
6218 Mobile Devices- Are They Secure Enough for our Patient's Data?

Presented by Aaron Hendriks, CISSP. Other: Employee of University Health Network, Toronto, Ontario. Faculty/Presenter Disclosure. Faculty: Aaron Hendriks. Relationships with commercial interests: Not Applicable.


Presentation Transcript


  1. 6218 Mobile Devices- Are They Secure Enough for our Patient's Data? Presented By Aaron Hendriks, CISSP Other: Employee of University Health Network, Toronto, Ontario

  2. Faculty/Presenter Disclosure • Faculty: Aaron Hendriks • Relationships with commercial interests: • Not Applicable

  3. Disclosure of Commercial Support • No commercial support

  4. Agenda • Objective • Requirements • Testing • Results • Conclusions • Alternatives

  5. Objective • Mobile devices are becoming a common tool for providing patient care. • Interacting with patients • Inputs for information • Patient chart reference • Video conferencing • How do we protect patient data on highly portable devices designed for open personal communications?

  6. Requirements • By Law or Provincial Order • PHIPA • All portable media must be encrypted • All systems that host PHI must have access controls

  7. Requirements • Mandated by UHN • Passwords should be 6-8 characters and complex • Systems should prevent reuse of passwords • We should be able to audit compliance controls • Compliance should be automated • System wipe, both remote and after failed logins • We should be able to locate devices • Device backups should be password protected and encrypted

  8. Testing Devices • To ensure that devices can secure data according to UHN’s mobile device requirements, we had to test the devices most commonly asked for or used by UHN staff. All devices were tested in Bring Your Own (BYO) configurations. • We chose: • Apple iPad 2/3 and iPhone 4/5 • Android phones • Galaxy S3 and Galaxy Nexus • Android tablet • Galaxy Tab

  9. Methods • Configuration: All devices were given the most secure configuration possible. • The Android devices were configured with complex passcodes and fully encrypted. • The iOS devices were given complex passcodes. • Test devices for data access • From a locked state, we used hacking tools to attempt access to information on stock and jailbroken devices.

  10. Examples of Test Scenarios • Try to get into the device with a brute-force password attack • Try to jailbreak the device without the device password and then get to data • Try to access information on a jailbroken/rooted device • While the device is locked, access its data from a computer that has previously accessed the device in an unlocked state.

  11. Results Android • It is incredibly hard to access any data on the Android devices. • Full encryption • Unfortunately, the add-on storage cards are usually not encrypted. • The biggest issue with Android is its applications • Apps may be sending or accessing information without the user's knowledge. • Apps from outside the Google market can be installed • Rooting can be hard to detect and will thwart all security • Backups are not protected by default • Android OS wrapper can be an issue

  12. Results iOS • iOS by default only encrypts the OS, email and apps that are set to secure the data. • All other areas of an iOS device are not encrypted • Controlling applications the user installs is difficult • Cannot prevent install or remove prohibited apps • Cannot prevent Cloud backups • Access to a PC that has had the unlocked unit plugged in • This will thwart all security on the device. • Jailbreaking a device removes all security

  13. Conclusions • What: • Secure passwords required • Encryption • Ensure devices are not jailbroken or rooted • Dangerous/insecure applications are removed or limited

  14. Controls • How: • MDM (Mobile Device Management) • Policies/controls • Data wipe acceptance • Limitations on actions (apps, who can use, cloud sync) • Training • Application development standards • Do not allow BYO? • Do not allow sharing of devices?

  15. Alternatives • Use presentation models for all access to systems • Remote Desktop solutions • Application delivery • Web based applications

  16. Contact information Aaron Hendriks aaron.hendriks@uhn.ca
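
Added example (not part of the original presentation): one way to automate the compliance audit called for on slide 7, checking device posture records against the requirements on slides 6, 7, 11 and 13. The field names, the sample records and the reading of "6-8 characters" as a minimum length of 6 are assumptions made for illustration and do not come from any MDM product.

```python
# Added example: field names and sample records are hypothetical.
REQUIRED_TRUE = {
    "storage_encrypted": "device storage not encrypted",
    "passcode_complex": "complex passcode not enforced",
    "remote_wipe": "remote wipe not enabled",
    "locate_enabled": "device cannot be located",
    "backup_encrypted": "backups not password protected and encrypted",
}
REQUIRED_FALSE = {
    "rooted_or_jailbroken": "device is rooted or jailbroken",
    "unknown_sources": "apps from outside the official store allowed",
}
MIN_PASSCODE_LEN = 6  # assumption: lower bound of the "6-8 characters" rule

def audit_device(rec):
    """Return sorted findings for one posture record; missing fields fail closed."""
    findings = [m for k, m in REQUIRED_TRUE.items() if rec.get(k) is not True]
    findings += [m for k, m in REQUIRED_FALSE.items() if rec.get(k) is not False]
    if rec.get("passcode_min_length", 0) < MIN_PASSCODE_LEN:
        findings.append("passcode shorter than 6 characters")
    if rec.get("passcode_history", 0) < 1:
        findings.append("password reuse not prevented")
    if not rec.get("wipe_after_failed_logins"):
        findings.append("no wipe after failed logins")
    # Slide 11: add-on storage cards are usually not encrypted.
    if rec.get("has_sd_card") and rec.get("sd_card_encrypted") is not True:
        findings.append("add-on storage card not encrypted")
    return sorted(findings)

COMPLIANT = {  # constructed baseline record that meets every requirement
    "storage_encrypted": True, "passcode_complex": True, "remote_wipe": True,
    "locate_enabled": True, "backup_encrypted": True, "has_sd_card": False,
    "rooted_or_jailbroken": False, "unknown_sources": False,
    "passcode_min_length": 8, "passcode_history": 5, "wipe_after_failed_logins": 10,
}
INVENTORY = {  # constructed sample inventory
    "ipad-01": dict(COMPLIANT),
    "galaxy-s3-01": dict(COMPLIANT, has_sd_card=True, sd_card_encrypted=False,
                         backup_encrypted=False, unknown_sources=True),
    "iphone-02": dict(COMPLIANT, rooted_or_jailbroken=True, passcode_min_length=4),
}

def audit_inventory(inventory):
    """Map device id to findings, listing only non-compliant devices."""
    report = {dev: audit_device(rec) for dev, rec in inventory.items()}
    return {dev: found for dev, found in report.items() if found}

if __name__ == "__main__":
    print(audit_inventory(INVENTORY))
```

A record with a missing attribute is reported as non-compliant, so a device that stops reporting a setting does not pass the audit by default.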
