Can Convenience Be Compliant?
March 9, 2015 | Randy Johnston, Network Management Group, Inc. / HBMA
Just about every business professional carries at least one mobile technology tool that stores or accesses important content. Because of HIPAA compliance, billing firms have more risk than a typical business. While smartphones, tablets, & portable computers provide a great convenience, what are the pitfalls & dangers of using mobile devices?
Mobile devices are quickly becoming more appealing targets for thieves, not only because of the worth of the physical units but also because of the value of the information to which these devices provide access. It is also evident that many people do not realize that a compromised mobile device is, in itself, a security risk. Currently, 47 states have breach reporting laws requiring that your customers be informed if their personal information is compromised through a device theft, loss, or break‐in on a processing system, unless the device is encrypted. The states without breach reporting laws are SD, AL, & NM. Louisiana’s rules state that breach reporting must occur even if the device is encrypted. When you consider the impact of HIPAA & these devices, we have to consider how to manage the risk better with internal control policies, encryption, & mobile device management software.
I recently found myself seated next to an individual on an airplane who was both busy & significantly connected to important business resources via two different mobile devices. He completed a heated conversation, using his phone, about the need to move funds from one company bank account to another in order to cover upcoming expenditures.
My seatmate then took out his tablet, brought it out of sleep mode & started working. He did not have a password or passcode on the device. He opened a browser, connected to an online banking site, & made the required fund transfer. Both the username & password for the banking utility were stored on the tablet, so he did not have to key this information in each time he accessed the site. He then placed the tablet in the seatback pocket of the plane & nodded off to sleep.
This illustrates not only the need for security but also the apathy toward the controls needed to protect devices & data. This article highlights some of the more pervasive security issues that arise when dealing with mobile technology. We will then look at a few of the many security measures that both organizations & individual users should consider to improve security. Finally, we’ll close with a short update on the dominant mobile platforms.
Security Issues & Practices to Mitigate Them ‐ Users must guard against & prepare for three primary concerns: theft or loss of a mobile device; damage, destruction, or malfunction of the physical unit; & compromised venue security while the device is in use.
Theft or Loss of a Device ‐ People regularly lose control of mobile technology. When someone no longer possesses a device, the list of bad things that can happen grows quickly: the value of the asset is lost, we lose access to content that is on the device, others may gain access to content stored on or accessed by the unit, & someone could initiate communication from the device that the recipients would believe came from the original owner.
Here are some important controls to have in place:
- The first line of defense is to create & enforce policies that safeguard against loss or theft. As an example, an important control is to make sure employees never leave devices unattended & that they do not place mobile technology in areas where it may be forgotten (such as the aforementioned seatback pocket on an airplane, a restaurant, or a customer site).
- A second important control is to make sure all mobile units have encrypted storage & have password or passcode protection in place. This way, if someone steals or finds a smartphone or tablet, they have to crack the password to gain access to the data stored on it, which gives the owner time to invoke additional security measures. Many mobile device operating systems, such as iOS & Android, provide the ability to remotely “wipe” the contents of a stolen or misplaced device. Wiping a device removes the content stored on it, leaving the resale value of the unit as the only benefit for the person who takes it. The password will (hopefully) keep the contents secure until the wipe procedure is completed. With the arrival of laws requiring “kill switches,” such as the CA Smartphone Kill Switch Law, which goes into effect July 1, 2015, stolen devices will have to have the ability to be disabled by their owner. Since manufacturers will comply with the CA law, we should all benefit from this new feature on smartphones in all states. Provisions of this law include: 1‐ if triggered by an authorized user, the phone will lock the handset, making it useless; 2‐ the law doesn’t specify how the system locks the phone; 3‐ the feature must be installed & activated in new smartphones; 4‐ users will be able to deactivate this feature; & 5‐ however vendors implement the protection, it must be resistant to attempts to reinstall the operating system.
- Finally, companies should consider mobile device management (MDM) & mobile device tracking applications to add security & provide unit‐tracking capabilities. MDM applications allow an administrator to encrypt all or part of mobile device storage, enforce a password policy that dictates the length & complexity of the passwords used, & limit the types of applications & content placed onto a mobile device. There are many available MDM applications at varying price points. A few of the most popular are MobileIron, Good, MaaS360, Centrify, & AirWatch. However, these products do not come cheap, with typical charges around $10 per device per month. Track & trace apps such as LoJack or CyberAngel provide added capabilities for those wishing to find lost or stolen devices by employing some of the unit’s built‐in tools, such as GPS location services & the forward‐facing camera (to take pictures of whoever currently possesses the device).
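The breach‐reporting rules summarized above (47 states with laws; SD, AL, & NM without; Louisiana requiring notice even for encrypted devices) & the three controls just listed can be turned into a simple inventory audit. The following is an added example, not the author’s or any MDM vendor’s code; the sample device records, the six‐character passcode threshold, & the idea that a single state code determines which breach law applies are assumptions made for illustration.

```python
# Constructed audit of a device inventory against the article's controls; not the
# author's or any MDM vendor's code. Sample records and the passcode threshold are
# assumptions; the notification rules follow the article's 2015 state-law summary.
from dataclasses import dataclass

STATES_WITHOUT_BREACH_LAW = {"SD", "AL", "NM"}  # named in the article
STATES_NO_ENCRYPTION_EXEMPTION = {"LA"}         # notify even if encrypted
MIN_PASSCODE_LENGTH = 6                         # assumed MDM policy setting

@dataclass
class Device:
    device_id: str
    state: str                # state whose breach law applies (assumption)
    encrypted: bool
    passcode_length: int      # 0 means no passcode set
    remote_wipe_enabled: bool
    mdm_enrolled: bool

def control_gaps(dev: Device) -> list[str]:  # controls from the article the device fails
    gaps = []
    if not dev.encrypted:
        gaps.append("storage not encrypted")
    if dev.passcode_length == 0:
        gaps.append("no passcode")
    elif dev.passcode_length < MIN_PASSCODE_LENGTH:
        gaps.append(f"passcode shorter than {MIN_PASSCODE_LENGTH}")
    if not dev.remote_wipe_enabled:
        gaps.append("remote wipe not enabled")
    if not dev.mdm_enrolled:
        gaps.append("not enrolled in MDM")
    return gaps

def notification_required_if_lost(dev: Device) -> bool:
    """Would losing this device trigger state breach notification?"""
    if dev.state in STATES_WITHOUT_BREACH_LAW:
        return False
    if dev.state in STATES_NO_ENCRYPTION_EXEMPTION:
        return True
    return not dev.encrypted  # encryption exempts the loss everywhere else

def audit(inventory: list[Device]) -> dict[str, dict]:
    return {d.device_id: {"gaps": control_gaps(d),
                          "notify_if_lost": notification_required_if_lost(d)}
            for d in inventory}

INVENTORY = [  # constructed sample; tab-01 mirrors the airplane tablet
    Device("tab-01", "KS", False, 0, False, False),
    Device("phone-02", "LA", True, 6, True, True),
    Device("phone-03", "NM", False, 4, True, True),
]
```

Running `audit(INVENTORY)` shows that the unprotected tablet fails every control & would trigger notification, while the fully controlled Louisiana phone still would, because that state grants no encryption exemption.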
Damage, Destruction, or the Malfunction of the Mobile Tech ‐ Mobile technology is easily damaged or destroyed & sometimes malfunctions, which can be expensive to repair or replace & can cause the loss of important content. It might be a good idea to carry insurance coverage on mobile technology to minimize cost for new units or to repair damaged ones. It is also a great practice to make sure that key data stored on mobile devices is backed up so you can recover it if necessary. Backup apps are plentiful, & because of the tremendous connectivity supported by mobile hardware, it is easy to have up‐to‐date backups of all important content.
Venue Security ‐ Let’s go back to the incident I shared earlier about the individual on the airplane. I wasn’t trying to find out about the operation of his organization, yet I now know the bank they use & information about particular vendors & the way in which they are paid. If someone who was intentionally trying to gain info about this business sat where I was, the consequences could be notable. What if, for example, a person with ill intent removed the tablet while the owner slept? That person could make a transfer of funds or a bill payment to a fraudulent recipient.
Users of mobile technology must maintain control of the devices they use at all times. They also must be aware of the venue in which they are using their smartphones, tablets, & laptops, because the presence of prying eyes & listening ears is a very real possibility &, therefore, a concern. Further, this could potentially be a HIPAA violation if patient data were visible on the device in use. People should take a few moments to verify the security of the location in which they choose to use their devices.
What Types of Devices Are Available? Vendors have been actively updating both hardware & software during this past year. Whether you choose Apple iPhones & iOS, Android phones from a variety of manufacturers, BlackBerry, or Windows phone options, you’ll discover new hardware & new operating systems. Likewise, tablets, including the iPad, Android, & Windows options, have all had hardware & software updates.
Apple has increased the size of its phones, with the iPhone 6 & 6 Plus sporting new 4.7‐inch & 5.5‐inch screens. Security may have become simpler with fingerprint identification included on these products, as well as on the iPad Air 2 tablet. The biggest innovation in iOS 8.1 is the arrival of Apple Pay, which promises to be a contender among near field communication (NFC) payment options. You can expect vendors to incorporate these payment options into encounter systems because of their ability to integrate so many payment sources. Further, the security of the payments is good, while convenience is excellent. With the October 1, 2015, EMV (Europay, MasterCard, & Visa) chip compliance requirements, payment systems will be radically changed over the next year. Remember to work with your billing clients, & your own firm, to ensure compliance so the bankcard issuer retains the liability on any credit card payment, instead of you, the acquirer.
The Android operating system is transitioning from version 4.4 to 5.0 with a number of convenience & security improvements. For example, if you receive a call from a number not in your contacts, your phone will look for matches among businesses with a local listing on Google Maps. The supporting hardware, such as the Samsung Galaxy S5 or the Samsung Galaxy Note 4, provides larger screens with faster processors. Motorola/Google/Lenovo is making similar hardware improvements in the Android lineup. Remember that Android features & operating systems vary widely by manufacturer & product.
Even though BlackBerry no longer dominates the corporate world, its operating system, together with the BlackBerry Enterprise Server (BES), is still the most secure mobile operating system available without using MDM. Further, BES has been updated to support iPhones, Android, & the Windows operating systems. BlackBerry introduced new hardware recently, as well.
You will find new options on the Windows platform with the Nokia Lumia family, specifically the 1525. With Windows 8.1 mobile & the arrival of Windows 10 in 2015, we will see the portability of apps between the desktop/laptop & mobile devices.
Protect Yourself Moving Forward ‐ Because of the growing use of & dependence on mobile devices, the amount of information stored & accessed by these units is increasing. This makes them a more interesting target for those with nefarious intent. Because this is the case, you should protect both the devices & the content they deliver. Organizations should have mobile security policies in place & processes to implement them. Individuals need to exercise due diligence to make sure the mobile devices they carry are as secure as possible.