Mobile devices pose breach risk, action needed
Many healthcare organizations are not taking the necessary steps to protect sensitive data on mobile devices and in the cloud, according to a recent report from Ponemon Institute, a research organization in Traverse City, MI.
Fifty-four percent of survey respondents reported having had, on average, five data breach incidents involving the loss or theft of a mobile device containing regulated data, the report says.
The Risk of Regulated Data on Mobile Devices study was intended to assess the risks associated with employees' access to regulated data through their own or the company's mobile devices, and the challenges of ensuring compliance with privacy and data protection laws for regulated data on mobile devices.
"The research reveals that many organizations are in the dark about the need to ensure that the use and access of regulated data on mobile devices is in compliance with data protection laws," the report says. "Many respondents are uncertain or do not know whether these laws apply to the safeguarding of regulated data on mobile devices."
As an example, 67% of respondents say their organization must comply with privacy and data breach laws, yet only 18% believe these laws specify the protection of regulated data on mobile devices. "Such perceptions result in organizations not being in compliance and facing potential regulatory fines and legal action," the researchers concluded.
The findings reveal that regulated data on mobile devices and in the cloud is at risk because of the following conditions that exist in organizations:
- People do not know how much regulated data is on mobile devices used by employees or transferred to cloud-based file-sharing applications.
- Companies do not prevent employees from accessing regulated data using unsecured mobile devices.
- Leaders do not take the risk of having regulated data on mobile devices seriously and, as a result, do not make it a top security priority.
- Companies do not take steps to monitor employees who access and use regulated data on mobile devices.
- Organizations do not make sure employees are aware of the importance of protecting regulated data on mobile devices. Respondents believe that most employees at one time or another circumvent or disable required security settings on their mobile devices.
- Companies do not have the necessary oversight or governance practices in place.
The researchers offer these six recommendations:
- Create awareness throughout the organization that regulated data on mobile devices should be just as protected and secured as other sensitive and confidential information.
- Make sure security policies include guidance on what employees should be doing to protect the regulated data on the mobile devices they use. This includes emphasizing the importance of not circumventing or disabling security features.
- Conduct a data inventory of sensitive and confidential information to understand what regulated data is on the mobile devices of employees.
- Understand who is accessing regulated data through mobile devices and for what purposes in order to increase visibility of people and business processes.
- Consider data-centric protections for personally owned devices.
- Consider investing in technologies that specifically address the regulated data risk. These include mobile device management, mobile digital rights management, and mobile application management.
The full report is available online at http://tinyurl.com/k24gant.