Device Hardening Standards for Small Covered Entities & Business Associates
Chris Apgar
CEO & President at Apgar and Associates, LLC | HIPAA Privacy & Security Compliance
Introduction:
Information security is only as strong as its weakest link. Device hardening standards that are not enforced can result in a breach of unsecured protected health information (PHI) and other confidential data. Breaches are very costly, and so is being unable to affirmatively attest that workstations, especially mobile workstations such as laptops and tablets, were secure and that encryption was enforced at the time of the loss or theft; that inability can lead to rather expensive lawsuits.
The courts are swinging in the direction of upholding claims based on the potential for harm in the aftermath of a breach of protected health information (PHI) or personally identifiable information (PII). This is a new trend, replacing the courts' earlier position that unless harm can be demonstrated, plaintiffs cannot be awarded damages for a potential future event such as identity theft. This trend will likely continue, resulting in an increase in the number of court findings and settlements awarding damages to those whose PHI or PII was breached.
Device hardening is considered a reasonable safeguard against the loss of data and the compromise of workstations. Per the HIPAA Security Rule, covered entities (CEs) and business associates (BAs) must make reasonable efforts to secure the PHI that is created, used, disclosed, maintained or transmitted. 45 CFR § 164.306(a) states:
General requirements. Covered entities and business associates must do the following:
(1) Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity or business associate creates, receives, maintains, or transmits.
(2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
(3) Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under Subpart E of this part. (emphasis added)
It can easily be anticipated that the lack of enforced device hardening standards will result in a threat to the security of PHI. This is a case where the lack of device hardening standards could lead to civil suits, loss of business from diminished customer trust, and civil penalties levied by the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) and state attorneys general. Device hardening does not need to be expensive, but the lack of hardening most certainly can be.
Laptop Device Hardening Standards:
The following need to be addressed when hardening laptops, both to reasonably ensure the security of the data stored on the device and to prevent unauthorized intrusion into the device and into the networks the laptop will connect to.
1. Remove local administrator privileges from end users on all company-owned laptops and lock the devices down
2. Install and maintain mobile device management (MDM) tools that support –
a. Remote wipe of hard drives and flash drives
b. Device tracking in the event a device is lost or stolen
c. Enforced encryption of hard drives and flash drives, with the encryption status reported back to the MDM console so it can be proven later
3. Install and periodically update anti-malware applications
4. Install and periodically update host firewall applications
5. Enforce strong passcodes or passwords and require periodic password changes
6. Enable biometric authentication if available
7. If using Windows, properly set share and Microsoft New Technology File System (NTFS) permissions to keep network snooping to a minimum and to keep unauthorized users out of sensitive files stored locally
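One way to check whether a Windows laptop actually meets the items above, as an added example that is not part of the original article or the author's own tooling: a read-only PowerShell audit for Windows 10/11 (Windows PowerShell 5.1, run from an elevated prompt). It covers local administrators, BitLocker status, anti-malware, the host firewall, the local password policy, and NTFS and share permissions, and exits non-zero when anything fails so an MDM or RMM tool can treat the run as a compliance result. The folder list, the 12-character minimum, the 3-day signature age, the allow-list of expected administrators and the English-locale parsing of `net accounts` are assumptions for illustration; adapt them to your own fleet.

```powershell
# Added audit script (not from the original article): read-only checks for the
# laptop hardening items above on Windows 10/11 with Windows PowerShell 5.1.
# It reports and changes nothing. Values marked "assumed" are illustrative.
#Requires -RunAsAdministrator

$SensitivePaths       = @('C:\PHI', 'C:\Users\Public\Documents')   # assumed PHI locations
$MinPasswordLength    = 12                                         # assumed policy
$MaxSignatureAgeDays  = 3                                          # assumed threshold
$ExpectedAdminPattern = '\\(Administrator|Domain Admins)$'         # assumed allow-list
$Broad   = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users')
$Results = New-Object System.Collections.Generic.List[object]

function Add-Result([string]$Check, [bool]$Pass, [string]$Detail) {
    $Results.Add([pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail })
}

# 1. Local Administrators group: any member outside the allow-list is a finding.
$admins = @(Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name)
$extra  = @($admins | Where-Object { $_ -notmatch $ExpectedAdminPattern })
Add-Result 'No unexpected local admins' ($extra.Count -eq 0) ($admins -join ', ')

# 2c. Full-disk encryption: the OS volume must be fully encrypted AND protection on.
#     FullyEncrypted with ProtectionStatus Off (protectors suspended) does not count.
$bl   = Get-BitLockerVolume -MountPoint $env:SystemDrive
$blOk = ($bl.VolumeStatus -eq 'FullyEncrypted') -and ($bl.ProtectionStatus -eq 'On')
Add-Result 'OS drive encrypted by BitLocker' $blOk `
    "Status=$($bl.VolumeStatus) Protection=$($bl.ProtectionStatus) Method=$($bl.EncryptionMethod)"

# 3. Anti-malware: Defender real-time protection on with fresh signatures.
#    (If a third-party product replaced Defender, query that product instead.)
$mp   = Get-MpComputerStatus
$mpOk = $mp.AntivirusEnabled -and $mp.RealTimeProtectionEnabled -and ($mp.AntivirusSignatureAge -le $MaxSignatureAgeDays)
Add-Result 'Anti-malware enabled and current' $mpOk `
    "RealTime=$($mp.RealTimeProtectionEnabled) SignatureAge=$($mp.AntivirusSignatureAge)d"

# 4. Host firewall: every profile on, inbound blocked by default.
$fw    = @(Get-NetFirewallProfile)
$fwBad = @($fw | Where-Object { "$($_.Enabled)" -ne 'True' -or "$($_.DefaultInboundAction)" -eq 'Allow' })
Add-Result 'Firewall on for all profiles' ($fwBad.Count -eq 0) (($fw | ForEach-Object { "$($_.Name)=$($_.Enabled)" }) -join ' ')

# 5. Local password policy as enforced on this machine (English locale assumed;
#    a domain GPO may override these values, so check the GPO result as well).
$na     = net accounts
$minLen = [int]((($na | Select-String 'Minimum password length').Line -split ':')[1].Trim())
$maxAge = (($na | Select-String 'Maximum password age').Line -split ':')[1].Trim()
Add-Result "Minimum password length >= $MinPasswordLength" ($minLen -ge $MinPasswordLength) "MinLength=$minLen MaxAgeDays=$maxAge"

# 7. NTFS permissions: no Write/Modify/FullControl for broad groups on sensitive folders.
foreach ($p in $SensitivePaths) {
    if (-not (Test-Path -LiteralPath $p)) { Add-Result "NTFS ACL $p" $true 'path not present'; continue }
    $loose = @((Get-Acl -LiteralPath $p).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $Broad -contains $_.IdentityReference.Value -and
        "$($_.FileSystemRights)" -match 'Write|Modify|FullControl'
    })
    Add-Result "NTFS ACL $p" ($loose.Count -eq 0) (($loose | ForEach-Object { "$($_.IdentityReference)=$($_.FileSystemRights)" }) -join '; ')
}

# 7. Share permissions: flag any non-administrative share giving broad groups more than Read.
foreach ($s in @(Get-SmbShare | Where-Object { -not $_.Special })) {
    $loose = @(Get-SmbShareAccess -Name $s.Name | Where-Object {
        $_.AccessControlType -eq 'Allow' -and $Broad -contains $_.AccountName -and "$($_.AccessRight)" -ne 'Read'
    })
    Add-Result "Share $($s.Name) -> $($s.Path)" ($loose.Count -eq 0) (($loose | ForEach-Object { "$($_.AccountName)=$($_.AccessRight)" }) -join '; ')
}

# Report, then signal overall compliance through the exit code.
$Results | Format-Table Check, Pass, Detail -AutoSize
$failed = @($Results | Where-Object { -not $_.Pass }).Count
Write-Output "$env:COMPUTERNAME: $failed hardening check(s) failed at $(Get-Date -Format o)"
exit ([int]($failed -gt 0))
```

Keep the dated output from each run: a record showing the drive was FullyEncrypted with protection On on a given day is the kind of evidence needed to show that a later lost laptop was encrypted at the time of loss. Item 6 (biometrics) is not checked because it is a configuration of the sign-in method rather than a hardening state the script can verify generically.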
Tablet and Smart Phone Device Hardening Standards:
The following need to be addressed when hardening tablets and smart phones, both to reasonably ensure the security of the data stored on the device and to prevent unauthorized intrusion into the device and into the networks the tablets and smart phones will connect to.
1. Remove administrator privileges from end users on all company-owned tablets and smart phones and lock the devices down
2. Install and maintain mobile device management (MDM) tools (for company-owned and personally owned, BYOD, devices) that support –
a. Remote wipe of flash storage
b. Device tracking in the event a device is lost or stolen
c. Enforced encryption of flash storage
(NOTE: Apple tablets and smart phones are natively encrypted, but that protection is only as strong as the device passcode, so a passcode must be enforced. Newer Android versions also encrypt by default; on older Android devices and on Windows tablets, end users or IT staff need to turn encryption on, and the MDM should verify that it is on.)
d. Preferably, segregate company data from personal data on BYOD devices, for example with a managed work profile or container
3. Install and periodically update anti-malware applications (EXCEPTION: iPhones and iPads, where the app sandbox does not allow a third-party anti-malware app to scan other apps; rely on prompt iOS updates and MDM compliance checks instead)
4. Install and periodically update firewall applications (EXCEPTION: iPhones and iPads, where no third-party host firewall is available; use MDM restrictions and, where needed, a managed VPN instead)
5. Enforce strong passcodes or passwords and require periodic password changes
6. Enable biometric authentication if available
Summary:
Device hardening is considered a reasonable security safeguard, which means it is a "must do" for HIPAA compliance, for state law compliance in some states, and for avoiding costly lawsuits. The lack of device hardening can lead to expensive breaches, regulatory action, costly lawsuits and loss of business due to diminished customer trust. Also, CEs and BAs cannot take advantage of the HIPAA Breach Notification Rule safe harbor for encrypted PHI unless they can demonstrate that the device was actually encrypted at the time of the theft or loss, so the MDM's encryption compliance records should be retained. If a device is not locked down, it becomes difficult to attest that it was secure and that no PHI or PII could be accessed after it was lost or stolen.
Senior Manager, Global Records, TMF Management & Records at BeiGene
6 years ago
Interesting, do #DeviceHardening Standards not recommend #iPhone and #iPad periodic updates of firewalls and anti-malware apps because #cybercrime and #malware seldom target them?
Global Corporate Counsel | #AI #Contracting #Tech Laws #Privacy | Law & Compliance Strategy
6 years ago
Does AA provide services in India?