Are mobile devices putting your practice at risk? According to the 2015 HIMSS Mobile Technology Survey, nearly 90 percent of healthcare provider employees are utilizing mobile devices as part of their practice. Mobile devices provide a large degree of convenience but also introduce one of the largest risks to securing ePHI.
Unfortunately, at many organizations the security around these devices has not kept pace with the growth. A Skycure report states that one in five mobile devices used by doctors is at high risk of an attack. IT departments have found it challenging to secure ePHI on mobile devices. Here are four tips to help improve your organization’s mobile security posture.
1. Approve devices
Prior to granting access to a mobile device, determine which mobile devices your organization will allow. When employees have complete control over which device they use, it becomes increasingly difficult to manage the risks presented by a variety of models and operating system versions. Network and server rules can be created that deny access to new devices, so that every new device must go through an approval process before access is granted.
2. Audit devices
To ensure only approved devices are accessing the network, organizations should schedule routine audits. This includes reviewing the list of devices that have connected over the past month. The review confirms that only approved devices are connecting and helps identify potentially malicious devices.
3. Be prepared to remotely erase the device
If personal devices are used in the organization, consider having employees sign an agreement stating they understand that in certain circumstances, the organization may need to remotely erase the phone to protect the security of corporate information and ePHI. This may come with a loss of the employee’s personal information. Having this document in place will protect your organization if an employee files a lawsuit as a result of the need to erase their device.
4. Install patches
Simply stated, patches close holes that hackers use. Devices vary in how quickly they get patched. Apple devices get patches very quickly. Google Nexus phones come in second. Other Android phones do not have a good history with patch availability. Windows-based phones are showing a good track record, but they lack the history and market share to make a statement about their patch effectiveness. The sooner a hole is patched, the less opportunity there is for the hacker to acquire the information on the device. Your organization can configure your network and server rules to block devices that are missing a specific patch. This will help motivate the user to upgrade.
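The monthly audit from tip 2 and the patch check from tip 4 can be run from the same connection log. The script below is an added example, not taken from any product: the log format, device IDs, and minimum OS versions are all constructed placeholders that you would replace with your own inventory and patch policy.

```python
from datetime import datetime, timedelta

# Constructed inventory of approved device IDs (hypothetical values).
APPROVED = {"A1B2", "C3D4", "E5F6"}
# Placeholder minimum OS versions per platform; take real values from your patch policy.
MIN_OS = {"ios": (9, 3, 2), "android": (6, 0, 1)}

# Constructed connection log: timestamp, device ID, platform, OS version.
SAMPLE_LOG = """\
2016-05-02T08:14:00 A1B2 ios 9.3.2
2016-05-03T09:40:00 C3D4 android 5.1.1
2016-05-05T10:00:00 E5F6 ios 9.3.1
2016-05-10T22:05:00 Z9Y8 android 6.0.1
2016-03-01T07:00:00 X7W6 ios 8.4
2016-05-12T11:30:00 E5F6 ios 9.3.2
"""


def audit(log_text, now, days=30):
    """Return (unapproved, unpatched) device IDs seen in the last `days` days."""
    cutoff = now - timedelta(days=days)
    latest = {}  # device ID -> (timestamp, platform, version) of most recent connection
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines
        seen = datetime.fromisoformat(fields[0])
        if seen < cutoff:
            continue  # outside the audit window
        dev, platform = fields[1], fields[2]
        version = tuple(int(p) for p in fields[3].split("."))
        if dev not in latest or seen > latest[dev][0]:
            latest[dev] = (seen, platform, version)

    unapproved = sorted(d for d in latest if d not in APPROVED)
    unpatched = []
    for dev, (_, platform, version) in sorted(latest.items()):
        minimum = MIN_OS.get(platform)
        # Unknown platforms fail closed: no known patch level means "not compliant".
        if dev in APPROVED and (minimum is None or version < minimum):
            unpatched.append(dev)
    return unapproved, unpatched


if __name__ == "__main__":
    unapproved, unpatched = audit(SAMPLE_LOG, now=datetime(2016, 5, 15))
    print("Unapproved devices:", unapproved)
    print("Approved but missing patches:", unpatched)
```

Only each device's most recent connection is judged, so a device that was upgraded during the month is not reported as unpatched.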
Mobile devices are everywhere and employees want some level of freedom in what they carry between home and work. Establishing rules will help your organization and employees keep patient data safe and prepare for surprises before they happen.