Can Convenience Be Compliant?
Read more from the latest issue of Billing.
Advances in Technology Create New Security Concerns
By Randy Johnston
Just about every business professional carries at least one mobile technology tool that stores or accesses important content. Because of HIPAA compliance, billing firms have more risk than a typical business. While smartphones, tablets, and portable computers provide a great convenience, what are the pitfalls and dangers of using mobile devices?
Mobile devices are quickly becoming more appealing targets for thieves, not only because of the worth of the physical units but also because of the value of the information to which these devices provide access. It is also evident that many people do not realize that a compromised mobile device is a security risk. Currently, 47 states have breach reporting laws requiring that your customers be informed if their personal information is compromised through a device theft, loss, or break-in on a processing system – unless the device is encrypted. The states without breach reporting laws are South Dakota, Alabama, and New Mexico. Louisiana's rules require breach reporting even if the device is encrypted. When you consider the impact of HIPAA together with the exposure these devices create, we have to consider how to manage the risk better with internal control policies, encryption, and mobile device management software.
I recently found myself seated next to an individual on an airplane who was both busy and significantly connected to important business resources via two different mobile devices. He completed a heated conversation, using his phone, about the need to move funds from one company bank account to another in order to cover upcoming expenditures.
My seatmate then took out his tablet, brought it out of sleep mode and started working. He did not have a password or passcode on the device. He opened a browser, connected to an online banking site, and made the required fund transfer. Both the username and password for the banking utility were stored on the tablet, so he did not have to key this information in each time he accessed the site. He then placed the tablet in the seatback pocket of the plane and nodded off to sleep.
This illustrates not only the need for security, but also the apathy toward the need for controls to protect devices and data. This article highlights some of the more pervasive security issues that arise when dealing with mobile technology. We will then look at a few of the many security measures that both organizations and individual users should consider to improve security. Finally, we'll close with a short update on the dominant mobile platforms.
Security Issues and Practices to Mitigate Them
Users must guard against and prepare for three primary concerns: theft or loss of a mobile device; damage, destruction, or the malfunction of the physical unit; and compromised venue security when the device is in use.
Theft or Loss of a Device
People regularly lose control of mobile technology. When someone no longer possesses a device, the list of bad things that can happen grows quickly: the value of the asset is lost, we lose access to the content on the device, others may gain access to content stored on or accessible from the unit, and someone could initiate communication from the device that recipients would believe came from the original owner.
Here are some important controls to have in place:
- The first line of defense is to create and enforce policies that safeguard against loss or theft. As an example, an important control is to make sure employees never leave devices unattended and that they do not place mobile technology in areas where it may be forgotten (such as the aforementioned seatback pocket on an airplane, a restaurant, or a customer site).
- A second important control is to make sure all mobile units have encrypted storage and have password or passcode protection in place. This way, if someone steals or finds a smartphone or tablet, they have to crack the password to gain access to data stored on it. This gives the user time to invoke additional security measures. Many mobile device operating systems, such as iOS and Android, provide the ability to remotely "wipe" the contents of a stolen or misplaced device. Wiping a device removes the content stored on it, thus making the value of the unit the only benefit for the person who takes it. The password will – hopefully – keep the contents secure until the wipe procedure is completed. With the arrival of laws requiring "kill switches," such as the California Smartphone Kill Switch Law, which goes into effect July 1, 2015, stolen devices will have to have the ability to be disabled by their owner. Since manufacturers will comply with the California law, we should all benefit from this new feature on smartphones in all states. Provisions of this law include (1) if triggered by an authorized user, the phone will lock the handset, making it useless; (2) the law doesn't specify how the system locks the phone; (3) the feature must be installed and activated in new smartphones; (4) users will be able to deactivate this feature; and (5) however vendors implement the protection, it must be resistant to attempts to reinstall the operating system.
- Finally, companies should consider mobile device management (MDM) and mobile device tracking applications to add security and provide unit-tracking capabilities. MDM applications allow an administrator to encrypt all or part of a mobile device's storage, enforce password policies that dictate the length and complexity of the passwords used, and limit the types of applications and content placed onto a mobile device. There are many available options for MDM applications with varying price points. A few of the most popular are MobileIron, Good, Maas360, Centrify, and AirWatch. However, these products do not come cheap, with typical charges around $10 per device per month. Track and trace apps such as LoJack or CyberAngel provide added capabilities for those wishing to find lost or stolen devices by employing some of the unit's built-in tools, like GPS location services and the forward-facing camera (to take pictures of those who currently possess the device).
Damage, Destruction, or the Malfunction of the Mobile Technology
Mobile technology is easily damaged or destroyed and sometimes malfunctions, which can be expensive to repair or replace and can cause the loss of important content. It might be a good idea to carry insurance coverage on mobile technology to minimize the cost for new units or to repair damaged ones. It is also a great practice to make sure that key data stored on mobile devices is backed up so you can recover it if necessary. Backup applications are plentiful, and because of the tremendous connectivity supported by mobile hardware, it is easy to have up-to-date backups of all important content.
Let's go back to the incident I shared earlier about the individual on the airplane. I was not trying to find out about the operation of his organization, yet I now know the bank they use and information about particular vendors and the way in which they are paid. If someone who was intentionally trying to gain information about this business sat where I was, the consequences could be notable. What if, for example, a person with ill intent removed the tablet while the owner slept? That person could make a transfer of funds or a bill payment to a fraudulent recipient.
Users of mobile technology must maintain control of their devices at all times. They also must be aware of the venue in which they use their smartphones, tablets, and laptops, because prying eyes and eavesdropping ears are a very real possibility. Further, this could be a HIPAA violation if patient data was visible on the device in use. People should take a few moments to verify the security of the location in which they choose to use their devices.
What Types of Devices Are Available?
Vendors have been actively updating both hardware and software during this past year. Whether you choose Apple iPhones and iOS, Android phones from a variety of manufacturers, Blackberry, or Windows phone options, you'll discover new hardware and new operating systems. Likewise, tablets including the iPad, Android, and Windows options have all had hardware and software updates.
Apple has increased the size of its phones, with both the iPhone 6 and 6 Plus sporting new 4.7-inch and 5.5-inch screen sizes. Security may have become simpler with fingerprint identification included on these products, as well as on the iPad Air 2 tablet. The biggest innovation in iOS 8.1 is the arrival of Apple Pay, which promises to be a contender in near field communication (NFC) payment options. You can expect vendors to incorporate these payment options into encounter systems because of their ability to integrate so many payment sources. Further, the security of the payments is good, while convenience is excellent. With the October 1, 2015, requirements of EMV (Europay, MasterCard, and Visa) chip compliance, payment systems will be radically changed over the next year. Remember to work with your billing clients, and your own firm, to ensure compliance so the bankcard issuer retains the liability on any credit card payment, instead of you, the acquirer.
The Android operating system is transitioning from version 4.4 to 5.0 with a number of convenience and security improvements. For example, if you receive a call from a number not in your contacts, your phone will look for matches from businesses with a local listing on Google Maps. The supporting hardware, such as the Samsung Galaxy S5 or the Samsung Galaxy Note 4, provides larger screens with faster processors. Motorola/Google/Lenovo is making similar hardware improvements in the Android lineup. Remember that Android features and operating systems vary widely by manufacturer and product.
Even though Blackberry no longer dominates the corporate world, their operating system and the Blackberry Enterprise Server (BES) together remain the most secure mobile operating system available without using MDM. Further, BES has been updated to support iPhones, Android, and the Windows operating systems. Blackberry introduced new hardware recently, as well.
You will find new options in the Windows platform with the Nokia Lumia family, specifically the 1525. With Windows 8.1 mobile, and the arrival of Windows 10 in 2015, we will see the portability of apps between the desktop/laptop and the mobile devices.
Protect Yourself Moving Forward
Because of the growing use of and dependence on mobile devices, the amount of information stored and accessed by these units is increasing. This makes them a more interesting target for those with nefarious intent. Because this is the case, you should protect both the devices and the content they deliver. Organizations should have mobile security policies in place and processes to implement them. Individuals need to exercise due diligence to make sure the mobile devices they carry are as secure as possible.
Randy Johnston is the CEO and cofounder of Network Management Group, Inc. He and his NMGI team provide IT consulting services and recommendations to HBMA members as a membership benefit. If you have questions on any hardware, software, procedures, or IT strategies for your firm, contact firstname.lastname@example.org.