Dedicated to providing the latest
HIPAA compliance news

One In Five Companies Has Suffered a Data Breach Involving Mobile Devices

Share this article on:

One in five companies has suffered a data breach involving mobile devices according to a study recently published by Crowd Research Partners. 39% of respondents said malware had been downloaded onto devices supplied to employees by their company or used under BYOD schemes, and almost a quarter of respondents said devices had connected to malicious Wi-Fi networks.

The number of devices that had been compromised is a concern; however, what is more worrying is the extent to which organizations are monitoring the devices that are allowed to connect to their networks. When asked whether devices had connected to malicious networks, 48% of respondents said they were not sure.

When asked whether malware had been downloaded onto mobile devices, 35% said they were not sure, and 37% could not say whether mobile devices were involved in security breaches at their organizations. These results suggest that while mobile devices are allowed to connect to work networks, the controls put in place to keep those devices secure were insufficient in many organizations.

When asked about the risk control measures used to keep devices secure, only 63% said the devices were protected with passwords. In the event of theft or loss of devices, only 49% would be able to remotely delete data on the devices. Just 43% of organizations used data encryption to prevent the exposure of data in the event of device loss or theft.

Most worrying was what happened to devices, and the data stored on those devices, when employees left the company or devices reached end of life. Only 29% of organizations had implemented data deletion policies, 26% said they reformatted devices, and just 17% used data erasure tools. 15% of organizations did not have any controls in place to ensure data were deleted from devices when employees left the company.

Even when polices had been put in place, in many cases data were not deleted 100% of the time. 34% said they always deleted data when employees left the company, 13% said it happened more than half of the time, 7% said it happened between 25% and 50% of the time, 7% said less than 25%, and 14% said data were never deleted.

The survey was sponsored by six security vendors: Bitglass, Blancco Technology Group, Check Point Technologies, Skycure, SnoopWall, and Tenable Network Security, and was conducted on 883 IT professionals from around the world, with 30% of respondents based in the United States. Respondents were all members of the Information Security Community on LinkedIn.

HIPAA and Mobile Devices

HIPAA prohibits the use of mobile devices for communicating PHI unless a number of safeguards are implemented to ensure PHI is protected at all times. Covered entities must ensure that the confidentiality, integrity, and security of electronic protected health information is never placed at risk.

Even if policies have been implemented that prohibit the use of mobile devices for communicating PHI, there is a risk that patient privacy may be accidentally violated or that healthcare workers may, on occasion, use their phones to transmit PHI.

Many healthcare organizations choose to implement a secure text messaging platform to allow physicians and other healthcare professionals to communicate securely using SMS messages. By providing a HIPAA compliant messaging service, healthcare organizations can leverage the benefits of mobile devices without running the risk of violating HIPAA.

In order for a secure messaging service to comply with HIPAA, all messages must be protected with end to end encryption and access controls must be used to ensure PHI can only be viewed by authorized individuals. Secure messaging apps must also prevent the copying of messages or message contents to a clipboard or other non-secure apps. The ability to implement message lifespans and allow messages to be recalled is also beneficial.

Software must also have audit controls and allow the archiving of text messages. In the event of a HIPAA audit, covered entities must be able to demonstrate what has happened with PHI sent in messages. It is also essential that devices can be securely erased in the event of theft or loss, or when users of the system leave the company.

If a messaging solutions lacks these controls, it will not enable messages to be sent without violating HIPAA.

Author: HIPAA Journal

HIPAA Journal provides the most comprehensive coverage of HIPAA news anywhere online, in addition to independent advice about HIPAA compliance and the best practices to adopt to avoid data breaches, HIPAA violations and regulatory fines.

Share This Post On