Escaping the HIPAA Minefield from Mobile Devices

Author: Josiah Dykstra, Ph.D.

If you secure just one electronic device in your practice, it should be your smartphone.

Surprised? Not all computing devices are created equal. When people think of Health Insurance Portability and Accountability Act (HIPAA) security, they naturally focus first on protecting the desktop computers used for testing, programming, and administration. There are no special HIPAA rules for smartphones or tablets, but protected health information (PHI) must be secured no matter the technology. Yet mobile devices – smartphones, tablets, and laptops – present a unique and critical risk to PHI and the practice because of their principal feature: portability.

Portability is a powerful and desirable feature, allowing users to connect and work without being confined to one place. Given the computing power available today, mobile devices provide seamless access to email, calendars, banking, contacts, photos, and more. A $1,000 phone or $2,000 laptop is an access point to the user’s most sensitive and private information, which is worth far more than the device itself. Nearly all online accounts, for example, are tied to an email address. If a criminal steals a smartphone and can read the user’s email, the criminal can potentially reach other services such as bank accounts simply by requesting a password reset, which arrives in that same inbox.

According to Verizon, 38% of healthcare organizations were the victim of a security compromise involving a mobile device in the past year [1]. The prevalence of mobile devices in audiology suggests the potential for debilitating cyber incidents and data breaches. Designer Security surveyed 131 private practice audiologists and found that 90% reported at least one laptop in use for work-related purposes, and 70% reported at least one smartphone in use in the practice [1]. Whether staff are permitted to use their personal devices for work (known as “bring your own device,” or BYOD) or the practice supplies the devices, there are numerous steps that can be taken to avoid the landmines of HIPAA violations.

Authentication – including passwords, PINs, fingerprints, and facial recognition – “gets in the way” of using mobile devices for many users. More than a quarter of smartphone owners have no screen lock [2]. Many find it cumbersome or impractical to use long, secure passwords on a mobile device. As a result, it is easier for a thief to gain access to a smartphone than to a desktop computer. Any PIN or password is better than none, but best practice is to select one that is easy to remember and difficult to guess. Do not use birthdays or convenient passwords such as 123456 (the most common password in 2019 [3]) or 111111 (the ninth most common), which are the first values an attacker tries. Biometrics such as a fingerprint or Face ID are convenient and better than nothing, but they are less secure than a good password or PIN; note also that every biometric unlock falls back to the device PIN or password, so that fallback must be strong in its own right.

Unlike most work computers, smartphones and tablets are commonly shared with friends and family members. Maybe kids watch videos on the phone, or a partner browses the internet on the tablet. These are mild to moderate risks that practice owners may be willing to accept, but they increase the threats to the device and to the PHI it can reach. If the smartphone connects to guest Wi-Fi at restaurants or hotels without a VPN, that is a severe risk akin to sharing the device with strangers. Each of these sharing activities compounds the risk to the device, and in turn to accessible PHI, sensitive business accounts, and other connected information.



Control Yourself! Hands-On Smartphone Security & Privacy
Josiah Dykstra, Ph.D.

At AuDacity 2020, Designer Security presented seven practical steps to improve security and privacy on iPhone and Android phones. The steps are briefly summarized below, and step-by-step videos are available online [4].
  1. Install software updates.
    Hackers commonly attack vulnerabilities in unpatched software. Bug fixes and new features are released for smartphone apps on a routine basis. Enable automatic updates or manually check each week for both operating system and app updates.
  2. Set up strong authentication.
    Make it difficult for a thief to get at data even with physical access to the device. Enable one or more ways to authenticate to the mobile device, such as a password, PIN, or fingerprint. Longer passwords are more secure; select one that is easy to remember and difficult to guess.
  3. Set a screen lock and timeout.
    Require authentication every time the user accesses the device and enable automatic lock after a short inactivity period (a minute or less; the shorter the better). This increases protection if the device is lost or stolen.
  4. Install a password manager.
    It is difficult to generate and remember many strong passwords for websites and apps. Instead, install password manager software such as LastPass or 1Password to store and manage strong passwords automatically.
  5. Set up “find my phone” and remote wipe.
    Both iPhone and Android have features to locate, lock, and erase the phone remotely if it is lost or stolen. Under the HIPAA Breach Notification Rule, the Department of Health and Human Services (HHS) presumes that lost or stolen unsecured PHI is a reportable breach unless the practice can demonstrate, through a documented risk assessment, a low probability that the PHI was compromised; PHI that was rendered unusable, unreadable, or indecipherable (for example, by encryption) is not considered unsecured. Being able to lock and wipe a lost phone remotely is part of making that case.
  6. Anonymize advertiser ID.
    Every device has a unique mobile advertising identifier in the operating system. Increase personal privacy by resetting the ID that advertisers use to track activity and location.
  7. Encrypt all mobile devices.
    Encryption is useful if a phone, tablet, or laptop is lost or stolen because the data stored on the device cannot be read without the passcode or key. On current iPhone and Android devices, storage encryption is on by default and the key is protected by the screen-lock passcode, so this step is only as strong as step 2; on laptops, turn on the built-in full-disk encryption (FileVault on macOS, BitLocker on Windows). Once encryption is enabled, there is practically no noticeable difference when using the device.
In addition to the seven recommendations above, here are three additional safeguards for mobile devices:
  1. Beware of dangerous app permissions.
    When installing apps on devices, pay careful attention to the list of permissions needed and only download apps that request reasonable permissions. A flashlight app, for example, should not need access to the camera or contacts. Malicious apps could use these permissions to access or steal sensitive information.
  2. Securely wipe old phones.
    Before giving away or donating an old phone, be sure to securely erase data that could be left behind. Deleting files does not guarantee that a hacker couldn’t recover them. On an encrypted phone, a full factory reset discards the encryption key, which is what makes the old data unrecoverable; sign out of the Apple ID or Google account first so that activation lock does not leave the phone unusable for the new owner. Step-by-step guides are available online to securely erase and reset most devices.
  3. Use a USB data blocker.
    Be very cautious about charging devices using USB ports in a public place, including bars, airports, and hotels. USB carries both data and power, and a tampered port or cable may attempt to access data on the phone. Consider an inexpensive USB data blocker (also called a USB condom) that physically disconnects the data lines and passes only power (Figure 1).
Figure 1. Prevent unwanted data access with a USB data blocker when charging a phone.


Escaping the landmines that mobile devices present is possible with prevention and dedication. As technology continues to break down barriers about where and how we work, diligence is required to safeguard PHI and other sensitive data, no matter the technology. Cybersecurity professionals are also available to assess individual situations and recommend or deploy layered defenses. Start by defending your smartphone today, and then do the same with your other computers.
Josiah Dykstra, Ph.D. is Founder and Cybersecurity Consultant at Designer Security which provides cyber services for audiologists. He has more than 16 years’ experience in cybersecurity research, practice, and education. Contact him at Josiah@DesignerSecurity.com.
References
[1] J. Dykstra, R. Mathur, and A. Spoor, “Cybersecurity in Medical Private Practice: Results of a Survey in Audiology,” IEEE 6th International Conference on Collaboration and Internet Computing (CIC), 2020.

[2] Pew Research Center, “Americans and Cybersecurity,” https://www.pewresearch.org/internet/2017/01/26/2-password-management-and-mobile-security/, 2017.

[3] Wikipedia, “List of the most common passwords,” https://en.wikipedia.org/wiki/List_of_the_most_common_passwords.

[4] J. Dykstra, “Control Yourself! Hands-On Smartphone Security & Privacy for Audiologists,” AuDacity 2020, https://audiologist.org/archive/audacity-2020-archive.