6218 Mobile Devices- Are They Secure Enough for our Patient's Data? Presented By Aaron Hendriks, CISSP Other: Employee of University Health Network, Toronto, Ontario
Objective
Mobile devices are becoming a common tool for providing patient care.
–Interacting with patients
–Inputs for information
–Patient chart reference
–Video conferencing
How do we protect patient data on highly portable devices designed for open personal communications?
Requirements
By Law or Provincial Order
–PHIPA
–All portable media must be encrypted
–All systems that host PHI must have access controls
Requirements
Mandated by UHN
–Passwords should be 6-8 characters and complex
–Systems should prevent reuse of passwords
–We should be able to audit compliance controls
  Compliance should be automated
–System wipe, both remote and after failed logins
–We should be able to locate devices
–Device backups should be password protected and encrypted
Testing Devices
To ensure that devices can secure data according to UHN’s mobile device requirements, we had to test the most common devices asked for or used by UHN staff. All devices were tested in Bring Your Own (BYO) configurations.
–We chose:
  Apple iPad 2/3 and iPhone 4/5
  Android phones
    –Galaxy S3 and Galaxy Nexus
  Android tablet
    –Galaxy Tab
Methods
Configuration: All devices were given the most secure configuration possible.
–The Android devices were configured with complex passcodes and fully encrypted.
–The iOS devices were given complex passcodes.
Test devices for data access
–From locked state we used hacking tools to attempt access to information with stock and jail-broken devices.
Examples of Test Scenarios
Try to get into the device with a brute-force password attack
Try to jailbreak the device without the device password and then get to data
Try to access information on a jail-broken/rooted device
Access data on a locked device from a computer that previously accessed the device while it was unlocked
Results Android
It is incredibly hard to access any data on the Android devices.
–Full encryption
Unfortunately, the add-on storage cards are usually not encrypted.
The biggest issue with Android is its applications
–Apps may be sending or accessing information without the user's knowledge.
–Apps from outside the Google market can be installed
Rooting can be hard to detect and will thwart all security
Backups are not protected by default
Android OS wrapper can be an issue
Results iOS
By default, iOS encrypts only the OS and the apps that are set to secure their data.
–All other areas of an iOS device are not encrypted
Controlling applications the user installs is difficult
–Cannot prevent install or remove prohibited apps
Cannot prevent Cloud backups
Access to a PC that has had the unlocked unit plugged in
–This will thwart all security on the device.
Jail-breaking a device removes all security
Conclusions
What:
–Secure passwords required
–Encryption
–Ensure devices are not jail-broken or rooted
–Dangerous/unsecure applications are removed or limited
Controls
How:
–MDM (Mobile Device Management)
–Policies/controls
  Data wipe acceptance
  Limitations on actions (apps, who can use, cloud sync)
–Training
–Application development standards
–Do not allow BYO?
–Do not allow sharing of devices?
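An added example, not part of the original presentation: one way to automate the compliance audit called for in the UHN requirements, checking device records against the requirements and results listed on the slides. The record field names and the sample fleet are hypothetical and constructed for illustration; a real MDM export will differ.

```python
# Added example: audit constructed device records against the slide requirements.
# Field names are hypothetical; a real MDM export will name them differently.
MIN_PASSCODE_LEN = 6  # lower bound of "6-8 characters" on the requirements slide

RULES = [  # (rule id, predicate over one device record)
    ("passcode", lambda d: d["passcode_len"] >= MIN_PASSCODE_LEN and d["passcode_complex"]),
    ("password_reuse", lambda d: d["password_history"]),
    ("device_encryption", lambda d: d["storage_encrypted"]),
    # Results slide: add-on storage cards are usually not encrypted.
    ("sd_card", lambda d: d["sd_card"] in ("none", "encrypted")),
    # Results slide: backups are not protected by default.
    ("backup", lambda d: d["backup_encrypted"]),
    ("integrity", lambda d: d["rooted_or_jailbroken"] is False),
    ("remote_wipe", lambda d: d["remote_wipe"]),
    ("failed_login_wipe", lambda d: d["wipe_after_failed_logins"]),
    ("locate", lambda d: d["locatable"]),
]

def audit(device):
    """Return ids of failed rules. A missing or malformed attribute fails closed."""
    failed = []
    for rule_id, check in RULES:
        try:
            ok = check(device) is True
        except (KeyError, TypeError):
            ok = False  # unknown state is treated as non-compliant
        if not ok:
            failed.append(rule_id)
    return failed

def fleet_report(devices):
    """Map device name -> failed rule ids, listing non-compliant devices only."""
    return {d["name"]: failed for d in devices if (failed := audit(d))}

# Constructed sample records.
COMPLIANT = dict(name="tablet-01", passcode_len=8, passcode_complex=True,
                 password_history=True, storage_encrypted=True, sd_card="none",
                 backup_encrypted=True, rooted_or_jailbroken=False,
                 remote_wipe=True, wipe_after_failed_logins=True, locatable=True)
UNKNOWN_ROOT = {**COMPLIANT, "name": "phone-04"}
del UNKNOWN_ROOT["rooted_or_jailbroken"]  # root status could not be determined
FLEET = [
    COMPLIANT,
    {**COMPLIANT, "name": "phone-02", "sd_card": "plain", "backup_encrypted": False},
    {**COMPLIANT, "name": "phone-03", "rooted_or_jailbroken": True},
    UNKNOWN_ROOT,
]

if __name__ == "__main__":
    print(fleet_report(FLEET))
```

Because rooting can be hard to detect, the record with no root status is reported as failing the integrity rule rather than passing it.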
Alternatives
Use presentation models for all access to systems
–Remote Desktop solutions
–Application delivery
–Web based applications