Healthcare IT differs from mainstream IT in many ways, and the biggest difference is securing patient information. Across the industry, providers are taking steps to encrypt and secure desktops and laptops. But what about smartphones and Blackberry devices? Aren’t they just as vulnerable, given the ever-increasing volume of email flowing through them?
The short answer is YES. There are three levels of protection we recommend you consider to address both HIPAA and HITECH in healthcare:
- Encrypt emails containing protected health information (PHI) that leave your company. “Leaving” is the key word here, and it applies to all emails containing PHI, whether sent from a phone or not. Email shared among your staff on the same mail server never travels over the Internet and needs no further encryption. Email that leaves your company, however, is relayed over the Internet (and/or cellular networks) and can be read in transit by anyone who intercepts it, so it must be encrypted before it is sent.
- Password protect devices. Say a thief gets hold of your smartphone. He or she can immediately read your emails, because the encryption step above only scrambles email during transmission: once a message arrives on your phone it is stored in the clear and can be read by anyone who picks the phone up. Password protecting the device itself keeps unwanted eyes off PHI. Make the password count by pairing it with an automatic lock after a few minutes of inactivity and a limit on failed unlock attempts; a phone that stays unlocked all day is no better than one with no password. Yes, entering a password to read email on a smartphone is annoying, but a PHI breach and the PR disaster that follows are not worth the migraine.
- Encrypt devices. Even if a thief doesn’t know your password, the memory card in your smartphone can be physically removed and read in another phone or a card reader, and the phone itself can be plugged into a computer and its data extracted. Device or “hardware” encryption is the final step and gives the strongest protection: it scrambles the data stored on the device (and ideally on the memory card) so that anything copied off it is unreadable without the device password.
So what levels of protection are possible?
- Blackberry Devices. Blackberry devices can be password protected and encrypted. Data between the device and the email server is encrypted; however, emails leaving the organization that contain PHI still need to be encrypted using a separate encryption solution.
- iPhones. The iPhone 3GS and later support encryption and password protection, as described above for Blackberry devices. The 3G model does not support encryption but can be password protected. Once the requirement is pushed to the device, users cannot turn encryption or the password off. As with Blackberry devices, emails containing PHI that leave the organization need a separate encryption solution.
- Google Android, HP WebOS, and Windows Phone 7. You can require passwords on these devices, but the devices themselves cannot be encrypted as of this writing, so the third level of protection is not available to them. Emails containing PHI that leave your company would still need a separate encryption solution.
If you are a VCPI client, we also have your back: report a stolen device to us and we can remotely “wipe it clean.” Keep in mind that a wipe only takes effect when the device next connects to the network, which is why the password and encryption steps above matter for the hours or days in between.
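As an added example (not part of the original post, and not VCPI’s own configuration): assuming the smartphones sync mail through Microsoft Exchange 2010 ActiveSync, which this post does not name, the password, device-encryption and remote-wipe controls described above can be enforced from the server with an ActiveSync mailbox policy in the Exchange Management Shell, rather than trusting each user to turn them on. The policy name “PHI-Mobile” and the mailbox “jdoe” are hypothetical placeholders. This covers ActiveSync phones (iPhone, Android, WebOS, Windows Phone 7); Blackberry devices are governed by the separate IT policy on the BlackBerry Enterprise Server, which is not shown here.

```powershell
# Added example, not VCPI's own configuration. Assumes Exchange 2010 ActiveSync;
# the policy name "PHI-Mobile" and the mailbox "jdoe" are hypothetical placeholders.
# Run in the Exchange Management Shell with Organization Management rights.

# Level 2: password protect devices, and make the password worth something:
#   alphanumeric code, auto-lock after 15 idle minutes, local wipe after
#   10 failed unlock attempts.
# Level 3: encrypt the device and any removable storage card, so a card moved
#   to another phone or data pulled over USB is unreadable without the code.
# AllowNonProvisionableDevices $false blocks phones that cannot apply the policy
#   at all; a phone that cannot meet the encryption requirement will not sync PHI.
New-ActiveSyncMailboxPolicy -Name "PHI-Mobile" `
    -DevicePasswordEnabled $true `
    -AlphanumericDevicePasswordRequired $true `
    -MinDevicePasswordLength 6 `
    -MaxInactivityTimeDeviceLock 00:15:00 `
    -MaxDevicePasswordFailedAttempts 10 `
    -RequireDeviceEncryption $true `
    -RequireStorageCardEncryption $true `
    -AllowNonProvisionableDevices $false

# Assign the policy to a mailbox (loop over every mailbox that handles PHI).
Set-CASMailbox -Identity "jdoe" -ActiveSyncMailboxPolicy "PHI-Mobile"

# Verify: list the devices partnered with the mailbox and what they reported.
# Status shows DeviceOK once the policy is applied, DeviceWipePending after a wipe.
Get-ActiveSyncDeviceStatistics -Mailbox "jdoe" |
    Select-Object DeviceType, DeviceModel, LastSuccessSync, LastPolicyUpdateTime, Status

# Remote wipe a device the user reports stolen. The wipe is queued server-side
# and only executes the next time the phone connects, so the password and
# encryption settings above are what protect PHI in the meantime.
$stolen = Get-ActiveSyncDeviceStatistics -Mailbox "jdoe" |
    Where-Object { $_.DeviceType -eq "iPhone" } |
    Select-Object -First 1
Clear-ActiveSyncDevice -Identity $stolen.Identity -Confirm:$false
```

Note that Level 1 (encrypting PHI email that leaves the company) is not something this policy provides; ActiveSync only encrypts the link between the phone and your own mail server, so an outbound email-encryption gateway or S/MIME is still needed for messages that cross the Internet.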
Technology is evolving fast, but at the time of this writing (Jan 2011), this is what we know. Clients rely on VCPI to stay on top of what device makers offer in the way of security. The issues can be complex, and executives rest easier knowing there are experts they can trust to sort through the details.
Posted by Dan Jackson, Senior IT Security Engineer, and Erin Zickus, Forensic Technology Consultant; VCPI