
With BYOD, data breaches just waiting to happen

Smartphone insecurity means healthcare patient information, for one, remains at high risk, studies find

By Taylor Armerding, CSO
December 12, 2012 08:05 AM ET

Page 2 of 2

And even if email is used only for internal communications, and not with patients, "all those emails with patient information end up in your inbox. Your inbox is then replicated to your smartphone," Gross wrote.

If the phone is then lost or stolen, the patient data is breached. The Ponemon study said the combined cost of data breaches to the healthcare industry is nearly $7 billion annually.

Gross said that at a minimum organizations should limit the amount of patient information in emails, mandate a start-up password plus an inactivity timeout, and require data encryption.

Troy Gill, senior security analyst at AppRiver, said technology is available today for most devices to tackle key security issues. "Enforcement of password locking and remote data wipe are critical -- both of which can be achieved through [Microsoft] ActiveSync or BES [BlackBerry Enterprise Server], as well as third-party [Mobile Device Management] solutions," he said.

Gill said another key step would help: "Corporations should require a VPN [Virtual Private Network] connection when accessing their networks from any device.

"And, since most of the mobile malware that is being discovered lately has been coming in the form of malicious app installations, companies may consider limiting the types of apps that can be used on a company device," he said.
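The controls Gross and Gill describe in the paragraphs above (start-up password, inactivity timeout, device encryption, remote wipe) map directly onto an Exchange ActiveSync mailbox policy. The following is an added example, not code from the article or from any of the people quoted in it: it contrasts the unenforced built-in policy with a hardened one, assigns the hardened policy to a mailbox, checks that the handset actually applied it, and issues a wipe for a reported loss. The policy name `ClinicalStaff-BYOD`, the mailbox `jdoe`, the device ID placeholder and the notification address are assumptions; the cmdlets and parameters are those of the Exchange 2010 Management Shell.

```powershell
# Added example (not from the article or its sources). Run from the Exchange
# Management Shell with an account holding the Organization Management role.
# Policy name, mailbox name, device ID and notification address are placeholders.

# Weak baseline: inspect the built-in "Default" policy. Out of the box it
# requires no device password, no lock timeout and no encryption, so a lost
# phone exposes the replicated inbox to whoever picks it up.
Get-ActiveSyncMailboxPolicy -Identity "Default" |
    Format-List DevicePasswordEnabled, MaxInactivityTimeDeviceLock,
                RequireDeviceEncryption, AllowNonProvisionableDevices

# Hardened policy: start-up password, five-minute inactivity lock, local wipe
# after repeated failed unlocks, storage encryption, and no access for devices
# that cannot honour the policy. Attachments stay off the handset entirely.
New-ActiveSyncMailboxPolicy -Name "ClinicalStaff-BYOD" `
    -DevicePasswordEnabled $true `
    -AlphanumericDevicePasswordRequired $true `
    -MinDevicePasswordLength 8 `
    -AllowSimpleDevicePassword $false `
    -MaxInactivityTimeDeviceLock 00:05:00 `
    -MaxDevicePasswordFailedAttempts 8 `
    -RequireDeviceEncryption $true `
    -RequireStorageCardEncryption $true `
    -AllowNonProvisionableDevices $false `
    -AttachmentsEnabled $false

# Assign the policy to a mailbox that receives patient information.
Set-CASMailbox -Identity "jdoe" -ActiveSyncMailboxPolicy "ClinicalStaff-BYOD"

# Verify enforcement per device: a handset whose DevicePolicyApplied does not
# match, or whose application status is not "AppliedInFull", has not accepted
# the controls and should be treated as out of compliance.
Get-ActiveSyncDeviceStatistics -Mailbox "jdoe" |
    Format-List DeviceType, DeviceID, LastSuccessSync,
                DevicePolicyApplied, DevicePolicyApplicationStatus

# Remote wipe after a reported loss: locate the device partnership by the ID the
# user (or the statistics above) supplied, then queue the wipe. The wipe runs on
# the device's next sync; LastSuccessSync shows whether it has checked in since.
$device = Get-ActiveSyncDevice -Mailbox "jdoe" |
    Where-Object { $_.DeviceID -eq "<DEVICE-ID-FROM-LOSS-REPORT>" }
Clear-ActiveSyncDevice -Identity $device.Identity `
    -NotificationEmailAddresses "security@example.org" -Confirm:$false
```

Two points the article's advice implies but does not spell out: `AllowNonProvisionableDevices $false` is what turns the policy from a request into a requirement, because a client that cannot enforce the settings is refused sync rather than admitted on trust; and the wipe is only as good as the employee's reporting speed, since nothing happens until the lost phone next reaches the server, which is why Gray's point about reporting losses immediately belongs in the same procedure.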

Chris Gray, Accuvant LABS practice manager, agreed that remote wiping capability is critical. "[It] can not only prevent data loss but also provide organizations with the ability to assure their management that the loss event does not require further legal or compliance mitigations."

Chris Petersen, CTO of LogRhythm, is not surprised that smaller organizations are much more vulnerable to data breaches. "Many smaller practices barely have a full-time IT staff much less someone focused on security," he said. "They should look to service providers and [resellers] that can recommend technology and approaches that reduce risk with a cost they can afford. Fortunately there are a lot of good solutions, many of them affordable."

But until they can bridge that security gap, using personal devices at work can be too dangerous. "They might be well served to ban BYOD," he said.

All of the experts agree that smartphones will continue to be lost and stolen. "There is no fix for this," Petersen said. "If organizations don't have the proper technical controls in place, they will be helpless when it comes to ensuring a lost device doesn't mean lost personal information."

Gray said the loss of mobile devices is a given, and that organizations should develop a multi-tier approach to dealing with this issue that includes encryption, remote wiping and educating employees to report a loss or theft immediately.

Gill agreed, noting what's at stake. "It's much more cost-effective to make sure you have an effective way to protect the data that's on them, which in most cases is far more valuable than the devices themselves."
