Written by: John Lynn
Guest Post: Hayden Hartland works at Spearstone, makers of Spearstone’s DiskAgent offering which provides a multi-platform approach to smartphone security by allowing lock, data-wipe, and GPS-tracking from any web-browser along with online backup for your business.
Breathtaking advances in smartphone capabilities are changing the ways we work and live. In their latest forms, phones such as the iPhone, Android, Blackberry, Windows Phone, Symbian, and Palm are beginning to rival, and in several areas (think GPS, camera and video) exceed, the capabilities of laptops and desktops.
Increasingly, we email, keep contacts, track tasks and appointments, browse the internet, capture family moments, connect with friends, shop, and even run powerful business apps from our hand-held do-it-alls. No wonder, then, that surveys show some people giving up computers altogether for smartphones. Trends indicate smartphone sales and usage will exceed that of laptops in the next five years. Analysts describe a future where smartphones that dock to keyboards and monitors make the laptop obsolete altogether.
The problem is that while smartphones are leapfrogging laptops and desktops in utility and connectivity, they have introduced security risks that too few take seriously. Unlike desktops and laptops, where some of the biggest risks lie in viruses and the eventual failure of spinning hard drives, the biggest risk with a smartphone is the loss and exposure of the information you store on it.
More than 5,000 smartphones are lost or stolen each day. Most smartphones hold thousands of confidential records – patient lists, emails, documents, medical records, patient payment records, and so on – yet there is little or no ability to prevent their compromise if your phone is lost or stolen. Many were carried by healthcare professionals (doctors, nurses, dentists, office managers, billing providers, support staff, and so on) whose information represents real risk to their practices and patients if compromised.
Next time you notice a staff member, equipment rep, supply rep or any BAA using a smartphone, consider asking, “Are our emails accessible on that phone?” and “If you lose it, can anyone access them on the phone?” If you are a medical professional carrying a smartphone, you need protection, because odds are that eventually you will lose your phone. Furthermore, HIPAA, the FTC and state consumer organizations require notification of all patients of a data breach (not exactly good for any practice or healthcare business).
Current phones and typical user practices do a poor job of safeguarding your confidential information. While many smartphones can require a password or PIN to use them, few of us can tolerate the hassle of actually using one. We simply use our phones too frequently to put up with it. Yet without one, we’re completely exposed. And while a phone password may protect your information in the case of loss, it can’t stop someone with phone-hacking skills who wants to access your information.
Here are some practical tips you can employ to reduce your risks:
- Create a passcode for your phone. If you (like me) hate being pestered by it, set it to be required after 4 or 8 hours, so that you only need to enter it once or twice a day. If your phone is stolen and locked, the thief will need to either hack your phone or reset it to factory settings, thereby removing all the data in the process.
- Create a splash screen when your phone is locked displaying a contact phone number or email address and reward value. Consider etching your name and contact information somewhere on the phone.
- Remove sensitive information from your phone as soon as possible.
- Write down your IMEI (International Mobile Equipment Identity) number. If your phone is stolen, call your carrier immediately and ask them to deactivate the IMEI number, and the phone will be rendered inoperable for calling on all networks. This ensures the phone is unusable, although it doesn’t protect any unencrypted information on your phone.
Fortunately, a few larger clinics and hospitals are beginning to address these concerns. If yours is a larger practice with a Blackberry Enterprise Server and/or Exchange Mail Server, and your users exclusively use the corresponding phones (Blackberries and Windows Mobile devices), you can remotely remove emails and some other sensitive information in the event of a loss or theft. Other alternatives are to deploy encryption software or use the expensive MobileMe services provided by Apple. For other organizations, Spearstone’s DiskAgent offering provides a multi-platform approach to smartphone security by allowing lock, data-wipe, and GPS-tracking from any web-browser.