With applications ranging from patient education to medical records, the professional use of handheld smart devices has increased in ophthalmology practices. But what are the security implications of using portable smart devices?
According to the FCC, well over 1 million smartphones are stolen every year. Unfortunately, the biggest problem isn’t the cost of replacing the device. The loss of data, privacy, and productivity are the biggest costs, and, if you use your device to access patient data, those costs can soar.
A recent HIMSS Analytics survey of 129 administrators, clinicians, and information technology professionals found more than 70% used mobile devices to access patient data.
Here, industry experts answer the primary questions surrounding smart device security.
Who else should be concerned about this?
Everyone. According to IT security expert, Raheem Beyah, PhD, of Georgia Technical Institute, few if any schools teach “Internet hygiene.” Without learning how to configure systems, use strong passwords and react to the newest threats, “then people are always going to be weakest link,” he says.
If no consistent, regular sort of mandatory education is available, then “none of the [other] stuff matters, because folks will click ‘yes’” and accept malware, says Dr. Beyah.
What should you know?
Smartphones and tablets are basically mobile computers with small screens and telephones built in. It is the mobile part that makes them more dangerous.
As N.C. State University’s Douglas Reeves, PhD, puts it, the “challenge for phones is physical access — it’s quite plausible you will lose your phone, or someone could steal it or gain temporary access to it.” This risk is much higher than that of someone who would break into your office and get physical access to that computer. The same risks for smartphones applies to tablets as well.
What should you do?
Dr. Reeves explains that mobile devices used in U.S. practices haven’t been “a big attack target” for data thieves yet.
“The major problems have been in other countries, where consumers download apps from all kinds of unreliable marketplaces,” he says.
But that doesn’t mean the risk of a security breach isn’t very real, as the work of NCSU’s Bill Enck, PhD, at Wolfpack Security and Privacy Research Lab and Muhammad Shahbaz, PhD, at NCSU’s Computer Science Department highlights. They suggest that mobile security boils down to the following six key steps.
What should you remember?
- Secure the device from the start.
- Don’t store sensitive information (PHI, account numbers passwords, etc.) on the device.
- Don’t connect the device to public or unsecured networks.
- Investigate apps before you download them and limit their access to data.
- Don’t download apps from third-party app stores.
- Dispose of the device securely.
1. Secure your device from the start.
- Make certain to use a strong password. Or at least use the fingerprint feature. Better still, use both for multifactor authentication.
- Turn data encryption on.
- Set up a kill switch if the device is lost.
- Consider downloading an anti-theft app onto your device.
- Set your screen to lock after one minute of inactivity or less.
- Set your phone to erase all data after too many unsuccessful login attempts (perhaps 10).
- Change your screen lock display to include your email address or alternate phone.
- Record and save the device’s make, model, and serial number as well as the IMEI, MEID, or ESN number.
2. Secure your connections to networks.
- Use your office (private, staff only) Wi-Fi network.
- If that is not available, use your cellular plan.
- If you must access office systems that have access to personal health information (PHI) from a public Wi-Fi, set up a Virtual Private Network to access a work computer and then run the desired system.
3. Keep security in mind.
- Don’t leave your device unattended. Remember, you’re protecting your patients and your practice.
- Install only secure apps, and allow access to only the minimum necessary information.
- Don’t open suspicious emails or visit questionable websites.
- Never put the answers to your security challenge questions on social media.
- Don’t store PHI in your contact list.
4. Restrict access to the device.
- Don’t let kids install apps on a device used for work.
- You can use iOS’s “guided access” or Android’s “guest mode” to let others use the device.
5. If you lose a device that contains sensitive practice or patient information on it, act fast. Immediately contact your practice’s IT provider who should advise you to:
- Contact the police, cell phone provider, and perhaps even the manufacturer.
- Use the “kill” switch to destroy EVERYTHING on the phone.
6. Dispose of the device securely.
- Backup the device and the data to a hard drive and/or the cloud.
- Verify that all the critical data is backed up and is readable.
- Remove any external memory cards (the micro SD card, not the SIM card).
- Destroy the data on the device.
- Perform a factory reset.
Remember, when you delete files on these devices, you are only telling the system that they can overwrite the information. It does not actually delete it.
For most of us, information security is a hidden cost that we must pay, one way or another. It is just cheaper to pay it upfront.
Information security is a vastly complex issue for institutions of all kinds, including government, intelligence and military organizations. The guidance offered here is for informational purposes only and should not be considered exhaustive, nor should it be considered legal advice.
For more information, attend my talk at the American Academy of Ophthalmology’s national conference on Nov. 13 in New Orleans, or visit www.Analytrix.com/tips to view guidance from top medical, government and military institutions. OP