As head of a Michigan-based cybersecurity firm, Larry Ponemon has studied data breaches including the hacking of Target credit cards, and Chinese and other international cyber espionage. But his favorite incident, he says, was small, avoidable and probably victimless.
It involved a doctor and a tablet (tablet as in iPad, not medication). The physician’s health-care network had just upgraded its data storage system, and he was given an iPad that he could carry from the hospital to his home in which he collected patient information that would go directly to a cloud-based bank of medical records.
Then, a few months ago, he lost the tablet.
Even more unfortunately, the device wasn’t protected by a password. That gave anyone who found (or had stolen) it access to what Ponemon calls “a treasure trove” of personal data on as many as 1 million patients.
Why no password? “Doctors and clinicians have a history of not using passwords because they’re busy people,” Ponemon said. The health-care network’s IT people had “jailbroken” the tablet’s software to eliminate its password requirement, making it easier for the doctor to use. And easier for criminals to abuse.
That illustrates a conflict of interest not only in the health-care sector, but throughout the worlds of business and government. Management loves that it can get flexibility, mobility and efficiency out of new technology, and that tablets and smartphones mean employees can work from home — or anywhere.
But every mobile device is a potential chink in the armor of an entire organization; any security lapse places at risk not just the device owner’s private data, but potentially sensitive information about his or her company and other patients, customers or clients the company serves.
Employees often take shortcuts for the sake of convenience. And often companies, which benefit from increased productivity that mobile devices give their employees, don’t effectively install or enforce security measures.
In 2013, Verizon analyzed more than 63,000 “security incidents” in 95 countries and found that the loss or theft of laptops, USB drives, phones and other devices, coupled with human errors — including sending sensitive e-mail to the wrong address or uploading private data to a public server — were responsible for 39 percent of the incidents. In its annual Data Breach Investigations Report, Verizon said that many of the rest of the incidents were malicious, but only 2 percent resulted in someone accessing the stolen data for criminal purposes.
The doctor who lost his tablet did have a “kill switch” that was activated when he reported it missing. That meant the hospital network would be alerted if the device was turned on.
Health-care records contain valuable information: the patient’s name, Social Security number and date of birth. So anyone who got access to the records could, for instance, use that information to try to open a line of credit, submit fake claims for benefits, or sell the data to others for those purposes.
“So many of the breaches we study are so complicated,” Ponemon said. “In the case of the doctor and the iPad, it was such a low-tech issue, but had potentially very significant ramifications.”
The quality of the data may be one reason the health-care sector suffered the largest share of cyberattacks in 2013, more than any other sector such as retail, education or finance, according to a report by the Identity Theft Resource Center, a nonprofit organization that tracks data theft.
Two laptops stolen from a New Jersey office of medical insurer Horizon Blue Cross Blue Shield last year contained unencrypted data on more than 800,000 patients. No incidents have been reported as fraud, but patients were offered free credit monitoring and identity theft protection services.
Last month, the Cedars-Sinai Medical Center in Los Angeles disclosed that the unencrypted records of 33,000 patients had been stored on an employee’s laptop, which was stolen in a burglary over the summer. The unprotected information included names, driver’s license numbers and Social Security numbers.
Despite the increasing use of mobile devices outside the workplace, few organizations have clear policies for data security, a recent Ponemon Institute survey found. Of the 618 IT managers surveyed for the report, 29 percent said their organizations had no strategy to ensure mobile device security. Others said their strategies covered only certain types of devices or operating systems.
One method that organizations use to secure mobile devices is known as “sandboxing.” That means employees are allowed to work only within secure, walled-off sectors — or sandboxes — when using mobile devices.
Another approach is “virtualization,” in which the mobile device doesn’t store any information while performing a task. Virtualization software uses the mobile device the way a projector uses a screen: While an employee is logged on, information from the company’s servers is “projected” onto the screen, but none of it is stored there. When the task is completed, it’s as though the projector has been switched off — so if the device is hacked, there won’t be any information to steal.
David Wennergren, senior vice president of technology policy at the Professional Services Council, a trade group, said the big question now is, “How do we allow people to share the information they need versus protecting privacy and security? The smart money is on finding the sweet spot between security provisions and convenience.”
More from Capital Business: