http://www.practicefusion.com/ehrbloggers
The proliferation of mobile devices has blurred the line between employer and employee information, and created new threats to sensitive data that are all too well chronicled. But common-sense steps can still be taken to minimize these risks without stifling the usefulness of these new tools, two data privacy and security experts said in a recent webinar.
“The shift in business models required us to have tech-savvy employees,” and now that consumers rather than businesses are driving the IT market, employees often bypass the procurement process, said Michael Spadea, CSS privacy manager for Microsoft Corp. “IT management didn’t necessarily change with the times.”
“It’s not just technology companies anymore addressing these issues,” added Christine Lyon, an attorney with Morrison & Foerster LLP. “Nobody has this entirely figured out yet,” and different businesses have different needs, so “slow down and think about this a bit,” she said.
“Step back and look at the big picture,” Spadea said. How mobile is your work force? How often do employees need company data, and how sensitive is this data? “You want to leverage the information classification scheme you already have in place,” he said. “Think about how you move the same or similar controls into the mobile environment.” Employees should be involved in this process because “it’s very important to get their feedback,” he added.
When assessing the risks and evaluating controls, “make sure your policies are specific enough but flexible enough to grow,” Spadea said. “Make sure the changes you’re making are doable.”
The risk assessment framework should take into account how employees will be using the devices. “Do all people need to be accessing the data all the time? Probably not,” Spadea said. “Think about managing the data, not the devices. Start from a data-centric point of view,” classify your data, then “make sure the devices themselves are going to meet your security policy.”
One key step is to secure access to the company’s network. “How will your mobile and remote employees be accessing company data?” Lyon asked. If you allow them to remote in, “how do you secure those connections?”
Then consider “what to do with the local copies” of data saved on the devices. Remote or automatic data “wiping” capability, if the device is lost or stolen, is a common capability, Lyon noted. But if the wipe would destroy the employee’s own data as well as company data, you’ll need to be very clear to them about that, and may need their legal authorization, she said.
Lyon and Spadea spoke in a webinar presented by the International Association of Privacy Professionals.
Remote access and other data security issues, particularly as addressed by HIPAA’s security standards, are covered in the Employer’s Guide to HIPAA and Employer’s Guide to HIPAA Privacy Requirements.