Mobile Devices

How about mobile devices? This includes smartphones, tablets, smartwatches and other devices. It can even include wearables like a Fitbit. When these are connected to an office network, they can introduce risk. One concept you run across rather frequently is something called BYOD, which stands for bring your own device. This is pretty common. It's where someone who wants to access the network from their own phone or tablet is allowed to do so. This is risky, honestly. It's easier to go with what's called corporate-owned, personally enabled, or COPE, where basically you're supplying people with the phones or tablets they use for the work of the practice, and you keep control of how those devices are configured. If, on the other hand, you are going the BYOD route, you want to have minimum standards that every device must meet before it can connect to the office network, and you want those standards written down.


Because once again, a) you want the standards applied consistently, and b) you want something to point to in case there's an OCR audit coming from Health and Human Services. Always best avoided, but be ready if it does happen. So included in those standards, you want to make sure that any phone connecting to your network is running up-to-date operating system software and has a password or passcode enabled. A longer alphanumeric password is better than a four-digit passcode because it's much harder to guess by trying combinations. But I digress. You also want to require an auto-lock feature: if nobody uses the phone for a set period of time, the screen locks by itself. The reason for that is, let's say you lose your phone. If somebody picks it up and it doesn't lock on its own, they can just start using it.


Anything you're logged into, they're you as far as the Internet is concerned. If, on the other hand, it's locked, they have to use the passcode or password to get into the phone. Also, if possible, you want to make sure that security software is installed. Most current phones are encrypted by default; you definitely want to confirm that's the case. On an older device in particular, check that encryption is turned on, which can be done through the settings. You also want to make sure it has what's called remote wipe capability. Sometimes that's built in, as with Find My iPhone on Apple devices and Find My Device on Android, and there are also third-party programs that offer it. The idea is that you can locate a lost phone, or, if the phone is gone for good (and hopefully you've backed it up elsewhere; you should always do that with your phones), you remote wipe it. Because it's encrypted and the wipe resets it to factory settings, whoever is holding it is now holding a phone with no data on it. With newer phones that have activation lock, they're holding a phone that can't even be set up again without the owner's account. But I digress. Also, if you're accessing the network from outside the office, use a virtual private network, or VPN, which is a sort of secure tunnel into your network. Just a better way to connect. One other thing you can use to keep an eye on all of this is mobile device management (MDM) software. There are a lot of different options. I'll put a link to some review sites in the notes.


You'll see if one is a good fit for you. MDM software can check most of the items in the minimum standards and report devices that don't meet them. One item in those standards should be that a phone connecting to your network hasn't been altered. This is a process referred to as jailbreaking for Apple devices and rooting for Android devices. That's basically where the owner of the phone overrides the restrictions on the phone so they can do other things the phone normally wouldn't allow, like installing apps from outside the official app store, or other functionality the phone normally wouldn't have. It's not as common nowadays, but when you do see it, it bypasses the operating system's built-in protections, so the sandboxing, encryption and update guarantees you're relying on can no longer be trusted. You really don't want something like that connected to your network.
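To make the written minimum standards concrete, here is an added example (not code from the original page or from any MDM product) of how such a standard can be checked against device records. The device rows, platform names, version numbers and thresholds are all constructed for the example; in practice the rows would come from your MDM's inventory export, and the thresholds from your own written policy.

```python
"""Check BYOD device records against a written minimum standard.

Added example: the policy thresholds and the device inventory below are
constructed, not taken from any real practice or MDM product.
"""
import itertools
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Policy:
    """Thresholds from the written minimum standard (constructed values)."""
    min_os: dict                      # platform -> minimum OS version string
    min_passcode_len: int = 6
    require_alphanumeric: bool = False
    max_autolock_seconds: int = 300   # must lock within 5 minutes of inactivity
    max_failed_attempts: int = 10     # auto-wipe after at most this many wrong passcodes
    min_failed_attempts: int = 3      # a lower value risks an accidental wipe


@dataclass(frozen=True)
class Device:
    """One row of an MDM inventory export (constructed field names)."""
    name: str
    platform: str                     # "ios" or "android"
    os_version: str
    passcode_type: str                # "none", "numeric" or "alphanumeric"
    passcode_len: int
    autolock_seconds: Optional[int]   # None means the screen never locks
    encrypted: bool
    remote_wipe_enrolled: bool
    rooted_or_jailbroken: bool
    wipe_after_failed: Optional[int]  # None means auto-wipe is off


def parse_version(text: str) -> tuple:
    """'14.2.1' -> (14, 2, 1); padded so '17' and '17.0.0' compare equal."""
    parts = []
    for piece in text.split("."):
        digits = "".join(itertools.takewhile(str.isdigit, piece))
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def evaluate(device: Device, policy: Policy) -> list:
    """Return the list of standard violations; an empty list means compliant."""
    findings = []
    if device.rooted_or_jailbroken:
        findings.append("jailbroken/rooted: the OS security controls cannot be trusted")
    minimum = policy.min_os.get(device.platform)
    if minimum is None:
        findings.append(f"unsupported platform {device.platform!r}")
    elif parse_version(device.os_version) < parse_version(minimum):
        findings.append(f"OS {device.os_version} is below minimum {minimum}")
    if device.passcode_type == "none":
        findings.append("no passcode set")
    else:
        if device.passcode_len < policy.min_passcode_len:
            findings.append(f"passcode length {device.passcode_len} < {policy.min_passcode_len}")
        if policy.require_alphanumeric and device.passcode_type != "alphanumeric":
            findings.append("passcode must be alphanumeric, not a numeric PIN")
    if device.autolock_seconds is None:
        findings.append("auto-lock disabled: a lost phone stays usable by whoever finds it")
    elif device.autolock_seconds > policy.max_autolock_seconds:
        findings.append(f"auto-lock {device.autolock_seconds}s exceeds {policy.max_autolock_seconds}s")
    if not device.encrypted:
        findings.append("storage encryption is off")
    if not device.remote_wipe_enrolled:
        findings.append("not enrolled for remote wipe/locate")
    if device.wipe_after_failed is None:
        findings.append("auto-wipe after failed unlock attempts is off")
    elif device.wipe_after_failed > policy.max_failed_attempts:
        findings.append(f"auto-wipe threshold {device.wipe_after_failed} too high")
    elif device.wipe_after_failed < policy.min_failed_attempts:
        findings.append(f"auto-wipe threshold {device.wipe_after_failed} too low (accidental wipe risk)")
    return findings


def is_compliant(device: Device, policy: Policy) -> bool:
    return not evaluate(device, policy)


# Constructed policy and inventory for the example.
POLICY = Policy(min_os={"ios": "17.0", "android": "14"}, min_passcode_len=6)

INVENTORY = [
    Device("pixel-front-desk", "android", "14.0", "alphanumeric", 10, 120, True, True, False, 10),
    Device("old-iphone-billing", "ios", "15.7.1", "numeric", 4, None, True, False, False, None),
    Device("rooted-tablet", "android", "14", "numeric", 6, 60, False, True, True, 2),
]

if __name__ == "__main__":
    for dev in INVENTORY:
        problems = evaluate(dev, POLICY)
        print(f"{dev.name}: {'OK' if not problems else 'BLOCK'}")
        for p in problems:
            print(f"  - {p}")
```

Run it and the front-desk Pixel passes, the old iPhone fails on five items, and the rooted tablet is blocked outright. The point of keeping the thresholds in one `Policy` object is that the written standard and the check stay in step: when the policy document changes, the numbers change in one place.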


So let's talk a little bit about the primary threats to mobile devices. First and foremost, loss and theft. You should always be ready to have your phone stolen. This is why I mentioned all those security measures before. Make sure your data is backed up. If the phone does get stolen, you can wipe the device and repopulate a new one, or, if you get the original back, put the data right back on it and keep using it. Another thing to look at is apps and the permissions they ask for. Get your apps through the official app store and, if at all possible, not a third-party app marketplace, because those tend not to be as safe. Avoid "fully functional free versions" of apps that are normally paid from any sort of off-brand app marketplace. That is what I mean by going with other app areas.


Generally those are just loaded up with malware, and yes, lots of malware does target mobile operating systems. Also, on Android devices in particular, there is a setting called "Unknown sources" (on newer versions it's a per-app "Install unknown apps" permission). It's off by default. Leave it that way, because it keeps apps that didn't come through Google's app store from being installed. Another thing to realize is that a modern smartphone is pretty much a handheld computer, so all the dangers of a regular computer, including all the risks of web browsing, are there too. Another related threat, which is also a risk for regular computers, is unsecured Wi-Fi connections and what are called rogue hotspots. Keep in mind that something that looks legit, like an airport network named "Name of the Airport Free WiFi", is really easy to fake: anyone can set up a hotspot with that name.


So just keep an eye out for that. If you don't know the network, it's never a good idea to connect to it. In terms of protecting your mobile device, make sure you're using the most current operating system and update it whenever updates are available. Android has a bit of a problem with this. Since it's an operating system from Alphabet/Google that is sent out to the different manufacturers, and the manufacturers alter it a bit, you get different versions of it and what's called fragmentation. There isn't a pure version of it except on Google's own devices, which used to be called Nexus devices; the current ones are called Pixels. Those tend to be a little better from a security standpoint, just because they get updates faster: when Google sends out a security update for other phones, it goes to the manufacturer first and then to the owner, and every step makes it slower. Now, as we mentioned earlier, enable your passcode lock or PIN, and it's always best to use a longer alphanumeric password, which all of these devices offer. You can also set the phone to auto-wipe after a set number of incorrect passcode or password attempts. Don't set it to something like two, obviously, but if someone tries it several times and fails, the phone automatically clears itself, which is great if somebody steals it and is trying to figure out your password. Once again, download a mobile security app. These are mostly available for Android.


They're not going to do everything, but at the end of the day they're going to help. Now, the remote wiping we mentioned a little earlier, have that. Along with it is device tracking software, so if you genuinely lost the phone you can track it down. Now, encryption, like I say, generally comes with the phone. Make sure that if you're backing up your data (and once again, back up your data) you encrypt the backups as well. You can also use encryption for the communications you have on the phone. For messaging, there's a wonderful app out there called Signal. It's free, it's encrypted, it's really solid. Some of the more commercial ones like Viber and WhatsApp also offer what's called end-to-end encryption by default. End-to-end just means the message is encrypted on your device and can only be decrypted on the recipient's device. Nobody in the middle, including the service carrying the message, can read it.


Thing is, though, once again, they're owned by larger companies who have control of the service, and even with end-to-end encryption those companies still see metadata such as who you're messaging and when. I personally would be a little more comfortable with Signal if you want to send something that's secure. In case it isn't obvious, never, ever put PHI on any mobile device unless you absolutely need to do so. There's just no reason to have it there, and it's unnecessary risk. So once again, be excessively cautious with those unsecured hotspots we mentioned earlier. Use a VPN app if you can. And generally speaking, just handle mobile devices cautiously. It's a little thing in your pocket, but it carries a great potential for risk.

If your office has a BYOD (bring your own device) program, have minimum (written) standards before ANY device can connect to the office network.

Primary threats to mobile devices:

  • Loss and theft
  • Apps and permissions
  • Web browsing
  • Unsecured Wi-Fi connections and rogue hotspots

How can you protect your mobile devices?

  • Use the most current operating system and update it whenever updates are available
  • Enable your passcode lock/PIN
  • Download a mobile security app (Android)
  • Use remote wiping and device tracking software
  • Back up the data on the device
  • Use encryption (both on phone and for backups)
  • Be aware of access/permission requests when downloading apps
  • Be excessively cautious when dealing with unsecured hotspots
  • Use mobile data, since it is typically more secure than public Wi-Fi
  • If you need to use public Wi-Fi, use a VPN app