
1 in 7 Password Protected Mobile Devices Aren’t!
Is this a HIPAA headache? Over the last few years we have seen notable growth in our Healthcare Practice, with three main drivers:
- Increased burden of proof (e.g., United Healthcare won't do business with you anymore unless you can prove you are secure)
- Third-party woes (e.g., with 62% of personal health information breaches attributable to third parties, due diligence on vendors is no longer optional)
- Mobility (e.g., we need to get our arms around PHI on mobile devices)
Mobile security tends to focus on three main controls:
- Password-protect devices (so only authorized users can unlock the device)
- Encrypt devices (so an unauthorized user who bypasses the lock still can't read the underlying data)
- Remote wipe (so data can be destroyed before a determined attacker works around the other two controls)

I happened upon a great blog that points out that passwords may not provide the protection most of us hope for, and that "complexity" needs to be enforced on the PINs that protect most devices. Based on an evaluation of over 200K iPhone PINs, just 10 PINs (out of a possible 10,000) account for 15% of all PINs in use. iPhones are commonly configured to allow 10 failed passcode attempts before the phone wipes itself, so an attacker who simply tries those 10 most popular PINs in order will, statistically, unlock roughly 1 in 7 of your PHI-containing devices (unless you were already clever enough to include PIN complexity in your Mobile Device Security Policy). Note that the lockout budget and the attacker's guess list are the same length: the erase-after-10-failures setting does nothing against the top 10 guesses.
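To make the arithmetic behind that "1 in 7" concrete, here is an added example (my code, not the original post's and not the blog it cites). The PIN frequency table is constructed for illustration: ten popular PINs are weighted so that together they carry 15% of the population, and the other 85% is spread evenly over the remaining codes. The policy rules in is_weak_pin are an assumed, reasonable complexity policy rather than anything the post prescribes. The example shows the attacker's success rate against an unmanaged population and how far it drops once weak PINs are banned.

```python
"""PIN-guessing odds under a 10-attempt lockout, and a simple PIN policy.

All data here is constructed for the example; it is not the 200K-PIN dataset
the post refers to.
"""
import math

# Constructed: ten popular PINs whose weights sum to exactly 0.15 (15%).
TOP_TEN = {
    "1234": 0.040, "1111": 0.025, "0000": 0.020, "1212": 0.015,
    "7777": 0.012, "1004": 0.010, "2000": 0.010, "4444": 0.008,
    "2222": 0.007, "6969": 0.003,
}


def pin_distribution() -> dict:
    """Map every 4-digit PIN to its (constructed) share of the population."""
    rest = 1.0 - sum(TOP_TEN.values())
    others = [f"{i:04d}" for i in range(10000) if f"{i:04d}" not in TOP_TEN]
    dist = dict(TOP_TEN)
    for pin in others:
        dist[pin] = rest / len(others)
    return dist


def guess_success_probability(dist: dict, attempts: int) -> float:
    """Chance that an attacker who tries the `attempts` most common PINs
    (most popular first) unlocks a randomly chosen device before lockout."""
    ranked = sorted(dist.values(), reverse=True)
    return sum(ranked[:attempts])


def is_weak_pin(pin: str) -> bool:
    """Assumed complexity policy: reject the usual easy-to-guess shapes."""
    if not pin.isdigit() or len(pin) < 4:
        return True                                   # too short / not numeric
    if pin in TOP_TEN:
        return True                                   # on the blocklist
    if len(set(pin)) == 1:
        return True                                   # 1111, 7777, ...
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    if steps in ({1}, {-1}):
        return True                                   # 1234, 9876, ...
    for n in range(1, len(pin) // 2 + 1):             # 1212, 123123, ...
        if len(pin) % n == 0 and pin[:n] * (len(pin) // n) == pin:
            return True
    if len(pin) == 4 and pin[:2] in ("19", "20"):
        return True                                   # birth years
    return False


def policy_success_probability(dist: dict, attempts: int) -> float:
    """Attacker's odds once weak PINs are banned and users are pushed onto
    the allowed set (shares renormalised over the allowed PINs only)."""
    allowed = {p: w for p, w in dist.items() if not is_weak_pin(p)}
    total = sum(allowed.values())
    ranked = sorted(allowed.values(), reverse=True)
    return sum(ranked[:attempts]) / total


def one_in_n(probability: float) -> int:
    """Express a probability as '1 in N' for the executive summary."""
    return round(1.0 / probability)


if __name__ == "__main__":
    dist = pin_distribution()
    before = guess_success_probability(dist, attempts=10)
    after = policy_success_probability(dist, attempts=10)
    print(f"no policy : {before:.3f} (about 1 in {one_in_n(before)})")
    print(f"with policy: {after:.5f} (about 1 in {one_in_n(after)})")
    for candidate in ("1234", "1998", "2580", "8361"):
        print(candidate, "weak" if is_weak_pin(candidate) else "ok")
```

The key point the numbers make: the lockout limit only helps when the attacker's best guesses are individually rare. A complexity policy that removes the popular shapes is what makes the 10-attempt budget meaningful, and it is enforceable through the MDM profile rather than by trusting users to pick well.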
I thought I was very smart for using the pattern-tracing lock on my Android device instead of an easily guessed PIN – until my phone was recently "hacked" by my 12-year-old daughter. She had "guessed" my swipe based on the "swipe print" that my unlocking had left (it was readily visible if the phone was viewed off angle with the screen unlit). On testing, I was able to determine the 4 numbers of my new PIN the same way – at that point it's just a matter of determining the order.
Not sure that I have ever recommended Windex in the findings of a Mobile Data Security Assessment … but there is always a first time!

About the Author:
John W. Verry, CISA/27001 Lead Auditor/CCSE/CRISC - "Security Sherpa" - Information Security Auditor