The importance of encrypting your mobile devices and ensuring no patient data is exchanged - Meaningful Health Care Informatics Blog

Meaningful Health Care Informatics Blog

Mar 6 2011   9:27PM GMT





Posted by: Reda Chouffani
smartphone, secure data, HIPAA, mhealth, mobile health

I had recently been asked by a friend to assist in recovering data that was previously stored on a smartphone. I had plenty of disclaimers to provide, as I have had no prior experience with this type of phone, but when a friend is in distress, instincts kick in and I ended up doing some research on the matter.

Within hours, I was able to identify several tools that helped with this issue, and to my surprise, it was very easy to recover all data without even having the phone available!

With many of the smartphones used in the marketplace, end users tend to plug them into their PCs/laptops to sync with their music and documents; this specific smartphone was no exception. Apparently the utility that comes with the phone allows a full – I mean “full” – backup of the entire phone to your PC.

Now that I had found the backups of this smartphone and where they were sitting in the file system, it was just a matter of figuring out how to make sense of any of the files.

The second item of business was to identify tools that can browse the actual backups. With the use of some widely available freeware utilities, I was able to simply browse to the backup folder, and then, voila! I was able to see all the backup files, and their full names (the backup replaced the original file names with unique identifiers).

The next step was to review all the files that were listed under his utilities, and to my surprise I was able to identify certain files, such as SMS (sms.db), cookies, websites, cached images, etc. With a little bit more research, I discovered that all the files with the extension db were nothing more than SQLite files (flat database files). So I proceeded to download the SQLite database browser.

Sure enough, by simply viewing the sms.db file, the entire history of text messages (including the deleted ones) was available to me with no prior knowledge of passwords or access to the phone itself.

So what does this mean for health care? Simply put, if you are a health care security administrator, or a physician, you will have the following concerns to deal with:

· Ensure that any patient related information is not stored permanently on the mobile phone

· Ensure that any backups that are being performed are encrypted and stored in the cloud securely and not on end user PCs

· Ensure that the mobile device is secured via passwords or patterns

· Keep in mind that if the device is lost or stolen, its data can easily be accessed

· Keep in mind that if a laptop that was used to synchronize the phone is lost or stolen, the data can also be jeopardized

My friend was able to gain access to the full contact list, call history, text messages and all images taken by the phone cam. There were some great lessons learned throughout this process. The bottom line: we all need to be aware that we must always question the security of the devices we may use, especially when they are dealing with patient information.
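One way a security administrator could check a workstation's sync or backup folder for unencrypted phone databases, as an added example that is not part of the original post: it flags files by their SQLite header rather than by name (backups may rename files to unique identifiers) and reports table names only. The function names and the sample file names are hypothetical and constructed for illustration.

```python
import os
import sqlite3
import tempfile
from pathlib import Path

SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of every SQLite 3 file

def has_sqlite_header(path):
    try:
        with path.open("rb") as fh:
            return fh.read(16) == SQLITE_MAGIC
    except OSError:
        return False  # unreadable file: cannot be classified

def table_names(path):
    """List table names only (schema, never row contents), opened read-only."""
    try:
        conn = sqlite3.connect(path.resolve().as_uri() + "?mode=ro", uri=True)
        try:
            query = "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name"
            return [row[0] for row in conn.execute(query)]
        finally:
            conn.close()
    except sqlite3.Error:
        return []  # header matched but the file is damaged or locked

def audit_backup_dir(root):
    """Map each plaintext SQLite file under root to its table names.

    Files are identified by header, not name, because backup tools may
    replace original file names with opaque identifiers.
    """
    root = Path(root)
    files = sorted(p for p in root.rglob("*") if p.is_file())
    return {p.relative_to(root).as_posix(): table_names(p)
            for p in files if has_sqlite_header(p)}

def demo():
    """Audit a constructed backup folder: one plaintext DB, one opaque blob."""
    with tempfile.TemporaryDirectory() as tmp:
        conn = sqlite3.connect(os.path.join(tmp, "3d0d7e5fb2ce"))  # constructed name
        conn.execute("CREATE TABLE message (id INTEGER PRIMARY KEY, body TEXT)")
        conn.commit()
        conn.close()
        # Random bytes stand in for a file from an encrypted backup.
        Path(tmp, "a41f9c0027bb").write_bytes(os.urandom(4096))
        Path(tmp, "Info.txt").write_text("constructed sample\n")
        return audit_backup_dir(tmp)

if __name__ == "__main__":
    for name, tables in demo().items():
        print(f"UNENCRYPTED {name}: tables={tables}")
```

Any file this reports in a backup folder is stored in the clear on that PC; an encrypted backup yields no findings because its files no longer begin with the SQLite header.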


FergalEmmanuel  |   Mar 7 2011   5:17AM GMT

It has become increasingly clear that the daily functioning of a healthcare provider depends on the integrity and reliability of the provider’s information systems. Patient care, research, operations, and finance all rely on highly available, trustworthy, and robust applications, data, and infrastructure. A provider’s ability to ensure that its IT systems are there when they are needed can be threatened by hackers, viruses, and worms. And the confidentiality, integrity, and availability of patient, personal, and business data can be threatened by phishing and the loss of portable devices. The importance and challenge of healthcare IT security is not lost on most hospitals and physician practices. Nor is it lost on federal and state government. Government has a central role in protecting citizens, and in the case of healthcare IT, it has acted accordingly, publishing regulations that require greater levels of information security - levels seen as necessary to protect people from the consequences of released, sensitive information and disruptions in the operations of organizations that serve the public good.