
One In Five Companies Has Suffered a Data Breach Involving Mobile Devices

One in five companies has suffered a data breach involving mobile devices according to a study recently published by Crowd Research Partners. 39% of respondents said malware had been downloaded onto devices supplied to employees by their company or used under BYOD schemes, and almost a quarter of respondents said devices had connected to malicious Wi-Fi networks.

The number of devices that had been compromised is a concern; however, what is more worrying is how little visibility organizations have into the devices that are allowed to connect to their networks. When asked whether devices had connected to malicious networks, 48% of respondents said they were not sure.

When asked whether malware had been downloaded onto mobile devices, 35% said they were not sure, and 37% could not say whether mobile devices had been involved in security breaches at their organizations. These results suggest that while mobile devices are allowed to connect to work networks, the controls put in place to keep those devices secure are insufficient in many organizations.

When asked about the risk control measures used to keep devices secure, only 63% said the devices were protected with passwords. In the event of theft or loss of devices, only 49% would be able to remotely delete data on the devices. Just 43% of organizations used data encryption to prevent the exposure of data in the event of device loss or theft.


Most worrying was what happened to devices, and the data stored on those devices, when employees left the company or devices reached end of life. Only 29% of organizations had implemented data deletion policies, 26% said they reformatted devices, and just 17% used data erasure tools. 15% of organizations did not have any controls in place to ensure data were deleted from devices when employees left the company.

Even when policies had been put in place, in many cases data were not deleted every time. 34% said they always deleted data when employees left the company, 13% said it happened more than half of the time, 7% said it happened between 25% and 50% of the time, 7% said less than 25% of the time, and 14% said data were never deleted.

The survey was sponsored by six security vendors: Bitglass, Blancco Technology Group, Check Point Technologies, Skycure, SnoopWall, and Tenable Network Security. It surveyed 883 IT professionals from around the world, 30% of them based in the United States. All respondents were members of the Information Security Community on LinkedIn.

HIPAA and Mobile Devices

HIPAA prohibits the use of mobile devices for communicating PHI unless a number of safeguards are implemented to ensure PHI is protected at all times. Covered entities must ensure that the confidentiality, integrity, and security of electronic protected health information is never placed at risk.

Even if policies have been implemented that prohibit the use of mobile devices for communicating PHI, there is a risk that patient privacy may be accidentally violated or that healthcare workers may, on occasion, use their phones to transmit PHI.

Many healthcare organizations choose to implement a secure text messaging platform to allow physicians and other healthcare professionals to communicate securely using SMS messages. By providing a HIPAA compliant messaging service, healthcare organizations can leverage the benefits of mobile devices without running the risk of violating HIPAA.

In order for a secure messaging service to comply with HIPAA, all messages must be protected with end-to-end encryption, and access controls must be used to ensure PHI can only be viewed by authorized individuals. Secure messaging apps must also prevent the copying of messages or message contents to a clipboard or to other non-secure apps. The ability to set message lifespans and to recall messages is also beneficial.

Software must also have audit controls and allow the archiving of text messages. In the event of a HIPAA audit, covered entities must be able to demonstrate what has happened with PHI sent in messages. It is also essential that devices can be securely erased in the event of theft or loss, or when users of the system leave the company.

If a messaging solution lacks these controls, messages cannot be sent through it without violating HIPAA.
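The controls listed above (access control on who may read a message, message lifespans, sender recall, and an audit trail backed by an archive) can be made concrete in a small model. The following Python is an added illustration and is not code from the article or from any vendor it names; the class and method names, the actors (`dr_smith`, `nurse_lee`, `billing_clerk`) and the sample message are all constructed, and the fake clock exists only to make expiry deterministic. Transport encryption is out of scope here; the point shown is that every read attempt, allowed or denied, lands in the audit trail and that a recalled message stays in the archive for auditors even though recipients can no longer view it.

```python
"""Toy model of secure-messaging controls: access control, lifespans,
recall, audit trail and archive. Added illustration with constructed data;
not any real product's implementation."""
from dataclasses import dataclass
import time


@dataclass
class Message:
    msg_id: int
    sender: str
    recipients: frozenset
    body: str
    created: float
    lifespan_s: float  # seconds after `created` until the message expires
    recalled: bool = False


class FakeClock:
    """Deterministic clock so expiry can be exercised without sleeping."""
    def __init__(self, t=0.0):
        self.t = t

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


class SecureMessenger:
    def __init__(self, clock=time.time):
        self._clock = clock
        self._messages = {}   # live messages served to recipients
        self._archive = []    # retained copies for audit/retention
        self._audit = []      # append-only trail of every action
        self._next_id = 1

    def _log(self, event, actor, msg_id, outcome):
        self._audit.append({"ts": self._clock(), "event": event,
                            "actor": actor, "msg_id": msg_id, "outcome": outcome})

    def send(self, sender, recipients, body, lifespan_s=3600):
        msg = Message(self._next_id, sender, frozenset(recipients), body,
                      self._clock(), lifespan_s)
        self._messages[msg.msg_id] = msg
        self._archive.append(msg)  # archived at send time, before any recall
        self._next_id += 1
        self._log("send", sender, msg.msg_id, "ok")
        return msg.msg_id

    def read(self, user, msg_id):
        """Return the body only for an authorized, unexpired, unrecalled message."""
        msg = self._messages.get(msg_id)
        if msg is None:
            self._log("read", user, msg_id, "denied:unknown")
            return None
        if user != msg.sender and user not in msg.recipients:
            self._log("read", user, msg_id, "denied:unauthorized")
            return None
        if msg.recalled:
            self._log("read", user, msg_id, "denied:recalled")
            return None
        if self._clock() > msg.created + msg.lifespan_s:
            self._log("read", user, msg_id, "denied:expired")
            return None
        self._log("read", user, msg_id, "ok")
        return msg.body

    def recall(self, user, msg_id):
        """Only the original sender may recall; the archive copy is untouched."""
        msg = self._messages.get(msg_id)
        if msg is None or user != msg.sender:
            self._log("recall", user, msg_id, "denied")
            return False
        msg.recalled = True
        self._log("recall", user, msg_id, "ok")
        return True

    def audit_trail(self, msg_id):
        return [e for e in self._audit if e["msg_id"] == msg_id]

    def archived_bodies(self):
        return [m.body for m in self._archive]


def demo():
    """Exercise each control with constructed actors and return the outcomes."""
    clock = FakeClock(1_000.0)
    svc = SecureMessenger(clock=clock)
    results = {}
    m1 = svc.send("dr_smith", ["nurse_lee"], "Pt 4412: lab results ready", lifespan_s=600)
    results["authorized"] = svc.read("nurse_lee", m1)          # allowed
    results["unauthorized"] = svc.read("billing_clerk", m1)    # not a recipient
    clock.advance(601)
    results["expired"] = svc.read("nurse_lee", m1)             # past lifespan
    results["trail_m1"] = [e["outcome"] for e in svc.audit_trail(m1)]
    m2 = svc.send("dr_smith", ["nurse_lee"], "Pt 4412: discharge approved")
    results["recall_by_other"] = svc.recall("nurse_lee", m2)   # only sender may recall
    results["recall_by_sender"] = svc.recall("dr_smith", m2)
    results["recalled_read"] = svc.read("nurse_lee", m2)
    results["archive"] = svc.archived_bodies()                 # both bodies retained
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The `FakeClock` is passed in because lifespan enforcement is the one control that depends on wall-clock time, and a service like this should be testable without waiting; in production the default `time.time` is used.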

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.