In this latest installment on risk analysis we continue the difficult quest to quantify the risk of a data breach. Hospitals and physician practices conduct computer security risk analyses for HIPAA compliance and for meaningful use (the HIPAA Security Rule, 45 CFR 164.308(a)(1), requires one) and must assess the threats to protected health information and the likelihood that each occurs.
Today the Wall Street Journal reports a cooperative effort of the FCC, Verizon, AT&T, Sprint and T-Mobile to develop a national database of stolen cell phones in response to an “explosion of thefts” nationwide. The article cites an internal NYC police department report indicating 21,000 mobile phone thefts in the first 10 months of 2011. Under a number of assumptions about the population at risk, that works out to roughly a 1% chance of theft per person per year. The count presumably comes from police reports, so thefts that were never reported are not included in it.
The fact that this nationwide cooperative effort is underway is evidence of the significant and growing risk of smartphone theft.
Mobile security firm Lookout, Inc. has published a survey quantifying cell phone loss. Lookout offers a security app for 15 million iPhone and Android users. The product includes a phone locator feature that uses the smartphone’s GPS to locate a lost phone for its owner.
The company recently published statistics on usage of that locator feature. After “filtering” the data to remove test activations, Lookout reports that users lose their phones about once per year, which would put the annual probability of a loss event near 100%. Their definition of “loss” is unclear, however, and “misplaced” may be the better word: a locator request shows that a phone was out of its owner’s hands, not that it was gone for good, and presumably many of these phones are recovered. Further, the reported methodology is vague. Nonetheless, interested readers may enjoy their “Mobile Lost and Found” feature, which presents additional data in an interactive web application.
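Turning the two per-device rates above into a figure for a whole fleet of devices, as an added worked example that is not part of the original post or of any vendor's product (the fleet sizes, and the assumption that thefts are independent across devices, are chosen here for illustration):

```python
"""Fleet-level annual risk from per-device event rates.

Added example, not from the original post or from any vendor's tool. The
per-device rates are the two figures quoted in the post: roughly 0.01/year
for theft (NYC police figures) and roughly 1.0/year for loss-or-misplacement
(Lookout locator usage). Fleet sizes are assumptions for illustration.
"""

# Per-device annual probabilities taken from the post; the loss figure is
# Lookout's "about once per year" read as a 100% annual probability.
THEFT_PER_DEVICE_PER_YEAR = 0.01
LOSS_PER_DEVICE_PER_YEAR = 1.0


def annualized_count(events: int, months: int) -> float:
    """Scale a count observed over `months` months to a 12-month figure.

    The NYC report covers 21,000 thefts in 10 months, so the annualized
    count is 21,000 * 12 / 10 = 25,200.
    """
    if months <= 0:
        raise ValueError("months must be positive")
    return events * 12.0 / months


def prob_at_least_one(p_per_device: float, n_devices: int) -> float:
    """Probability that at least one of n devices has the event in a year.

    Uses 1 - (1 - p)^n, which assumes events are independent across
    devices; that independence is an assumption of this example.
    """
    if not 0.0 <= p_per_device <= 1.0:
        raise ValueError("probability must be in [0, 1]")
    if n_devices < 0:
        raise ValueError("device count must be non-negative")
    return 1.0 - (1.0 - p_per_device) ** n_devices


def expected_events(p_per_device: float, n_devices: int) -> float:
    """Expected number of events per year across the fleet (n * p)."""
    return p_per_device * n_devices


def fleet_risk_table(fleet_sizes=(10, 50, 200, 1000)):
    """Return (n, P[>=1 theft], E[thefts], E[loss events]) for each fleet size."""
    rows = []
    for n in fleet_sizes:
        rows.append((
            n,
            prob_at_least_one(THEFT_PER_DEVICE_PER_YEAR, n),
            expected_events(THEFT_PER_DEVICE_PER_YEAR, n),
            expected_events(LOSS_PER_DEVICE_PER_YEAR, n),
        ))
    return rows


if __name__ == "__main__":
    print(f"NYC thefts annualized: {annualized_count(21000, 10):,.0f}")
    print(f"{'devices':>8} {'P(>=1 theft)':>13} {'E[thefts]':>10} {'E[loss]':>8}")
    for n, p, thefts, losses in fleet_risk_table():
        print(f"{n:>8} {p:>13.1%} {thefts:>10.1f} {losses:>8.0f}")
```

The point for a risk analysis is that a modest per-device rate does not stay modest at fleet scale: at 1% per device, a fleet of 200 phones has roughly an 87% chance of at least one theft in a year, and a fleet of 1,000 can expect about ten. The loss-or-misplaced rate gives an expected count of one event per device per year, most of which presumably end in recovery, which is why the two threat events should be carried separately.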
A HIPAA risk analysis should consider theft, loss, and temporarily misplaced devices as separate threat events, since they differ in likelihood and in how long a device is out of the owner’s control. The available statistics indicate that the likelihood of each is significant. Consequently, for organizations that use smartphones, the following controls are appropriate:
- Security training for users
- Policies requiring encryption of any data stored on the phone, including email and the data of any app that stores it locally
- Policies regarding use of employee-owned devices on the company network
- Policies that limit the storing of credentials for company networks on smartphones
- Anti-malware software for smartphones
- Technical tools to track and inventory devices that connect to the company network
- Remote locate and wipe capabilities for lost or stolen devices (a remote wipe only works if the loss is reported promptly and the device can still reach the network, so it complements encryption rather than replacing it)