Kaspersky Labs Report Probes Security Attitudes Among BYOD Participants

The rise in popularity of mobile devices has seen many companies adopt a Bring Your Own Device (BYOD) scheme. According to a recent survey by Kaspersky Labs, over half of consumers are now using their own mobiles, laptops and tablets at work and take part in such a scheme.

Due to the benefits of BYOD schemes, they have now been adopted by many HIPAA-covered entities, although the strict regulations covering data privacy and security have, to a certain extent, restricted use of the devices for work purposes more than in other, less well regulated industries.

A Lack of Concern for Work Data
The latest Kaspersky BYOD survey may have shown BYOD schemes have been widely adopted in the United States, but organizations operating such a scheme must effectively deal with the cybersecurity risks the schemes can introduce. While operators of the schemes may address security issues, not all organizations have fully assessed the risks posed by the devices.

Furthermore, it would appear that many participants in BYOD schemes are not particularly concerned about data security. Only 10% of respondents said they were seriously concerned about the security of work data stored on their devices. A lack of concern for security can result in BYOD participants engaging in potentially risky behavior. That is good news for hackers, but bad news for CISOs and CIOs charged with keeping data secure.

The survey revealed that a wide range of sensitive data is now stored on BYOD devices, which can include saved login names and passwords, work-related emails, network and VPN login details and many work files. 36% of respondents said they stored work-related documents on their BYOD devices, while 34% kept work-related emails. 18% of respondents said they stored passwords and login information on their phones, laptops and tablets.

Head of consumer product management at Kaspersky Lab, Elena Kharchenko, pointed out “People are concerned about the safety of their online accounts, although in reality few of them think they will be targeted by a cyberattack. And that’s where they’re wrong! Attackers often rely on the element of surprise, when users least expect it.”

This is especially true for healthcare workers. The industry has been targeted in recent years by criminals seeking access to patients' Protected Health Information, data that cybercriminals can use to commit identity theft. The survey did show that BYOD participants are worried about their own online accounts, but criminals seek a much bigger prize: the data accessible through their networked BYOD devices, which potentially number in the tens of millions.

BYOD Participants are Aware of the Main Security Risks
The good news is that while only 10% are seriously concerned about work data, the majority of respondents were actually aware of the threats posed by their devices. 86% of respondents said they were aware of the main attack vectors, and knew about the risks of hacking, phishing and malware. Ransomware was not so well known, with only 28% of users being aware of the threat.

Serious Risks of BYOD Must be Addressed
The benefits of BYOD are too numerous to ignore. Employees signing up to BYOD schemes can work more efficiently, gain access to important data without having to visit a fixed terminal, and can take advantage of a wealth of apps, each offering a number of advantages to users and employers.

The problem is the use of portable devices in the workplace carries substantial risks. If those risks are not addressed, BYOD could turn out to mean Bring your Own Demise.

Fortunately, risks can be effectively managed, but that requires initial effort and considerable planning before any external device is allowed to connect to a corporate network. It also requires a continued investment of time, resources and the implementation of controls to make it harder for hackers to gain access to connected devices, and the data stored on them or accessible through them.

A number of suggestions have been put forward by Kaspersky Labs that can be used to make BYOD more secure. One of the most important measures, which is all too easily forgotten, is to develop security controls that focus on the entire network, rather than just the devices used to connect to it.

Kaspersky also recommends managing BYOD separately from other IT projects and handing over the planning and management of BYOD to dedicated staff. Those staff members should be charged with assessing all aspects of BYOD device and network security. They should conduct a comprehensive risk assessment to identify current security vulnerabilities and regularly assess for new risks.

Extensive Planning and Continued Monitoring and Maintenance are Essential
It is all too easy to concentrate on the design and implementation phase to make it as easy as possible to add devices to the scheme, but it is essential that devices can also be quickly and easily removed. When employees’ contracts end or are terminated, or when contractors no longer require access to data, there must be an easy way to terminate network access and remove data stored on personal devices. Policies must also cover the loss and theft of devices. It must be possible to instantly block access to data, whether it is stored on the network or on the device itself. A system that allows the devices to be remotely and securely wiped is also essential.

Skilled staff should be employed to manage a BYOD program. Kaspersky points out that the implementation and maintenance of BYOD programs requires a particular skill set, one that many system administrators do not possess. Without appropriately qualified IT security specialists on the team, and a centralized management system in place, the risks of BYOD are likely to outweigh the benefits.

In healthcare, it is also essential to ensure that devices can be used to communicate data securely. Even if the transmission of PHI is not permitted using personal devices, it is all too easy for a member of staff to break the rules. The use of a secure messaging platform is therefore essential. Staff can then use SMS messages to communicate PHI and other confidential data without risking a HIPAA or patient privacy violation.

General manager at Kaspersky Labs, Kirill Slavin, points out that “By successfully creating and managing a BYOD network, businesses can simplify their IT operations while providing greater flexibility for employees. However, BYOD can potentially create security gaps if not managed effectively.”

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.