BYOD, Healthcare and Data Loss Risk in Numbers
A recent study by HIMSS shows that the major use cases for BYOD in healthcare were accessing clinical information (through an application or retrieved from an electronic health record system), finding educational information, and consulting with other caregivers.
Doctors sometimes provide care under more than one system provider (e.g. in private practice as well as at a hospital or clinic); BYOD allows them to carry one device that gives them access to all of their patient data. Similarly, nurses may provide care as contractors for home care providers, and a BYOD device allows these nurses to carry one device that provides access to the records of the patients under their care.
BYOD is widely adopted in the healthcare industry: a 2015 study published in the Journal of Hospital Librarianship estimated that 85 percent of healthcare professionals were bringing their own devices to work, and according to a HIMSS Analytics study almost 40% of healthcare professionals use a laptop. Further to that, a HIPAA Journal study shows that about 60% of data loss was due to lost or stolen computers (31%) or employee error (29%). In fact, only 8% of data loss was attributed to a malicious insider. Strong protection of PHI data on endpoints should therefore mitigate most of the risk associated with a BYOD policy.
In one rather egregious case, a laptop containing 400,000 PHI records was stolen from a parked car. Ensuring that data is inaccessible on a lost, stolen or discarded computer, coupled with controls that limit the damage caused by errors, will go a long way toward demonstrating responsible handling of PHI.
The Evolution to Mixed Use Devices
As organizations move more of their essential business operations to gig-economy workers, more regulated and confidential data is downloaded to BYOD endpoints. Cloud has enabled much of this process: there is no longer any need to connect to a VPN, and simply onboarding a user enables them to access corporate resources (such as EMR systems) from their home computers or laptops.
The implications of BYOD vs. COBO (Company Owned Business Only) are substantial. The graph below traces the trajectory of BYOD adoption. It starts with the standard corporate-provided and corporate-managed COBO device, where any data found on the device is considered the property of the organization (personal use is usually discouraged) and the organization is therefore free to install any (and all) security applications needed to manage and secure the data.
It moves through COPE, where the employer buys and provisions the device but the employee is free to use it for personal purposes. The mix of personal and corporate data requires care in the use of security applications, so as not to expose employee data. For BYOD and CYOD (Choose Your Own Device), where the employee acquires the device, the mix of private and corporate data is thorough, and security applications that compromise privacy can no longer be used. The main difference between the two is that for CYOD the employer provides the employee with a stipend for the device.
Challenges to Securing Data on BYOD and COPE (Company Owned Personal Enabled) Laptops
Striking a balance between securing PHI (and other corporate data), employee productivity, TCO, and employee privacy is critical if BYOD is to be a tenable solution. Furthermore, any controls used must be easy for the employee to deploy and manage.
The Cyber Security Eco-system: Alternative Approaches to Securing Data at the Endpoint
As stated above, there are two main issues that enterprises have to contend with: (i) data abuse and loss risks, and (ii) the introduction of malware onto the device and potentially into the network. Options for the latter that do not compromise privacy include systems such as CASB (and other cloud AV and gateway systems) and, on the endpoint, AV and EDR. Care must be taken to quarantine any detected file on the user's endpoint (rather than uploading it to a corporate quarantine), as the file may contain non-corporate information.
For the former, the task is harder. Some approaches, such as rights management systems (RMS, e.g. Microsoft WIP) and virtual desktops (VDI, e.g. Citrix), can provide some protection at a large cost in overhead and usability. Creating the rules required for RMS is a daunting task for an employee, and deciding on a global rule set to automate the protection is even harder. RMS also typically do not work well with cloud systems and require integration with them to function, making their deployment both expensive and risky.
For VDI the main issue is connectivity: a reasonably fast connection is necessary. Some organizations can make it work, e.g. large insurance companies that have a designated "consultant area" with high-performance networking; they don't expect these consultants to work from home. But for many (e.g. doctors) performance can be spotty in different areas of their workplace, and trying to retrieve medical records while on rounds is frustrating. Data-loss-focused systems (such as DLP) cannot be used at all. While they are very good at detecting information on the endpoint, they cannot differentiate corporate-owned from non-corporate information. The result is that the DLP system will detect and react to all data on the endpoint, enforcing corporate rules on it, and system reports will contain both corporate and employee personal information – a liability for the organization.
Can data security policies bridge some of the gaps? Even with substantial investment in training, not every BYOD-carrying employee will set a corporate-level password or keep the AV on their machine updated.
For BYOD a separate, data-centric security policy is needed. To back it up, isolating the corporate-owned information from all other information on the endpoint is the only way to secure the data without compromising security, privacy and efficiency.