As a pentester, it’s always a different story when we are the ones writing the report. Being on the receiving end is stressful, even more so when you throw compliance into the mix. Since I have been fielding questions left and right about what to do when it comes to mobile applications and HIPAA compliance, I figured I would simply write a blog post on the topic.
While there are plenty of steps you can take to protect and secure personal health information (PHI) on mobile devices, they typically revolve around things that you have control of, such as using passwords, firewalls, and encryption. An organization that has taken extra steps with the implementation of an MDM or similar now has control over remote wipes of lost or stolen devices, software updates, and so on. But when we talk about the apps that reside on these devices, how are you to know if they are behaving badly? And what does ‘bad behavior’ even mean?
Now, most healthcare organizations should be discouraging any transmission of PHI via text messages. However, there are some applications which have permission to access and read your texts, a huge no-no for healthcare related organizations. Depending on the level of device control, you might be unaware of applications that have access to your contacts – via the SIM card or the device itself! Even when organizations try to containerize corporate email access within an app (Good, etc.), many employees still have business contacts in their personal contact list. Seeing is believing, so be sure to alert employees that their contacts are being accessed – maybe that will get them to think twice about whether or not they want an application to access their contacts.
Bad behavior doesn’t just mean permissions which pose an immediate threat to PHI; bad behavior can also refer to the collection of data with the intent of piecing together the bigger picture for a more sophisticated attack – phishing/social engineering. With all the talk these days surrounding privacy and spying on phone calls, it comes as no surprise that it’s not just the government who’s utilizing these available channels. An application could just as easily contain code capable of recording and storing voice calls without user knowledge, but by downloading the application and running it on your device, you basically said “sure, go ahead, listen in!”. Why should an application that was created specifically for relaying sports scores, or shooting apples at pigs, or reading the news be able to perform activities like those mentioned above? Because you let them.
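The permissions discussed above (reading texts, reading contacts, capturing audio) are declared up front in an Android app’s manifest, so an organization vetting apps for an enterprise app store can check for them before anything is installed. The following script is an added example, not code from the original post: it parses a constructed `AndroidManifest.xml` (a hypothetical sports-score app, invented for this illustration) and flags every declared permission that touches the data classes this post is worried about. The permission names are real Android permission strings; the risk descriptions and the sample manifest are my own.

```python
import xml.etree.ElementTree as ET

# XML namespace used for the android:name attribute in every manifest.
ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Real Android permission names; the risk labels are our own and map to the
# data classes discussed in the post (texts, contacts, voice, phone identity).
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_SMS": "can read stored text messages (PHI sent by SMS)",
    "android.permission.RECEIVE_SMS": "can see incoming text messages as they arrive",
    "android.permission.READ_CONTACTS": "can read the contact list",
    "android.permission.RECORD_AUDIO": "can capture audio, including conversations",
    "android.permission.READ_CALL_LOG": "can read the call history",
    "android.permission.READ_PHONE_STATE": "can read phone number and call state",
}

# Constructed sample manifest for a hypothetical sports-score app.
# A score app has no business reading texts, contacts, or the microphone.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.scores">
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.READ_CONTACTS" />
    <uses-permission android:name="android.permission.READ_SMS" />
    <uses-permission android:name="android.permission.RECORD_AUDIO" />
    <application android:label="Scores"></application>
</manifest>
"""


def package_name(manifest_xml: str) -> str:
    """Return the package attribute from the <manifest> root element."""
    return ET.fromstring(manifest_xml).get("package", "")


def declared_permissions(manifest_xml: str) -> list[str]:
    """Return every permission the app declares via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    name_attr = f"{{{ANDROID_NS}}}name"
    return [el.get(name_attr, "") for el in root.iter("uses-permission")]


def audit_permissions(manifest_xml: str) -> dict[str, str]:
    """Return {permission: reason} for each sensitive permission the app declares."""
    return {
        perm: SENSITIVE_PERMISSIONS[perm]
        for perm in declared_permissions(manifest_xml)
        if perm in SENSITIVE_PERMISSIONS
    }


def report(manifest_xml: str) -> str:
    """Build a short human-readable vetting report for one manifest."""
    pkg = package_name(manifest_xml)
    findings = audit_permissions(manifest_xml)
    if not findings:
        return f"{pkg}: no sensitive permissions declared"
    lines = [f"{pkg}: {len(findings)} sensitive permission(s) declared"]
    for perm, reason in sorted(findings.items()):
        lines.append(f"  - {perm}: {reason}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_MANIFEST))
```

Run it against a real manifest by reading the decoded `AndroidManifest.xml` from an APK into `manifest_xml` instead of the constructed sample. The manifest only tells you what the app may ask for, so pair this check with the runtime alerting the post suggests (telling employees when contacts are actually read) rather than relying on either alone.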
These are just a few behaviors an enterprise (or little guy!) is now forced to consider when implementing an MDM (with or without an enterprise app store) or just a BYOD policy in general. No one ever said this was going to be easy, and it’s no secret that security comes at a price. Now it’s just up to you and your organization to answer ‘What is it worth to you?’.
Whether HIPAA is your driving factor or not, it’s always going to be more expensive to UN-embarrass yourself than it is to just be proactive.
Keep fighting the good fight my friends!