As an IT Director, my biggest concern outside the walls of our office is the mobile devices assigned to all our vehicles and with our management staff. Per the Ponemon Institute, stolen patient medical data sells on the dark web for $350 per record, compared to stolen credit card information, which sells for only $5. While it’s unlikely that your device will end up in the hands of someone with ill intent, we still need to prepare for the worst-case scenario. There are a few steps we can follow to ensure that we have a strong defense against having data on a misplaced device cause irreparable damage.
1. Educate Your Staff
Your first line of defense should be your field providers. It’s important to create strong policies so your staff has a clear and concise understanding of what is expected of them and why. It’s one thing to have policies in place, it’s another to make sure they are enforced. It may be common practice to not discuss a previous call in public, but to a brand-new EMT, they may not understand the full implications. At the end of the day, you can’t control everything said by every member of your team. The best you can do is train your staff on the rights of your patients and your joint responsibility to protect their privacy. Inadvertently sharing patient health information (PHI) isn’t limited to an overheard conversation. We should also be cognizant of what we as a company and our field providers are posting to social media. If you don’t have a social media policy, take a look at this example policy and create one.
2. Encryption
A good starting point is device encryption using software such as McAffe Encryption or Symantec Endpoint Encryption. All hard drives, portable storage devices, and smart phones must have the best available encryption installed and configured.
3. Device Configuration
Each agency looks at the security on mobile units differently. We lock down the operating system (OS), but leave Internet open on our devices with content controls and history enabled. Malware and patches are updated regularly. We limit the access to writing to external devices and all other non-essential functions for our field providers through the Windows Group Policy Object (GPO). We configured NetTime to update our time at a set interval against our time servers. The most impactful tool we use is a reboot to restore software. Each time a machine is rebooted, it goes back to the point in time that the unit was put into service. In our environment, we protect the C drive where the OS lives and allow changes to the D drive, where we redirect our patient care reports (PCR) and monitor data. Only specifically configured software has access to save to the D drive, limiting the possibility of fouling the drive. So, if a virus or malware were to infect the machine or the registry was hijacked, reboot to restore.
4. Set Strong Passwords
Encryption is great – if you set a strong password. Use 12345 or password, the two most frequently used passwords, and you’re asking for trouble. And definitely never use an administrative level account with a default password. Best practice is to use different passwords for your user, admin, and SQL System Admin (SA) accounts. Also, make sure to set a session idle timer to lock the computer when the computer isn’t in use.
5. Remote Wipe
An always on connection to your mobile devices – such as Absolute’s Computrace, DDS, or LoJack – enables you to view multiple data points that could aid in the recovery of a misplaced unit. You also have the ability to send a persistent or non-persistent delete, depending on the hardware configuration, of the unit’s hard drive if necessary. Computrace is an application that could be embedded into a laptop or tablets Basic Input/Output System (BIOS). Even if you flash the BIOS, you won’t be able to reinstall an OS. Within the software, you are also able to create geofences to notify you if a device leaves its assigned area. Our agency is of the mindset that if ever you’re in doubt, wipe it.
6. Bring Your Own Device (BYOD)
It’s an inevitable that someone in your organization wants to use their own device for one reason or another. If they would like email, or any service you would provide to a company-issued device, you should continue to maintain the same level of security. Virus protection, or remote wipe of a mobile device, can be accomplished in a myriad of ways. Look at your current virus protection to see if mobile security and remote wipe is already an option or an add-on.
7. Decommissioned Devices/Drives
When it’s time for new hardware, or just refreshing some equipment you have had out in the field, destroy any hard drives, or at very least, use one of the many available data erasure products available. The paper shredding company you use at your corporate headquarters may also provide drive shredding services as well. (They should provide you with a record of destruction, if not insist on one.) It’s a good practice for hard drives, flash drives, photo copier drives, etc. Check out this resource for the sanitizing of most devices.
8. Electronic Transmission of PHI
When PHI is transmitted through a network, wireless transmission, email, or other form of electronic transmission, your agency should use an encryption process specifically designed for each method. If you already have a spam firewall, chances are you either have or can add-on auto encryption that would scan any email leaving your domain for Health Insurance Portability Accountability Act (HIPAA)-protected information and add encryption if the configured conditions are met. A Secure Socket Layer Virtual Private Network (SSL VPN) is a good option for remote access into a network. File Transfer Protocol (FTP), Server Message Block (SMB), and Web Distributed Authoring and Versioning (WebDav) all can have the appropriate levels of security applied.
To learn how to identify and manage the top risks of a HIPAA breach, visit ZOLL’s blog.
9. Breech Analysis
So you’ve hardened your system and you confident in your device security, but something happened. What do you do now? If your immediate thought was “I don’t know or someone else should know,” it may be a good time to create a policy. How you react to a situation is important, and if you are unaware of the proper steps now, take a few minutes and go through a mock scenario. Then check out HIPAA’s resource on breach notifications or PRO EMS’ sample policy.
Although this is only a few brief points of security, to successfully maintain best practices within your mobile fleet, you need to adapt to new threats and be aware of possible situations as they come. At our agency, using the ZOLL Suite of products has enabled us to have a reliable platform to collect all the information for a call in one easy-to-access location. The Security Module has also made end-user security easy to configure and modify if necessary.
If your company uses WebPCR, please make sure you have a cert associated with the eDistribution site. Free services such as US-CERT and Cyber Heist News are good resources to keep up to date on ongoing threats. Our agency is committed to bringing in an outside audit firm to put us through a SSAE 16 Type II and HIPAA audits yearly. Although we have never been mandated to perform such audits, it’s a good practice to ensure the level of security that’s necessary.