Mobile Device Security
Presented by
Kelly Wilson
Manager of Information Security, LCF Research
New Mexico Health Information Collaborative (NMHIC) and the
New Mexico Health Information Technology Regional Extension Center (NM HITREC) Albuquerque, New Mexico
Live webinar conducted Wednesday, April 17, 2013
2309 Renard Place SE, Suite 210 Albuquerque, New Mexico 87106
Credit not available for replay
MOBILE DEVICE SECURITY
Purpose: You will review the many ways we manage patient information, receive an overview of the newer devices being added to the mix, discuss the ways we should be safeguarding patient information on mobile devices (physical, technical, and administrative controls), and be made aware of the risks of not taking security of these devices seriously.
Kelly Wilson: Mr. Wilson is the Manager of Information Security for LCF Research. He has 20 years of experience in information technology, including 15 years in healthcare IT. He is the go-to person at LCF for technical HIT security information and solutions for the New Mexico Health Information Collaborative (NMHIC) and the New Mexico Health Information Technology Regional Extension Center (NM HITREC) programs. Prior to joining LCF, Mr. Wilson worked for Presbyterian Healthcare Services for twelve years, as Manager of Information Security for three and a half years and a Systems Engineer for eight and a half years. While serious about security, Mr. Wilson enjoys taking risks as a sky diving instructor and motorcycle enthusiast.
Disclosure: Everyone in a position to control the content of this educational presentation has disclosed all relevant financial relationships with any commercial interest to LCF Research, the provider of continuing education credits. LCF is occasionally awarded research and educational grant funding from industry and estimates such funding at less than 25% of overall revenue. None of these presenters have any relevant relationships to disclose.
All faculty and planning committee members have attested that: 1) the content they contribute will promote improvements in healthcare and not any specific proprietary business interest of a commercial interest, and that 2) content for this activity will be well balanced, evidence-based, and unbiased. Materials have been reviewed (by a third party where necessary) for validity and bias, and modified where necessary by the course directors and members of the planning committee. Participant feedback about perceived bias towards any commercial entity in the presentation will also be requested.
LCF Research is accredited by the New Mexico Medical Society to provide continuing medical education for physicians.
LCF Research designates this live activity for a maximum of 1.0 AMA PRA Category 1 CreditTM. Physicians should claim only the credit commensurate with the extent of their participation in the activity.
This activity may be acceptable for the Nursing and Physicians Assistant CE credit if applicability to practice can be shown. Nurses and Allied Health Professionals are encouraged to attend.
An Evaluation/Statement of Participation form is required to record CME credit and is requested from all participants.
Credit certificates will be e-mailed directly to those completing the evaluation/statement of participation form.
The New Mexico Health Information Technology Regional Extension Center (NM HITREC) is a collaboration of three organizations – LCF Research, HealthInsight New Mexico, and the New Mexico Primary Care Association – who are working together to support healthcare providers throughout the state in achieving “meaningful use” of electronic health records (EHRs) to improve patient care.
Mobile Device Security
Kelly Wilson, Information Security Manager, LCF Research / NMHIC
NMHITREC Partner
Introductions:
Why are you here?
Patient Data: The Good ‘ol Days
• FAX
• Phone
• Snail Mail
• “Sneakernet”
• Closed, proprietary EHRs
Patient Data: Today
• Thumb drives, DVDs, removable media
• Remote access from home/away from the office
• Smart phones, tablets, laptops, home PCs
• Web-based EHRs
• HIE: Health Information Exchanges
• Mobile devices
Mobile Devices Overview:
It’s a “Box of Radios”
• Smartphones: A handheld computer that also makes phone calls.
• Tablets: Same as a smartphone but doesn’t make phone calls.
• Bluetooth (wireless audio and/or data).
• WiFi (wireless Internet).
• GPS (Global Positioning System, location to about 3 meters).
• 3G / 4G (phone network data connections).
• NFC (Near Field Communication: bump, swipe, pay terminals, etc.).
• Turn off radios that are not in use.
Devices Overview: Operating Systems
• Google / Android
• Apple / iOS
• Blackberry
Mobile Devices Overview: Cool Stuff
• Thousands of apps
• Always online mobility – the Internet in your pocket
• Easy to use
• Lots of internal memory: a mobile hard drive
• Easy to share stuff
• Stores your email, web and bank accounts and
passwords
• Location based services: maps, directories,
retailers
Mobile Devices Overview: Not so cool stuff
• Apps designed to share you and your data with minimal controls.
• Security problems like a regular computer: Malware, Spam, Key loggers.
• Difficult to secure, confusing permission options.
• The bad guys of the Internet want what's in your pocket.
• Stores your email, web and banking accounts and passwords.
• Easier to lose, high rate of theft.
• Unauthorized use.
Mobile Devices Overview: Cameras
• Built-in photo and high-def video.
• Location info embedded into photos.
• Barcode readers.
• QR (Quick Response) codes: risks (a scanned code is an arbitrary link you cannot read before opening it).
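The “location info embedded into photos” point above can be checked and fixed on the file itself rather than by trusting the camera app. The following is an added example, not code from the presentation: it walks a JPEG's marker segments, reads the Exif GPS IFD to recover the embedded coordinates, and strips the whole Exif APP1 segment so a clinical photo leaves the device without its location, camera model or timestamp. The sample JPEG is constructed in code (a minimal header carrying only a GPS IFD and a stub scan, not a real image) and its coordinates are made up; the tag numbers 0x8825 and 0x0001 to 0x0004 are the standard Exif GPS tags.

```python
# Find and strip the Exif GPS location a phone camera embeds in a JPEG (added example).
import struct

TAG_GPS_IFD = 0x8825  # IFD0 entry pointing at the GPS sub-IFD (standard Exif tag number)
GPS_TAGS = {0x0001: "lat_ref", 0x0002: "lat", 0x0003: "lon_ref", 0x0004: "lon"}

def _segments(jpeg):
    """Yield (marker, start, end) for each header segment up to and including SOS."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError("corrupt marker at offset %d" % pos)
        marker = jpeg[pos + 1]
        if marker == 0xD9:            # EOI reached without a scan
            return
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]   # counts its own 2 bytes
        yield marker, pos, pos + 2 + length
        if marker == 0xDA:            # SOS: entropy-coded data follows, stop parsing
            return
        pos += 2 + length

def _is_exif(jpeg, marker, start):
    return marker == 0xE1 and jpeg[start + 4:start + 10] == b"Exif\x00\x00"

def _entries(tiff, ifd_off, e):
    """Yield (tag, type, count, offset of the 4-byte value field) for each IFD entry."""
    n = struct.unpack(e + "H", tiff[ifd_off:ifd_off + 2])[0]
    for i in range(n):
        at = ifd_off + 2 + 12 * i
        tag, typ, count = struct.unpack(e + "HHI", tiff[at:at + 8])
        yield tag, typ, count, at + 8

def extract_gps(jpeg):
    """Return (lat, lon) in decimal degrees from the Exif GPS IFD, or None if absent."""
    for marker, start, end in _segments(jpeg):
        if not _is_exif(jpeg, marker, start):
            continue
        tiff = jpeg[start + 10:end]             # TIFF block; all Exif offsets are relative to it
        e = "<" if tiff[:2] == b"II" else ">"   # byte-order mark
        ifd0 = struct.unpack(e + "I", tiff[4:8])[0]
        gps = [struct.unpack(e + "I", tiff[v:v + 4])[0]
               for tag, _t, _c, v in _entries(tiff, ifd0, e) if tag == TAG_GPS_IFD]
        if not gps:
            return None
        fields = {}
        for tag, typ, count, v in _entries(tiff, gps[0], e):
            name = GPS_TAGS.get(tag)
            if name and typ == 2:       # ASCII hemisphere ref, short enough to sit inline
                fields[name] = tiff[v:v + count].rstrip(b"\x00").decode("ascii")
            elif name and typ == 5:     # 3 RATIONALs (deg, min, sec) stored at an offset
                off = struct.unpack(e + "I", tiff[v:v + 4])[0]
                n = struct.unpack(e + "IIIIII", tiff[off:off + 24])
                fields[name] = n[0] / n[1] + n[2] / n[3] / 60 + n[4] / n[5] / 3600
        if "lat" in fields and "lon" in fields:
            lat = -fields["lat"] if fields.get("lat_ref") == "S" else fields["lat"]
            lon = -fields["lon"] if fields.get("lon_ref") == "W" else fields["lon"]
            return round(lat, 6), round(lon, 6)
    return None

def strip_exif(jpeg):
    """Return a copy of the JPEG with every Exif APP1 segment removed; pixel data untouched."""
    out, last = bytearray(), 0
    for marker, start, end in _segments(jpeg):
        if _is_exif(jpeg, marker, start):
            out += jpeg[last:start]
            last = end
    out += jpeg[last:]
    return bytes(out)

def build_sample_jpeg(lat_dms, lat_ref, lon_dms, lon_ref):
    """Constructed fixture: SOI, JFIF APP0, Exif APP1 holding only a GPS IFD, stub scan, EOI."""
    e = ">"
    ifd0_off, gps_off, rat_off = 8, 26, 80    # header 8 | IFD0 18 | GPS IFD 54 | rationals 48
    tiff = b"MM\x00\x2a" + struct.pack(e + "I", ifd0_off)
    tiff += struct.pack(e + "H", 1) + struct.pack(e + "HHII", TAG_GPS_IFD, 4, 1, gps_off) + b"\0\0\0\0"
    tiff += struct.pack(e + "H", 4)
    tiff += struct.pack(e + "HHI", 0x0001, 2, 2) + lat_ref.encode() + b"\0\0\0"
    tiff += struct.pack(e + "HHII", 0x0002, 5, 3, rat_off)
    tiff += struct.pack(e + "HHI", 0x0003, 2, 2) + lon_ref.encode() + b"\0\0\0"
    tiff += struct.pack(e + "HHII", 0x0004, 5, 3, rat_off + 24) + b"\0\0\0\0"
    for d, m, s100 in (lat_dms, lon_dms):       # seconds carried as hundredths
        tiff += struct.pack(e + "IIIIII", d, 1, m, 1, s100, 100)
    exif = b"Exif\x00\x00" + tiff
    app1 = b"\xff\xe1" + struct.pack(">H", len(exif) + 2) + exif
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    scan = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00" + b"\x12\x34"
    return b"\xff\xd8" + app0 + app1 + scan + b"\xff\xd9"

# Constructed coordinates near Albuquerque: 35°05'12.34" N, 106°39'20.00" W
SAMPLE_JPEG = build_sample_jpeg((35, 5, 1234), "N", (106, 39, 2000), "W")
```

Calling extract_gps(SAMPLE_JPEG) gives the embedded position; after strip_exif the same call returns None and the pixel data is byte-for-byte unchanged. Stripping removes the whole Exif block, so camera model, timestamps and the embedded thumbnail go with the location, which is what you want for a photo of a wound or a chart. The parser stops at the first scan marker and handles only the JPEG container; images exported as PNG or HEIC carry metadata differently and need their own handling.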
Device Risk Management: Mine vs. Yours
• BYOD (bring your own device):
• More difficult to secure
• Lack of accountability
• Security left to individuals
• Lack of standard security configurations
• Multiple untrusted users (family, friends)
• Rooting, jailbreaking, unauthorized apps
Mobile Device Risk Management:
• Company issued/controlled:
• Documented security policies
• Authorized applications
• Authorized users
• Managed security configurations (Exchange ActiveSync, Apple MDM)
• Password strength/quality, auto screen lock, login failure lockouts
• Device and removable media encryption, anti-malware
• Security logging
Mobile Device Risk Management:
(cont.)
• Administrative Safeguards:
45 CFR Part 164 Subpart C, § 164.306 Security standards: General rules:
• Ensure the confidentiality, integrity, and availability of electronic Protected Health Information.
• Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
Mobile Device Risk Management:
(cont.)
§ 164.308 Administrative Safeguards:
• Risk Analysis and Risk Management
• Risk Assessment Guidelines: NIST SP 800-30 and NIST SP 800-39
• Policies and Procedures
• What should a policy cover?
• What should a procedure cover?
• End user training
Mobile Device Risk Management:
(cont.)
§ 164.312 Technical Safeguards:
• Passwords, Screen locks, Swipe codes
• Encryption: Data in motion – Data at rest
• VPN: Virtual Private Networks
• Anti-Virus, Anti-Malware, Phishing protection
• Loss/Theft: “Find Me” apps, Remote device
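The passcode, auto screen lock and login failure lockout settings listed under “Company issued/controlled” and again under Technical Safeguards are easiest to reason about as one small state machine. The following is an added example, not the presenter's code and not how iOS, Android or Exchange ActiveSync implement it internally: a simulated lock screen that rejects passcodes failing the policy, stores only a salted PBKDF2 hash, re-locks after an idle window, and wipes after too many failed attempts. The policy defaults, the rule names and the passcodes used are assumptions made for the example.

```python
# Simulated lock screen enforcing an ActiveSync/MDM-style passcode policy (added example).
import hashlib
import secrets
from dataclasses import dataclass

@dataclass(frozen=True)
class PasscodePolicy:
    """The policy knobs named on the slides; the default values are assumptions."""
    min_length: int = 6
    require_alphanumeric: bool = True
    max_failed_attempts: int = 10         # reaching this wipes the device
    inactivity_lock_seconds: int = 300    # auto screen lock after 5 idle minutes

def passcode_violations(pw, policy):
    """Return the policy rules a candidate passcode breaks (empty list means acceptable)."""
    problems = []
    if len(pw) < policy.min_length:
        problems.append("shorter than %d characters" % policy.min_length)
    if policy.require_alphanumeric and not (any(c.isalpha() for c in pw) and any(c.isdigit() for c in pw)):
        problems.append("needs both letters and digits")
    if len(set(pw)) == 1 or (pw.isdigit() and (pw in "0123456789" or pw in "9876543210")):
        problems.append("repeated or sequential characters")
    return problems

class DeviceLock:
    """Stores a salted PBKDF2 hash, counts failures toward a wipe, re-locks when idle."""
    def __init__(self, policy, passcode, now):
        bad = passcode_violations(passcode, policy)
        if bad:
            raise ValueError("passcode rejected: " + "; ".join(bad))
        self.policy = policy
        self.salt = secrets.token_bytes(16)
        self.digest = self._hash(passcode)
        self.failed = 0
        self.locked = True
        self.wiped = False
        self.last_activity = now

    def _hash(self, pw):
        # Slow hash so a dumped flash image cannot be brute-forced cheaply offline
        return hashlib.pbkdf2_hmac("sha256", pw.encode(), self.salt, 100_000)

    def is_locked(self, now):
        """Apply the inactivity rule: an unlocked device re-locks once idle too long."""
        if not self.locked and now - self.last_activity >= self.policy.inactivity_lock_seconds:
            self.locked = True
        return self.locked

    def touch(self, now):
        """Record user activity; only extends the session while still unlocked."""
        if not self.is_locked(now):
            self.last_activity = now

    def attempt_unlock(self, pw, now):
        """Return 'unlocked', 'denied' or 'wiped'. A wiped device never unlocks again."""
        if self.wiped:
            return "wiped"
        if secrets.compare_digest(self._hash(pw), self.digest):
            self.failed, self.locked, self.last_activity = 0, False, now
            return "unlocked"
        self.failed += 1
        if self.failed >= self.policy.max_failed_attempts:
            self.wiped, self.locked, self.digest = True, True, b""   # content gone: no more unlocks
            return "wiped"
        return "denied"
```

Two details matter in practice and are easy to get wrong: the failure counter resets only on a successful unlock, never with time, so a thief cannot wait the lockout out; and a wiped device stays wiped even if the correct passcode is entered afterwards. The setting names that drive these behaviours differ by vendor (ActiveSync mailbox policies, Apple configuration profiles), but each maps onto one of the fields in PasscodePolicy.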
Security and Privacy:
• Most common threat to data loss = people
• Why? Too hard, or they just think it doesn’t apply to them
• Hundreds of thousands of mobile devices are lost or stolen every year.
• Puts the business at risk
• Large fines
• Consumer/patient confidence
Resources:
• U.S. Computer Emergency Readiness Team (US-CERT): http://www.us-cert.gov
• National Institute of Standards and Technology (NIST): http://www.nist.gov/information-technology-portal.cfm
• U.S. Department of Health & Human Services: http://www.hhs.gov/ocr/privacy/hipaa/administrative/enforcementrule/index.html
Mobile Security References:
• Threatpost: http://threatpost.com
• Naked Security: http://nakedsecurity.sophos.com
• McAfee Mobile Security: http://blogs.mcafee.com/tag/mobile-security
• FCC Smartphone Security Checker: http://www.fcc.gov/smartphone-security
• Crimecatchers (stats): http://blogs.absolute.com/crime-catchers/mobile-theft-the-facts/
• Apple Mobile Device Management: http://www.apple.com/iphone/business/it-center/deployment-mdm.html
Mobile Device Security:
What’s best for you?
Mobile Device Security Tips
• Learn to read and understand Terms of Service and app permissions.
• Don’t download any uninvited app or respond to any unknown texts or email.
• Decide on a password no one could possibly guess. Include special characters and at least one number. Write it down in a safe place. Change your passwords every few weeks.
• Get the best security software you can get for your device and learn how to configure and use it.
Mobile Device Security Tips
(continued)
• Don’t make purchases on your mobile device on public Wi-Fi, and only make financial transactions on secured sites.
• Keep your phone locked when you’re out and about, and don’t lend it out.
• Keep your apps and device software up to date.
• If you don’t need/use it, delete it
• Don’t let your device record anything you don’t
Questions?
This material was prepared by the New Mexico Health Information Technology Regional Extension Center (NM HITREC) as part of its work as the Regional Extension Center for New Mexico, under grant #90RC0028/01 from the Office of the National Coordinator for HIT, U.S. Department of Health and Human Services. NMHITREC-13