By: Chris Matthews, NREMT-P
Numerous reports and studies have demonstrated that healthcare professionals are increasingly using mobile devices in day-to-day clinical practice.
If you use your smartphone, tablet, or laptop for work and you have PHI (protected health information) on it, this is a headline you don’t want associated with you or your organization:
“A cancer center today began notifying almost 30,000 patients that their personal data was stolen after someone swiped an unencrypted laptop from a physician’s home almost two months ago.”
The reality is, though, that these devices will get lost and stolen. As mobile devices in particular become increasingly integrated into healthcare and other fields where data security is critical, many have proposed building in a “killswitch” that can remotely wipe and disable them.
A little info about data security:
To start, let’s go through a few of the basics about data protection, specifically about deleting data from your mobile devices. Some operating systems don’t truly delete your data, but “lose” a character from the filename. The operating system conveniently “forgets” where the file was located and what it was called, but actually, your data is still there, and it’s easy to recover.
Data shredder apps can completely overwrite the file with zeros or another character (my favorite of these for the PC is CCleaner by Piriform). The more times it is overwritten, the more complete the data obliteration. Do it enough times, say 7 or more, and you can safely assume your most secretive data cannot be recovered–except by the NSA or a forensic data specialist with tens of thousands of dollars of equipment.
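To make the difference between deleting and shredding concrete, here is an added illustration that is not part of the original article. It is a toy model of a FAT-style disk (the `ToyVolume` class, file names and records are all constructed for this example) in which a normal delete only changes the first character of the filename, while a shred overwrites the data with zeros first.

```python
# Toy FAT-style volume: a directory table plus fixed-size data blocks.
# Everything here is constructed for illustration; it is not a real filesystem.
BLOCK = 32
DELETED = "\xe5"  # stands in for the 0xE5 byte FAT writes over the first filename character

class ToyVolume:
    def __init__(self, blocks=8):
        self.disk = bytearray(BLOCK * blocks)
        self.directory = []          # entries: [name, first_block, length]
        self.next_free = 0

    def write(self, name, data):
        start = self.next_free
        self.disk[start * BLOCK:start * BLOCK + len(data)] = data
        self.directory.append([name, start, len(data)])
        self.next_free += -(-len(data) // BLOCK)   # round up to whole blocks

    def _find(self, name):
        for entry in self.directory:
            if entry[0] == name:
                return entry
        raise FileNotFoundError(name)

    def delete(self, name):
        """Ordinary delete: only the directory entry changes, the data stays."""
        entry = self._find(name)
        entry[0] = DELETED + name[1:]

    def shred(self, name, passes=1):
        """Overwrite the file's bytes with zeros, then delete the entry."""
        entry = self._find(name)
        _, start, length = entry
        for _ in range(passes):
            self.disk[start * BLOCK:start * BLOCK + length] = bytes(length)
        self.delete(name)

    def undelete_scan(self):
        """What a recovery tool does: read the data behind deleted entries."""
        return {name: bytes(self.disk[s * BLOCK:s * BLOCK + n])
                for name, s, n in self.directory if name.startswith(DELETED)}

def demo():
    vol = ToyVolume()
    vol.write("PATIENTS.CSV", b"constructed sample record: Jane Doe, MRN 000000")
    vol.write("NOTES.TXT", b"constructed sample note")
    vol.delete("PATIENTS.CSV")   # plain delete
    vol.shred("NOTES.TXT")       # overwrite, then delete
    return vol.undelete_scan()

if __name__ == "__main__":
    for name, data in demo().items():
        print(repr(name), data)
```

The deleted file comes back intact from the scan, while the shredded one comes back as zeros. On a real device the overwrite only helps if it lands on the same physical blocks as the original data, which flash storage does not guarantee.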
Step back in time with me to the ’80s and early ’90s and think of it like this:
You know you are going to miss a favorite TV episode, so you set your VCR to record the show while you are away. You come home, rewind and watch the show. You finish watching and rewind the tape and set it up for the next episode to record. Over and over you repeat this. You begin to notice shadows of the previous episodes the more you do this. You see, the magnetic “tape” in your videocassette develops a memory of previous tapings and that’s what is bleeding through to your new episodes.
A well-practiced video editor can even isolate and filter those shadows and recondense them back to show you much of the supposedly “erased” episodes. What you need to do is wipe the tape a few times by recording static, or run it through a “degausser” (a large electromagnet that purges all the magnetic data on your disk). I used to just set my tapes on the entertainment center’s subwoofer cabinet. Within minutes, it was completely remagnetized, leaving no trace of previous episodes, and future recordings were much cleaner. That’s what we want with the disks built into our phones, tablets, and computers. We want to leave no trace of the data we used to have.
Flash memory expansion cards, which are available in every mobile platform, do not use a magnetic storage medium, meaning the data will not likely be obliterated by a magnet or degausser.
Right now, if you really want to delete data from your mobile device then do the following–gently place it in the middle of the driveway, smash it with a sledgehammer several times, drive over it with your truck a few more times, then pour kerosene over it and light it on fire until it is just pieces and molten slag. That doesn’t work so well when the computer is stolen from you. Thieves generally don’t care about being courteous enough to return your hard drive so they can protect your data.
Having a remote wipe utility on your mobile device could go a long way toward protecting PHI from would-be thieves, but it may not be enough. You may want a killswitch too.
What will the killswitch do?
This new killswitch idea goes one step further and “bricks” your phone via a remote control signal. That means that it cannot be recovered and resold as a usable phone. The phone would only be good for parts, like the touchscreen, battery, and casing. The phone would be non-functional. The data would most likely be unrecoverable too.
Currently, apps like Cerberus and Avast! help geolocate your phone and remotely wipe the data, allow you to capture camera and audio feeds, and send alarms and alerts to your phone. You can use them without root access, but if the thief or lucky guy who “found” your phone performs a hard reset and wipes all your stuff, those apps go with it. If your phone is rooted, those apps can remain in the system, hidden, so even a phone reset won’t get rid of them and you can still track your phone down or wipe its data when it finds another web connection.
For killswitches to become available, we need legislation. Why?
Simply put, it’s another expense. We already pay more for some smartphones than we pay for some laptops and tablets! If manufacturers are going to do it, it will be either because legislation forced them to do it or because the consumer has demanded the feature.
So, if you want the killswitch on your future phones, you can either contact your elected representatives and make it an issue, or you can contact the phone manufacturers and ask them for the feature.
There is one distinct drawback to this idea… you don’t want to make your ex mad if they have a way to activate your killswitch!
Some side notes:
- Read the article where I learned about this here: NYTimes blog
- Peruse this list of articles and you’ll see no shortage of healthcare organizations that have reported data breach or loss, including the Office of the Medicaid Inspector General!
- The feds even offer some decent advice on how to deal with mobile device management in healthcare IT.