Presentation is loading. Please wait.

Presentation is loading. Please wait.

How Safe Is Your Mobile Information? Issues and Safeguards for Mobile Devices Dan Morrissey, CHSP Catholic Health Initiatives Fourteenth National HIPAA.

Published byOswald Moody Modified over 9 years ago

Similar presentations

Presentation on theme: "How Safe Is Your Mobile Information? Issues and Safeguards for Mobile Devices Dan Morrissey, CHSP Catholic Health Initiatives Fourteenth National HIPAA."— Presentation transcript:

1 How Safe Is Your Mobile Information? Issues and Safeguards for Mobile Devices Dan Morrissey, CHSP Catholic Health Initiatives Fourteenth National HIPAA Summit March 30, 2007

2 Agenda Mobile Information in the Real World Threats and Risks to Mobile Information Safeguards for Mobile Devices

3 Mobile Information in the Real World

4 What is happening out there today? Proliferation of mobile devices and data Laptops, PDAs, Smart Phones, USB Memory Devices, Storage Cards, Blackberries, Converged Devices, Clinical Devices

5 Headlines and Web Postings 130,000 former and current patients have been notified that a laptop with personal information was stolen…(2/7/07) A doctor's laptop was stolen from the Medical Center containing medical information of 22,000 patients. (2/14/07) Two laptop computers stolen from locked vehicle in the Hospital parking lot hold personally identifiable medical information and SSN of 2,500 patients. (2/16/07) A laptop with 7,800 uninsured patients' names, birth dates and Social Security numbers was stolen from the hospital… (2/29/07) Stolen laptop contains medical information on 21,600 health plan beneficiaries. Stolen laptop had medical claims data on 230,000 people

6 Impact on Organizations Compromise of Corporate and/or Personal Confidential Information Public Image and Market Share Financial and Legal Compliance

7 HIPAA GLBA, and other Federal Regulations New State Regulations JCAHO Reviews and Accreditation

8 Real World Examples Large Multi-State Health System  Stolen Laptops and Backup Tapes  365,000 Home Services Medical Records  Arrange and finance on-going credit monitoring  Pay for damaged credit ratings  Class Action lawsuit filed by former patient  Current and former patients and employees outraged  Cost Estimate: $43,800,000

9 Real World Examples Federal Government Health System  Laptop Stolen from data analyst’s home  26.5 Million records: ePHI and SSNs  Desktop Computer missing from subcontractor  38,000 Records: Medical Claims, SSNs  Providing one year credit monitoring  Encrypting all laptops, revamped security training, enhanced authentication requirements

10 Real World Examples National Healthcare Payer  Laptop stolen from employee’s car  59,000 Members’ personal information  Arrange and fund on-going credit monitoring  Now require all information on laptops be encrypted  Implemented new restrictions on use of USB devices  Conducted audit of all computers for compliance  Cost Estimate: $8,142,000

11 Future of Mobile Information Growing usage and reliance on mobile devices for network access, applications, e-mail, and internet. Greatly increased device data storage and capabilities, including audio and video recording, while physical size is decreasing.

12 Future of Mobile Information Advanced clinical mobile devices will become more common. Mobile devices can be adequately protected using a combination of technology, training, and effective polices and procedures. Photo courtesy of GE Healthcare

13 Ownership, Support, and Controls Employee owned devices Software installation and configuration Technical support What happens when employee leaves?

14 Threats and Risks To Mobile Information

15 Threats and Risks to Mobile Information Threats - mobile devices being lost or stolen, or turned into “bricks” Risks - Unauthorized access, distribution, and use of confidential information Risks – potential patient care and safety issues resulting from inability to access medical records when required Risks - damage to proprietary networks

16 Threats and Risks to Mobile Information Technical Human Internet Physical - especially because of size, portability, and physical availability

17 Results of Threats Realized Unauthorized access and theft of proprietary information are the 2 nd and 3 rd most significant causes of information losses and accounted for over $62B in losses for 2005. Cost per lost account record: $138 (min) includes direct and indirect costs, and lost business cost (lost business is 90% from existing customers).

18 Results of Threats Realized Confidential Information Compromised  Personal or corporate / organizational  Identity theft is a growing national concern  Now driven by criminal activities for illegal gain  Consumer / Patient / Corporation at risk  Legal actions by individuals and groups

19 Results of Threats Realized If lost or stolen and access is not available when needed. (This can be critical in patient care and a potential patient safety issue.) Malicious activity can result in direct attack on the device or a denial of service attack. (Both results can also be critical in patient care and a potential patient safety issue.)

20 Results of Threats Realized Entry point to network that by-passes security perimeter protection can result in: Unauthorized access to network  Compromise of confidential information  Malicious software or actions can create serious damage to network systems Interception of communications (especially wireless)

21 Safeguards for Mobile Devices

22 Physical Protection  Device lock  Theft prevention lock  Failed authentication automatic data wipe (after n attempts)  Do not leave devices unattended in plain view anywhere (car, office, airport, etc.)

23 Safeguards for Mobile Devices Authentication to Device and Network  Passwords  Strong – difficult to guess or crack  Changed frequently  Kept secret, not written  Biometrics  Smart Card  Policies enforcement via managed authentication system

24 Safeguards for Mobile Devices Encryption  Data at rest  Disk encryption, whole or part as required  Data base, configuration, software  Centralized encryption key backup and recovery  Data in transit  VPN  IPSec, SSL, S-HTTP  Secure FTP

25 Safeguards for Mobile Devices Device Configuration  Turn off certain capabilities not required for use  Implement all relevant security features available  Disable discoverable and connectable options (e.g. Bluetooth)  Do not store confidential information on devices unless necessary

26 Safeguards for Mobile Devices Protection of the Device and Network  Anti-virus at entry points: email, internet  Device Firewall  Integrity management systems can provide remote control of mobile devices to: Detect unauthorized activities such as changes to system files (caused by virus or other malware) Quarantine device and notify user and administrator Clear data from device if lost or stolen

27 Safeguards for Mobile Devices Enterprise Security Architecture  Network  Anti-virus  Communications  Monitoring – IDS / IDP  Logging and Auditing

28 Recovery and Remediation In the event of a security breach… Security Incident Response Procedures  Determine, assess, and mitigate damage  Ensure that legal is involved from start to end  Inform affected individuals and provide relief  Up front Public Relations  Implement relevant technical measures  Additional / improved education and training  Audit remediation results on regular basis

29 Recovery and Remediation In the event of a security breach… Ensure that event cannot occur again (if possible) Review, revise, and re-establish effective security measures Obtain and secure relevant evidence for prosecution and /or disciplinary action Document the incident, the outcome, and new preventative measures implemented

30 Cost of Protection vs. Cost of Breach Recovery / Resolution  $120 (min) per year per account direct cost for one year of credit monitoring service  Civil / Class Action Lawsuit  Negative Publicity  Lost Revenue  Compare to less than $20 per account to implement adequate security controls

31 Successful Mobile Data Security Establish, implement, enforce and audit effective Security Policies and Procedures for mobile devices: Administrative Technical Physical Training Accountability and Sanctions

32 Final Considerations Stay out of the news and off the web! Effects of a breach will reach far beyond the specifics of the incident. Potential long term consequences. Competitive Health Care environment, especially in the community.

33 Questions and Discussion

34 Thank You! For additional information contact Dan Morrissey danmorrissey@catholichealth.net

Download ppt "How Safe Is Your Mobile Information? Issues and Safeguards for Mobile Devices Dan Morrissey, CHSP Catholic Health Initiatives Fourteenth National HIPAA."

Similar presentations

CS898T Mobile and Wireless Network Handheld Device Security By Yuan Chen July 25 th, 2005.

CS898T Mobile and Wireless Network Handheld Device Security By Yuan Chen July 25 th, 2005.
Computer and Mobile Device Equipment Security Brief May 29, 2008 Presented by: Kevin G. Sutton, Chief, Information Technology Unit.

Computer and Mobile Device Equipment Security Brief May 29, 2008 Presented by: Kevin G. Sutton, Chief, Information Technology Unit.
INADEQUATE SECURITY POLICIES Each covered entity and business associate must have written polices that cover all the Required and Addressable HIPAA standards.

INADEQUATE SECURITY POLICIES Each covered entity and business associate must have written polices that cover all the Required and Addressable HIPAA standards.
Mobile Devices: Know the RISKS. Take the STEPS. PROTECT AND SECURE Health Information.

Mobile Devices: Know the RISKS. Take the STEPS. PROTECT AND SECURE Health Information.
Copyright © 2012, Big I Advantage®, Inc., and Swiss Re Corporate Solutions. All rights reserved. (Ed. 08/12 -1) E&O RISK MANAGEMENT: MEETING THE CHALLENGE.

Copyright © 2012, Big I Advantage®, Inc., and Swiss Re Corporate Solutions. All rights reserved. (Ed. 08/12 -1) E&O RISK MANAGEMENT: MEETING THE CHALLENGE.
Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group 209-754-9130

Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group
HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.

HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.
Invasion of Smart Phones in Clinical Areas Chrissy Kyak Privacy Officer University of Maryland Upper Chesapeake Health.

Invasion of Smart Phones in Clinical Areas Chrissy Kyak Privacy Officer University of Maryland Upper Chesapeake Health.
Personal Data Protection and Security Measures Justin Law IT Services - Information Security Team 25 & 27 November 2013.

Personal Data Protection and Security Measures Justin Law IT Services - Information Security Team 25 & 27 November 2013.
1 Electronic Information Security – What Researchers Need to Know University of California Office of the President Office of Research May 2005.

1 Electronic Information Security – What Researchers Need to Know University of California Office of the President Office of Research May 2005.
Data Security for Healthcare Facilities Debbie Abbott Health Information Consultant Resolutions (Int) Pty Ltd.

Data Security for Healthcare Facilities Debbie Abbott Health Information Consultant Resolutions (Int) Pty Ltd.
Guide to Massachusetts Data Privacy Laws & Steps you can take towards Compliance.

Guide to Massachusetts Data Privacy Laws & Steps you can take towards Compliance.
HIPAA Security Standards What’s happening in your office?

HIPAA Security Standards What’s happening in your office?
Security Controls – What Works

Security Controls – What Works
Information Security Policies and Standards

Information Security Policies and Standards
Personal Data Protection and Security Measures Justin Law IT Services - Information Security Team 18, 20 & 25 March 2015.

Personal Data Protection and Security Measures Justin Law IT Services - Information Security Team 18, 20 & 25 March 2015.
Data Security Issues in IR Eileen Driscoll Institutional Planning and Research Cornell University

Data Security Issues in IR Eileen Driscoll Institutional Planning and Research Cornell University
1 Enterprise Security Your Information Security and Privacy Responsibilities © 2008 Providence Health & Services This information may be replicated for.

1 Enterprise Security Your Information Security and Privacy Responsibilities © 2008 Providence Health & Services This information may be replicated for.
Contact Center Security Strategies Grant Sainsbury Practice Director, Dimension Data.

Contact Center Security Strategies Grant Sainsbury Practice Director, Dimension Data.
Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.

Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.

Similar presentations

Ads by Google