As more healthcare systems rely on BYOD mobile strategies, it’s important to remember that most conventional wi-fi connections are about as secure as a kid’s piggy bank. Hackers are adept at creating fake “free wi-fi” accounts at airports, hotels and coffeehouses – and now, even on planes.
If a physician loses a laptop, everyone goes on high alert. But patient data that’s stolen via wi-fi often goes unreported, even for months – long after the damage has been done.
Here’s how it usually works:
The person turns on a mobile device at an airport, or perhaps on a plane or at a coffeehouse across the street from an academic medical center. The person sees a harmless-looking connection, often named something like “Free Wi-Fi.” Worse still, the hacker could use the name of a legitimate connection that's already known and trusted, when it is actually an ad hoc network or a peer-to-peer connection that lets the user surf the Web through the hacker’s computer, or even allows the hacker direct access to the user’s own computer files. While connected, hackers make a beeline for credit card info and passwords.
But they also know the value of patient health records on the black market. The danger in wireless data compromise is that it happens so passively, without the victim ever knowing it occurred.
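One way a device-side check could flag the rogue networks described above before a user joins them, as an added example that is not from the original article. The trusted-network list, the record fields, the bait-word heuristic and the sample scan results are all constructed assumptions.

```python
from dataclasses import dataclass

# Constructed allowlist: SSIDs the organisation trusts, with the access-point
# hardware addresses (BSSIDs) and security mode they are expected to use.
TRUSTED = {
    "Clinic-Staff": {"bssids": {"02:00:00:aa:bb:01", "02:00:00:aa:bb:02"},
                     "security": "WPA2-Enterprise"},
}
LURE_WORDS = ("free", "public", "guest")  # assumed heuristic for bait names


@dataclass
class Network:
    ssid: str
    bssid: str
    mode: str      # "infrastructure" or "adhoc" (peer-to-peer)
    security: str  # "open", "WPA2-Personal", "WPA2-Enterprise", ...


def assess(net: Network) -> list[str]:
    """Return the reasons a scanned network should not be joined (empty = none)."""
    reasons = []
    if net.mode == "adhoc":
        # A peer-to-peer network routes traffic through another person's computer.
        reasons.append("ad hoc network")
    known = TRUSTED.get(net.ssid)
    if known:
        if net.bssid.lower() not in known["bssids"]:
            reasons.append("trusted name from unknown access point")
        if net.security != known["security"]:
            reasons.append("trusted name with unexpected security mode")
    elif net.security == "open" and any(w in net.ssid.lower() for w in LURE_WORDS):
        reasons.append("open network with bait-style name")
    return reasons


# Constructed scan results for illustration.
SCAN = [
    Network("Clinic-Staff", "02:00:00:aa:bb:01", "infrastructure", "WPA2-Enterprise"),
    Network("Clinic-Staff", "02:00:00:cc:dd:99", "adhoc", "open"),
    Network("Free Wi-Fi", "02:00:00:ee:ff:10", "infrastructure", "open"),
]


def report(scan=SCAN):
    return {f"{n.ssid} [{n.bssid}]": assess(n) for n in scan}


if __name__ == "__main__":
    for name, reasons in report().items():
        print(name, "->", reasons or "no findings")
```

A BSSID can be copied, so an empty result is not proof that an access point is genuine; the check only catches the mismatches it lists.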
The Open Security Foundation tracks major security breaches on its website datalossdb.com, and not surprisingly, healthcare organizations are almost always in the top 10. According to the website, in recent months Houston Methodist Hospital lost 1,300 patient records and Horizon Blue Cross Blue Shield of New Jersey lost a whopping 840,000. Obviously, nobody wants the fines and bad publicity stemming from major breaches. According to current industry statistics by the respected Ponemon Institute, the cost of a healthcare record breach was $240 per record. Costs add up quickly at that rate.
Although it’s unlikely that either of the aforementioned breaches involved wi-fi, anything above the threshold of 500 patient records requires immediate public notification. The truth about wireless access is that breaches occurring in this manner may never be traced back to the source of compromise since it happens so passively.
But there’s a simple way to keep wireless breaches from happening in the first place: Provide your mobile staff with mi-fi devices. These personally assigned, palm-sized gizmos are actually wireless routers that act as secure mobile hotspots, encrypting all key data. They are effectively travelling wi-fi devices that ensure your employees have personal wi-fi wherever they go.
Using mi-fi, a nurse who visits a patient’s home and enters data on her tablet is now as confident of a secure connection as a doctor entering notes in an EHR. And a physician can text another doctor from a Starbucks without worrying about whether would-be HIPAA thieves are hacking the account over a latte.
Equipping your mobile staff with mi-fi devices is a vital part of a wireless security program that also requires a robust wireless intrusion prevention system (WIPS). That’s just one of many basic steps that must be taken to ensure what happens on the tablet stays on the tablet.
Joseph Johnson leads the information security consulting practice at W Squared, based in Brentwood, Tenn.


