This article is part of a series of blog posts exploring the recommendations and guidance Health & Human Services (HHS) provides to healthcare organizations in its Cybersecurity Best Practices report. For previous articles in the series, click here.
The report on cybersecurity best practices (Report) weighs in on one of the issues many entities find hardest to control – the loss or theft of devices and records. As work travel and remote working continue to increase, so too do the instances when company devices leave campus and become vulnerable to loss and theft. The Report states that from Jan. 1, 2018, to Aug. 31, 2018, covered entities reported 192 incidents of theft, affecting 2,041,668 individuals. Adding further gravity to the impact of theft, stolen laptops are not an insignificant source of Office of Civil Rights (OCR) fines:
- In 2016, OCR levied a $1.55 million fine against a provider because of the theft of a password-protected laptop containing personal health information (PHI) of 9,497 patients.
- In 2017, OCR fined a provider of remote heart monitoring $2.5 million after a laptop containing 1,400 patients’ information was stolen.
- In 2018, a provider was fined $4.3 million for three separate incidents involving theft of a laptop and the loss of two USB drives containing unencrypted data of more than 33,500 patients.
And these are only a sample. The most frustrating feature of these incidents is that theft will continue to happen. Entities must therefore focus on how to mitigate the impact of the theft. Encrypting devices may not be “quick” or “easy” for entities with large information technology (IT) inventory, but it is a surefire way to ensure that the theft will not result in the disclosure of PHI, and thus the impact of the theft will be limited to the cost of replacing the device.
Aside from encryption, the Report provides additional practical steps for entities to mitigate these types of incidents.
For Small, Midsize and Large Entities
Promptly report loss/theft to designated company individuals in order to terminate access to the device and/or network. This recommendation is contingent on the entity implementing proper access management controls. Entities “need to clearly identify all users and maintain audit trails that monitor each user’s access to data, applications, systems, and endpoints” as part of their access management plan. The security controls that support this recommendation include:
- Establishing a unique account for each user.
- Limiting the use of shared or generic accounts.
- Tailoring access to the needs of each user.
- Providing role-based access.
- Configuring systems and endpoints with automatic lock and logoff.
- Implementing single sign-on.
- Implementing multifactor authentication for the cloud.
Maintain a complete, accurate and current asset inventory to mitigate threats, especially the loss and theft of mobile devices such as laptops and USB/thumb drives. An accurate inventory of IT assets will pay dividends both with and apart from a theft. For instance, an entity that is rolling out encryption on all laptops can know whether the deployment is complete only if they’ve checked their list of devices on which encryption was installed against the current inventory list. IT may identify that there are one or two devices that are inventoried but have not received the encryption update. With a thoroughly populated inventory, IT will know to whom the device was issued and can contact that person or department directly to go about finding the device. This may uncover a device that is not working properly and needs patching/decommissioning, or it may reveal a theft or loss, which IT can then begin to mitigate by remotely wiping the device, reviewing access logs and/or employing other containment strategies. Without the inventory, the entity would be unable to determine what happened to the device and what patient information may have been on it (by virtue of user roles and access), and thus may determine that its only option is to notify all patients. To prevent such a drastic outcome, the Report recommends that the following information be captured in the inventory for each device (workstations, laptops, servers, portable drives, mobile devices, tablets and smartphones):
- Asset ID (primary key)
- Host name
- Purchase order
- Operating system
- Media access control (MAC) address
- IP address
- Person deployed to (user)
- User’s last logon
- Purchase date
- Physical location
Define a process with clear accountabilities to clean sensitive data from every device before it is retired, refurbished or resold. The technical volumes provide different technical controls for small and midsize/large entities in support of this recommendation. For small entities, the technical volume recognizes that these entities often use third-party providers that specialize in secure destruction. The technical volume recommends that a small entity’s procedure ensures that the decommissioning of each device is recorded, along with the certification of destruction (where applicable) provided by the service provider.
For midsize/large entities, the technical volume recommends the following procedures:
- Central collection: Entities should collect and store IT assets in a central, locked area until the assets are decommissioned. Workforce members must be trained to turn in any asset no longer in use so that assets can be secured in this central location.
- Central destruction/wipe: Once collected for decommissioning, assets must undergo a secure process to be destroyed or electronically wiped to ensure the device is properly sanitized before leaving the entity’s control. Whether this is done by internal resources or a third-party provider, evidence of destruction and/or wiping should be kept on file for audit purposes.
- Record keeping: Once the asset is wiped or destroyed, the inventory entry for the asset should reflect its status. The asset should not be deleted from the inventory, as it may become relevant at a later stage.
For Midsize and Large Entities
Implement proven and tested data backups, with proven and tested restoration of data. In the context of a lost or stolen device, having a recent, restorable backup of the lost/stolen device can be the difference between notifying an entire subset of an entity’s patient population and providing targeted notification. Without backups, an entity generally does not know what documents were saved on or accessible via a particular device. Relying on a user to recount what has been saved and downloaded to the device since it was issued, and which of that data has been deleted, is dubious. Without backups to identify exactly what was contained on the device, entities are left to take a broad, conservative approach. For instance, if a 3-year-old laptop belonging to a urologist were stolen and the urologist stated that he regularly downloaded MRI images to review offline, the population to notify would be any patient seen by the urologist in the past three years for whom the doctor ordered an MRI.
Implement a safeguards policy for mobile devices, supplemented with ongoing user awareness training on securing these devices. While entities should have policies in place requiring strong passwords for all devices, mobile devices can be harder to control – making idle-time lockouts for mobile devices and training of workforce members on compliance with these directives just as important. Organizations may choose to require workforce members with access to PHI on their mobile devices to download remote-wipe software so that if the device is lost or stolen, mitigation can occur swiftly.
Acquire and use data loss prevention tools. One of the most challenging aspects of data loss prevention (DLP) tools is determining the methodology to be used to identify sensitive information. The methodologies are described in the technical volume on page 48. Whichever method is chosen by the entity, the next step is to determine what data channels should be monitored for potential PHI. For midsize entities, the Report recommends monitoring email, endpoints and the network. For large entities, it recommends that DLP monitoring also include cloud storage, on-site file storage and web-based scanning.
Encrypt data at rest on mobile devices to make it inaccessible to anyone who finds the device. Full disk encryption should be enabled on all devices, not just mobile devices. When cloud-based services are used, the Report recommends enabling native encryption to prevent exposure if the cloud provider is compromised.