June 16, 2014
Bring Your Own Device–But Carefully!
By Michael D. Shaw
For many people, the 2013 feature Terms And Conditions May Apply was their introduction to just how extensive and invasive data collection has become. It is all “voluntary,” of course, based on their agreement to software/app, website, and search engine terms and conditions. Even worse is what the consumers of Big Data do with this information.
Powerful computers and specialized programs allow virtually endless data dredging, whereby large volumes of information are analyzed in search of any possible relationships between data, occasionally for unethical purposes. Such practices can result in relatively benign consequences, such as seeing ads for various drugs and media appear in your browser after making searches on “diabetes.” But you could also post a silly suggestive remark on a social media site, and experience a nasty interaction with law enforcement—based on ridiculously premature conclusions being drawn—hours later. Indeed, such horror stories are detailed in the movie.
Whoever said that data dredging is “seeking more information from a data set than it actually contains” was definitely onto something.
At least, all this is being done, in theory, with your consent, as you agreed to the terms and conditions. However, there is plenty more going on behind the scenes, especially regarding your mobile devices, that most assuredly does not have your consent. Reports of security flaws in mobile apps have skyrocketed, including this recent shocker:
Back in March, the FTC reached a settlement with Fandango and Credit Karma over charges that they deceived consumers by misrepresenting the security of their mobile apps and failing to secure the transmission of millions of consumers’ sensitive personal information. The complaints charged that Fandango and Credit Karma disabled a critical default process, known as SSL certificate validation, which would have verified that the apps’ communications were secure. This exposed the apps to “man-in-the-middle” attacks, which would allow an attacker to intercept any of the information the apps sent or received.
Given the proliferation of BYOD (bring your own device) policies in vast, critical, and sensitive health care networks, mobile device security is—in an apt metaphor—as serious as a heart attack. I recently caught up with Andrew Hoog, computer scientist, mobile forensics researcher, and CEO/co-founder of viaForensics, a mobile security company. According to Andrew, “As the BYOD workplace becomes a reality, traditional computer security approaches are rendered largely ineffective. Mobile devices are a new attack surface, one where the biggest threat comes not from malware, but unsecured apps.”
He continues: “Of 100 popular apps we recently tested, 60% had significant vulnerabilities. These insecure, or ‘leaky’ apps, pose security risks to individuals and enterprises alike.”
Arguably second only to those of financial institutions, the computer networks of health care organizations offer hackers the choicest pickings around. Insurance details, private health information, social security numbers, and names of next of kin are all in play, along with assorted methods of payment and employment data. Mobile phone hacks, courtesy of leaky apps, provide a backdoor for data thieves. Sadly, the damage done in an instant to affected individuals can take months or even years to repair. If specific medical records or insurance information are compromised, a patient’s health might be put in danger. Relatively minor HIPAA violations can result in stiff fines.
I’ll give Andrew the last word:
“To secure mobile borders, CIOs, IT Managers, employees, and everyday mobile device users should be installing security applications on their mobile devices that allow them to see and control what is happening with their data. This is why we created viaProtect, a mobile app that allows you to see exactly what is happening with your data so you can make more informed choices. It is available at no charge from Google Play and the App Store.”