5 min read

HIPAA and How MDM Can Help


Data protection regulation, like HIPAA for the healthcare industry, helps keep our most personal data safe. We’ll take a look at the implications of this regulation below, from the perspective of using Mobile Device Management with Miradore to secure smartphones and tablets.

Being on the receiving end of HIPAA compliance can be complicated, but we’re confident Mobile Device Management with Miradore can be a significant step towards solving the puzzle. Miradore is helpful for managing how highly regulated data is used on the hugely convenient yet potentially problematic mobile devices that lots of professionals now need for work.

Let’s start off with a quick look at HIPAA.

The background and meaning of HIPAA

  • The Health Insurance Portability and Accountability Act of 1996 (HIPAA) introduced the first generally binding set of security standards and requirements for protecting Electronic Protected Health Information (e-PHI). The introduction of HIPAA coincided with the first serious moves to paperless records in everyday healthcare operations.
  • HIPAA created a mandate for the Secretary of the U.S. Department of Health and Human Services (HHS) to impose regulations for maintaining the privacy and security of health data.
  • The aforementioned regulations became known as the HIPAA Privacy Rule and the HIPAA Security Rule.
  • Notably, HIPAA defines steep civil and criminal penalties for violations, making data handling a serious matter, even for individuals involved. Here’s one example of a settlement related to a recent data breach case.
  • The Security Rule applies to health plans, health care clearinghouses, and all health care providers that transmit e-PHI. These are referred to as covered entities.
  • The Security Rule requires covered entities to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting e-PHI.
  • Among several other functions, the Privacy Rule defines ‘business associates’ of covered entities as a role for service providers, consultants, attorneys and others who need to come into contact with e-PHI. Chains of business associate responsibility are possible as functions are outsourced further.

Where MDM can help with the HIPAA Privacy and Security rules

1. Passcodes and screen locks are your first line of defense

Computer systems, mobiles included, usually rely on verifying the identities of the intended users of a device or data with passwords and personal identification numbers (PINs). Asking users to identify themselves is the first thing you can do to prevent unauthorized access, and mobile devices use passcodes, PINs and other types of screen locks.

Using Miradore, you can enforce passcode policies on devices and follow the status of the policy from the dashboard reports to spot violations.

2. Don’t leave data lying around without encryption

Encryption transforms data into a state where it can be restored to a readable form only by using the correct key. With computers, we talk about different use cases for encryption: for data at rest and in motion. Data at rest refers to data stored on storage media; data in motion is data being transmitted over a network. Luckily, many mobile devices offer strong protection. For example, Apple iPhones and iPads activate storage encryption when a screen passcode is enabled.

Using Miradore, you can enforce encryption of the storage media used on Android devices.

3. Prepare a routine for erasing all data on lost and decommissioned hardware

Regardless of whether a lost device is encrypted or not, it’s best to make sure no data stays on its storage forever. A determined adversary who knows the passcode or has special forensic tools at their disposal could try to break into a phone. A powered-on phone might also reveal information through functionality like lock screen notifications.

Then, there’s expected device lifecycle management. Naturally, remote wiping can be used to help you reassign, recycle or resell devices, once they no longer fit the requirements of your organization.

By adding remote wiping capabilities to your arsenal, you have the option to properly wash your hands of lost devices without worry.

With Miradore, you can remotely wipe and delete all data stored on devices. Miradore also allows for location tracking of devices, at set intervals.

4. Take control of functionality and applications to control the risk of leaking data

Most people love quick and convenient file sharing apps. But if you’re handling personal health data, you owe it to the law and professional ethics to protect against this data finding its way to places you haven’t secured. Phones also have sensors that may reveal data.

Parts of a solution can involve white/blacklisting of apps and toggling entire features on the device according to your needs. The result is an environment with less porous, leaky surfaces.

Miradore allows you to blacklist file sharing applications. Other possibilities include imposing limits on device functionality, such as disabling the camera, browser features and wireless file sharing (and much more). You can also separate business and personal data with Android for Work to make sure business and personal data don’t mix.

5. Make sure software is up to date and devices protected

Software updates are one of the most straightforward, yet time-consuming and sometimes complicated tasks in IT security. With updates installed, you’re protected against known vulnerabilities in software. However, keeping track of updates can be time-consuming and disruptive. You’ll want help with that once the number of devices grows.

On certain mobile devices, it might also make sense to install traditional tools like firewalls and anti-malware software to add a layer of up-to-date intelligence on known threats. Remember: modern malware not only leaks data but often encrypts user data and demands a ransom, typically in Bitcoin, for decryption.

Miradore can be used to deploy security software to your devices as well as to deliver updates.

6. Look into apps before installing

Apps defined the modern smartphone almost a decade ago, and are now essential to how we interact with our handheld supercomputers.

Yet, apps can accumulate a lot of information that can be sent to third parties. Apps can also cause other undesired behaviors, starting with battery drain and wasted data plans. Additionally, Android phones may allow unlimited installs of application packages downloaded from anywhere, without any regard for authenticity and safety. It can be a good idea to keep an eye on what’s installed on the smartphones in your organization.

One use case for Miradore is to regularly audit installed apps using Miradore Report Builder. When needed, you may uninstall apps using Miradore, and, as mentioned, white- or blacklist apps.
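The controls in sections 1, 2, 5 and 6 all boil down to the same routine: compare what each device reports against a written policy and flag the deviations. The script below is an added example of such a compliance check and is not Miradore’s code or API; the device records, field names and policy values are constructed for illustration only.

```python
"""Evaluate a constructed mobile device inventory against a HIPAA-aligned MDM policy.

Added example: the records below are constructed, not an export from Miradore
or any real MDM, and the field names are assumptions chosen for illustration.
"""
from dataclasses import dataclass, field
from datetime import date


@dataclass
class Device:
    name: str
    platform: str             # "ios" or "android"
    os_version: str           # dotted version string, e.g. "14.4.1"
    passcode_set: bool
    passcode_min_length: int  # 0 when no passcode policy is applied
    encrypted: bool
    installed_apps: list = field(default_factory=list)
    last_seen: date = date(2000, 1, 1)


# Policy values are constructed for this example, not recommendations from the page.
POLICY = {
    "passcode_min_length": 6,
    "min_os_version": {"ios": (14, 0), "android": (10, 0)},
    "blocklisted_apps": {"com.example.fileshare", "com.example.p2p"},
    "max_days_since_seen": 14,
}


def parse_version(version: str) -> tuple:
    """Turn '14.4.1' into (14, 4, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def evaluate(device: Device, today: date, policy: dict = POLICY) -> list:
    """Return the list of policy violations for one device; an empty list means compliant."""
    findings = []

    # Section 1: a passcode must exist and the enforced minimum length must meet policy.
    if not device.passcode_set:
        findings.append("no passcode")
    elif device.passcode_min_length < policy["passcode_min_length"]:
        findings.append("passcode policy below minimum length")

    # Section 2: storage encryption must be on. On iOS it follows from the passcode;
    # on Android it is a separate state, so it is checked for every platform.
    if not device.encrypted:
        findings.append("storage not encrypted")

    # Section 5: the OS must be at or above the minimum supported version.
    minimum = policy["min_os_version"].get(device.platform)
    if minimum is None:
        findings.append(f"unknown platform {device.platform!r}")
    elif parse_version(device.os_version) < minimum:
        findings.append(f"OS {device.os_version} below minimum")

    # Section 6: no blocklisted apps may be installed.
    for app in sorted(set(device.installed_apps) & policy["blocklisted_apps"]):
        findings.append(f"blocklisted app installed: {app}")

    # A device that has stopped reporting cannot be trusted to enforce any of the above.
    if (today - device.last_seen).days > policy["max_days_since_seen"]:
        findings.append("device has not checked in recently")

    return findings


def compliance_report(devices, today: date, policy: dict = POLICY) -> dict:
    """Map device name -> violations, listing only devices with at least one finding."""
    report = {}
    for device in devices:
        findings = evaluate(device, today, policy)
        if findings:
            report[device.name] = findings
    return report


# Constructed inventory used for the demonstration.
TODAY = date(2021, 3, 1)
INVENTORY = [
    Device("nurse-ipad-01", "ios", "14.4.1", True, 6, True,
           ["com.example.ehr"], date(2021, 2, 28)),
    Device("clinic-android-07", "android", "9.0", True, 4, False,
           ["com.example.ehr", "com.example.fileshare"], date(2021, 2, 27)),
    Device("loaner-android-12", "android", "11.0", False, 0, True,
           [], date(2021, 1, 20)),
]

if __name__ == "__main__":
    for name, findings in compliance_report(INVENTORY, TODAY).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

Versions are compared as tuples of integers rather than strings, so "9.0" correctly sorts below "10.0". The stale check-in rule matters because every other check relies on the device actually reporting its state; a device that has gone silent should be treated as out of compliance until it reappears.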

7. Small devices need to make up for lacking physical security

Although mobile devices put instant access to information in the palms of our hands, they are easily lost or stolen. In comparison, workstations tend to be behind at least a few locked doors. Servers are even better protected, sometimes in bunkers with armed guards.

As preventive actions, you can enforce the use of passcodes and encryption of data on mobile devices. In case a device is lost, you can track its location and also wipe it remotely.

8. Employ adequate security to send or receive health information on wireless networks

Public Wi-Fi networks can be an easy way for unauthorized users to intercept information. You can protect and secure health information by not sending or receiving such data when connected to a public Wi-Fi network, unless you use a secure, encrypted connection.

Miradore can help ensure network security with configuration profiles that can be pushed out to devices. Deploying VPN configurations, regular Wi-Fi passwords, and WPA2 Enterprise keys and certificates helps your IT organization adhere to sound network hygiene and segmentation, both on-premises and out in the world.


Disclaimer

This document is not a complete guide to reaching compliance with regulations like HIPAA or local state laws. In fact, it’s unlikely anyone could give binding, yet quick advice on achieving compliance. Please seek legal counsel and specific technical expertise to learn the best ways to comply in your case.
