HIPAA Compliance Strategies
Featured Health Business Daily Story, September 17, 2008

Portable Devices Pose Serious Challenges to Protecting Patient Privacy

Reprinted from REPORT ON PATIENT PRIVACY, the industry's most practical source of news on HIPAA patient privacy provisions.

With the news that a crime ring has been caught after attempting what amounts to drive-by hacking, covered entities (CEs) should be aware that their wireless networks and portable devices such as iPhones and BlackBerrys are not necessarily secure, experts say.

Nearly a dozen people have been charged with various counts of computer intrusion, fraud and identity theft, among other charges, for their parts in a crime ring that allegedly hacked into nine major retailers' wireless computer networks. The feds allege that the conspirators stole credit and debit card numbers through "wardriving," in which one person drives a car around while at least one passenger attempts to gain access to a wireless network from a laptop computer. Once inside the networks, the hackers install "sniffer" programs to capture information, the feds explain. In this case, the conspirators concealed the data they obtained on encrypted computer servers located in Eastern Europe, and they sold some of the credit card numbers to other criminals, the feds allege.

CEs could be targeted in similar schemes and should ensure that their wireless networks are adequately encrypted, says Shane McGee, a Washington, D.C.-based attorney with Sonnenschein Nath and Rosenthal. "More and more, CEs are using wireless because it allows mobility and hopefully CEs' networks are designed and configured using stronger encryption protocols." "Let's hope they are not as accessible" as the retail stores, says McGee. "Let's hope the HIPAA security rule has educated them enough that they know they should have conducted a risk assessment and used that to secure their wireless network."
CEs should have already converted from the Wired Equivalent Privacy (WEP) system of encryption to the more secure Wi-Fi Protected Access (WPA) protocol. WEP encryption was still common until about a year ago, when researchers found weaknesses in it, McGee explains.

In addition, CEs should remind staff members to use portable devices carefully. One of two nightmares could happen, he says. "If a doctor is in a public place and is using an unsecured network to transmit PHI [i.e., protected health information], then yes, people could 'sniff' that traffic if it is not encrypted or if it is encrypted with a weaker method," he says. Piggybacking on a signal to get into the laptop itself would be considerably more difficult, but it can be done, allowing perpetrators to view the traffic coming from the device, McGee adds.

Use of portable devices like laptops and iPhones falls under HIPAA's workstation use and security policies, so CEs should remind staff members where they can and cannot use these devices. "An airport is a horrible place to use these," says McGee. "Anyone can log in [for wireless access] with a credit card and could intercept information." Employees should also use the locking features of the devices so that no one can open them without a password. And CEs should go over what kind of information is acceptable to transmit, McGee says.

'Bad Guys' Are Always On Duty

Wardriving is "a huge threat" to CEs, says Abner Weintraub, president of the HIPAA Group. "Part of the problem is just the proliferation of wireless connections" to devices like printers and headsets, he says. And "the technology has been put out there before the security risks have become part of the mindset." Plus, "bad guys" are on duty 24/7, while the employees who make up organizations are on duty only from 9 to 5, Weintraub says.
"Health care data, as a subset of personal data, has value," and anything criminals can use to commit fraud has a black market, not just celebrities' medical records that can be sold to tabloids, he points out.

Weintraub says he teaches CEs that an individual's medical records are equivalent to their wallet. If they found someone's wallet in their office, they instinctively would know not to leave it on a countertop, but would lock it in a drawer until the owner came back for it. "But we tend not to have the same sort of gut reaction and understanding that we have to have the same protections of our medical records," he says.

There are risks with portable devices that are not being sufficiently dealt with, Weintraub says. Employees are still leaving laptops and PDAs in open view on car seats, etc. "It is a technology problem, but a human issue. That's part of the challenge here. We are trying to change behavior and that is not easy to do," he says. "We don't need new technology; we need to raise awareness and enforce the rules that exist already." Using the devices in public can be a danger too without the proper precautions.
Weintraub refers to an August report in the San Francisco Chronicle that followed wardrivers around while they worked (the act of detecting a wireless network is not a crime, but accessing it is, the Chronicle explains). The report found more than 2,600 individual open networks in the Bay Area during a five-hour drive. The networks came from homes, businesses, a university, a federal building, a city hall, and along the street and other public areas, the Chronicle found. About one-third of them showed no encryption. And "hackers are always 10 steps ahead," Weintraub warns.