
What auto encryption in Android Lollipop, iOS 8 means for healthcare

From the mHealthNews archive
By Tom Sullivan

With Apple ready to unveil its next generation of iPads, rival Google has unwrapped Android 5.0 and accompanying phones and tablets.

Like the iOS 8 that Apple delivered in September, Google’s latest iteration of Android, also dubbed L or Lollipop, brings a new level of information security via automatic encryption.

Eliot Frantz, CEO and founder of the ethical hacking firm Virtue Security, called it “a great step forward,” but added that for HIPAA-covered entities “it’s no reason to kick back and relax.”

How it works
Apple and Google are essentially forcing users to turn on a capability that has already been present in their mobile operating systems.

“Requiring encryption as part of device activation, instead of an option, will help secure the mobile device ‘fad’ as we know it today,” said Steve Marco, founder of HIPAA One, which sells software for identifying gaps in HIPAA compliance. “And I use the term ‘fad’ not to indicate that tablets and smartphones are going away, but that the digital ePHI footprint, or as hackers call it ‘attack surface area,’ is typically very small on these devices.”

True, but lost or stolen mobile devices are increasingly at the heart of the data breaches peppering headlines these days, in a healthcare industry notorious for lagging on encryption.

Automating encryption “will provide another layer of security when these devices contain a consumer's PII or PHI,” said Rick Kam, president and co-founder of ID Experts, which offers data breach response solutions. “This will also help reduce privacy and security risks when these devices are used within HIPAA-regulated organizations.”

The key word is “help,” since this level of encryption won’t solve all of a medical practice’s encryption needs. And it’s worth considering that the feature has been increasingly controversial since the companies first announced it.

What default encryption will do
Requiring users to set a passcode just to activate their phones has advantages for healthcare organizations.

Mandatory encryption will provide additional assurances for healthcare organizations concerned about the data on Apple iPhones and iPads and the various smartphones and slates that run Google’s Android, Marco said.

“This will keep the majority of low-skilled snoopers from obtaining the data,” Frantz added.

In other words: When one of your employees loses a device housing PII or PHI, it will be much harder for the casual thief to get in and look around (unless, of course, they manage to guess the password).

“It will definitely help,” Frantz said, “but it's still far from a complete data protection solution.”

What’s more, iOS 8 and Android Lollipop run on a limited range of machines: Chromebooks, smartphones and tablets. Small medical groups and large health systems alike still have to encrypt the array of devices that employees use, including laptops, thumb drives, even backup tapes.

“After all, encrypting all ePHI data will significantly reduce the risk of theft, loss and improper disposal,” Marco said.

What it will not do
Frantz said that time and again he sees technical controls that appear to satisfy HIPAA requirements, until one takes a deep dive and evaluates all the other avenues that hackers can use to bypass those controls.

Because of the open nature of its Google Play relative to Apple’s App Store, for instance, Android tends to be more vulnerable to users downloading malicious apps.

Which is not to say App Store apps are bulletproof. Gartner has published research results finding that 75 percent of mobile apps fail existing security tests and has predicted that this will continue deep into 2015. As far into the future as 2017, it predicts, “mobile application misconfigurations” will trigger 75 percent of breaches.

Frantz recommends that users opt for more complex passwords than the typical four-digit PINs to strengthen the default encryption.
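To make that recommendation concrete, here is an added example (not from the article or from Virtue Security) that models how the passcode's alphabet and length bound the cost of guessing it when the device-encryption key is derived from that passcode; the guess rates used are assumed values chosen for illustration, not measurements of any device.

```python
# Added example: why a longer, mixed-character passcode strengthens
# passcode-derived device encryption more than a 4-digit PIN does.
# Guess rates below are constructed assumptions, not measured figures.
import math

PIN_DIGITS = 10                 # 0-9
ALPHANUMERIC = 26 + 26 + 10     # a-z, A-Z, 0-9

# Assumed guessing rates (guesses per second) for two attacker positions:
# one throttled by the device's unlock screen, one running the key
# derivation offline against a copied storage image.
THROTTLED_RATE = 1.0
OFFLINE_RATE = 10_000.0


def search_space(alphabet_size: int, length: int) -> int:
    """Number of distinct passcodes of exactly `length` symbols."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Guessing entropy of a uniformly chosen passcode, in bits."""
    return length * math.log2(alphabet_size)


def expected_guess_seconds(alphabet_size: int, length: int,
                           guesses_per_second: float) -> float:
    """Average time to hit the passcode by exhaustive search: on average
    half of the space has to be tried before the right one turns up."""
    return search_space(alphabet_size, length) / 2 / guesses_per_second


def compare(guesses_per_second: float) -> list:
    """Return (label, bits, expected seconds) for representative policies."""
    policies = [("4-digit PIN", PIN_DIGITS, 4),
                ("6-digit PIN", PIN_DIGITS, 6),
                ("8-char alphanumeric", ALPHANUMERIC, 8)]
    return [(label, entropy_bits(a, n), expected_guess_seconds(a, n, guesses_per_second))
            for label, a, n in policies]


if __name__ == "__main__":
    for rate in (THROTTLED_RATE, OFFLINE_RATE):
        print(f"assumed rate: {rate:g} guesses/s")
        for label, bits, secs in compare(rate):
            print(f"  {label:22s} {bits:5.1f} bits  ~{secs / 86400:12.2f} days")
```

The point the numbers make is that a 4-digit PIN only holds up while the attacker is throttled; once guessing can run offline, only the larger search space of a longer mixed passcode keeps the expected time meaningful.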

“It is common wishful thinking that encryption solves all of our problems,” he said, “but it is often similar to locking our front door and leaving the windows wide open.”

This article originally appeared on mHealth News sister site Medical Practice Insider.
