked much more quickly; most banks have robust fraud-detection programs, and customers check payment cards more regularly and thoroughly than they do credit reports or medical reports.
While sometimes criminals may seek to access databases directly, they can just as easily find other ways into the network. Attackers often try to break into machines they view as less sensitive, which may have less stringent security, and work their way across the network to the more lucrative targets. Or they may phish login credentials from staff members, so that attackers can appear to be someone who is authorized to access the necessary resources to get to the database. This can potentially negate the beneficial effects of encrypting sensitive data, if the criminal gains the necessary permissions to access the unencrypted information.
In light of this, healthcare organizations should be implementing layered defenses so that even if a criminal gains access to a machine or user credentials that get them into the network, these attacks can still be stopped by other means. And this means businesses need to have a certain amount of control over the computing environment of their users. But how do you do this when users bring their own devices, especially mobile devices, which involve a significantly higher risk of loss or theft?
There are a variety of things Healthcare IT and security staff can do to decrease the risks inherent in implementing users bringing their own device (commonly called “BYOD” for short).
Choosing the mobile device
When employees are in charge of updating and upgrading their devices – as well as choosing which software to install – support costs can increase as problems may be more complicated to resolve. And if those users are the ones deciding what security settings to enable or disable, this may potentially open businesses to greater security risk if that device is lost, stolen or breached. It may be more cost effective to offer employees mobile devices that have mobile device management software installed, as this can standardize software and settings throughout the company.
Making restrictions clear
The decision to allow employees to access corporate resources with mobile devices is a delicate balancing act between the employee’s rights and the business’s legal obligation to protect data. This is particularly true for healthcare businesses, when HIPAA requirements come into play. This excellent fact sheet from the Privacy Rights Clearinghouse discusses these legal issues in greater detail.
In a time where text or instant messaging, and cloud services are every bit as prevalent as the mobile devices they’re often used with, it is important to make it clear to employees that it is not acceptable to circumvent security protocols when storing or transmitting patient data. Employers may choose to provide approved, secured messaging and cloud services, to make conformance easier for employees.
Mitigating the risk of lost or stolen devices
There is no such thing as perfect security. The best thing to hope for is decreasing risk, and mitigating the damage if a security incident does occur. The primary aspect businesses must consider when a device is lost or stolen is what data the device contained, and what company resources the device allows access to.
The two most obvious solutions to both are to require a passcode to access the device, and to wipe the device as soon as it is reported stolen. Many businesses choose to implement a policy that requires IT to have device access so that these steps can be implemented. One way to limit the value of stolen data is to encrypt as much as possible, both in transit and in storage, remotely and on the device itself. If a thief gains access to a device, but the data on it are scrambled, the data loses any value to an attacker. Keep in mind that if the thief gets the device and the user’s login credentials, he may still be able to view the data in its unencrypted form.
Offering other methods for securing connections
One important way to protect data that does not need to be viewed by more than one person, such as passwords, is to salt and hash the data. When this is done the password is not stored, and cannot be stolen, and it decreases the possibility of it being reverse-engineered. And it is safer to simply reset passwords and require the user to change it upon first login. This Crack Station post goes into the intricacies of effective salting and hashing.
Limiting the number of incorrect login attempts can help against brute force attacks, and employee security training may help decrease the effectiveness of social engineering. Another factor for limiting damage in the event of lost password is to restrict users’ access to only what they absolutely need to be able to perform their regular tasks. Likewise, requiring users to log in to resources periodically – rather than logging them in indefinitely – can limit the amount of damage that an attacker can do.
Requiring employees to use a Virtual Private Network (VPN) to remotely access network resources can greatly decrease the risk of eavesdropping attacks, especially if employees use public Wi-Fi to access work resources. Depending on the operating system of the user’s device, it may also be advantageous to provide employees with mobile anti-malware products that scan for malicious links and files.
Keeping BYOD as a benefit
While these steps to secure access via mobile devices may all appear to be potentially costly and complicated, it may be worth the effort in terms of the increase in staff productivity and responsiveness. Both employees and customers may view this as a benefit that may improve care outcomes due to improved patient engagement. And as more and more healthcare organizations fall victim to large-scale breaches, this attention to details could change the safety of data and the future of healthcare security.
Author Lysa Myers, ESET