How to Overcome the Problems Achieving HIPAA Compliance for Mobile Devices

Implementing and maintaining a secure and compliant HIPAA environment places a heavy burden on healthcare organizations, with current solutions failing to consistently meet the strict regulatory requirements. Symmetrium’s compliant-by-design mobile device management solution is now a game changer, ensuring HIPAA compliance through the use of a single, low maintenance application. 

The use of mobile devices has become a staple feature of every healthcare environment. But while they are transforming patient care, the security risks mobile devices pose to confidential patient information are a growing concern. This is why access to healthcare data via mobile devices has been specifically addressed by the Health Insurance Portability and Accountability Act (HIPAA), a federal law requiring the creation of national standards to protect sensitive patient health information from being disclosed.


Challenges Involved in Protecting ePHI

HIPAA protects electronic protected health information (ePHI) that is produced, saved, transferred or received in electronic form. Every entity that has access to ePHI needs to be compliant with HIPAA rules. This applies to doctors, nurses, clinics, pharmacies, insurance companies and anyone else accessing ePHI: they all need to be compliant.

HIPAA states: “Healthcare providers, other covered entities, and business associates may use mobile devices to access electronic protected health information (ePHI) as long as appropriate physical, administrative, and technical safeguards are in place to protect the confidentiality, integrity, and availability of the ePHI on the mobile device and appropriate BAAs [Business Associate Agreements] are in place with any third-party service providers for the device and/or the cloud that will have access to e-PHI.”

However, staff mobility, remote employees, third-party contractors and BYOD policies are just a few of the reasons implementing adequate security and compliance solutions to meet HIPAA requirements is increasingly difficult. 


Vulnerabilities in Current Solutions 

With a heavy burden placed on the healthcare sector to be HIPAA compliant, the first line of defense is to ensure devices include the necessary safeguards against theft and data loss through a robust layer of security.

HIPAA regulations also require that ePHI data must be encrypted when transmitted over a network. The most popular way of doing this is to create a VPN through which VDIs (virtual desktop infrastructure) connect to the data; the VPN tunnel provides the transport encryption, so the data itself does not need to be separately encrypted in transit. This, however, raises problems.

Usage can be limited because a user needs to make sure no one else is using the VDI. This means users have limited flexibility, and the environment can be more difficult to scale as needed. This can be a problem for organizations with fluctuating user numbers or those looking to implement a bring-your-own-device (BYOD) policy. There are also security concerns, as users operating in a VDI environment can click on a malicious link in an email or on a web page just as easily as someone using a physical desktop.

VDIs also require a heavy level of management and maintenance, which places a heavy burden on qualified IT staff, where ongoing training and staff turnover can become problematic. To comply with HIPAA, data encryption and data wiping tools may also need to be implemented and maintained. This adds to the management burden.


Achieving HIPAA Compliance with One Solution

HIPAA compliance can be achieved using only one solution. Symmetrium is HIPAA compliant by design for mobile devices. Symmetrium creates virtual mobile devices (VMDs) that reside within the protected perimeter of a healthcare organization’s network and thus adhere to all existing enterprise network and HIPAA security protocols. This ensures that ePHI data is kept private and protected, avoiding security breaches and massive fines.

Symmetrium VMDs use P2P encrypted streaming, which allows healthcare workers to view ePHI data via a portal using their own devices. This view-only access means ePHI data never leaves the protected organizational network and therefore is never transferred to a user’s external device. This ensures the data at all times remains secure and compliant, never coming to rest on devices outside of the protected organizational IT environment.

The result is an easier life for regulatory officers and CIOs thanks to the less complicated management of ePHI data, because:

  1. Symmetrium’s VMDs become a virtual extension of all existing HIPAA compliance protocols, are seamless to deploy and offer a native mobile experience.

  2. They immediately ensure HIPAA compliance in BYOD environments using custom end-to-end encrypted streaming with no ePHI data at rest. This means that each mobile user is treated as an on-prem endpoint, so the organization can control when and where users access ePHI data.

  3. Symmetrium’s minimum-resources mobile access solution has very light operational requirements and meets demanding security compliance requirements while integrating smoothly into existing data access protocols. The result is HIPAA compliance using one single app.


Isn’t it time you reconsidered your approach to meeting HIPAA requirements? Book a demo with Symmetrium here.

SEC Issues Over $2bn in Fines to Crack Down on Use of WhatsApp and Other Messaging Apps

With financial institutions struggling to meet their regulatory obligations regarding messaging apps, the sector could have saved billions of dollars by using Symmetrium to minimize their exposure.

When JPMorgan was hit with $200 million in SEC fines in Dec 2021 for letting employees use WhatsApp, it should have been a warning sign. Less than a year later, the US Securities and Exchange Commission (SEC) struck again, fining 16 Wall Street firms $1.8B for using private text apps.

This avalanche of fines was imposed on banks and financial institutions for allowing employees to discuss business via unapproved and unmonitored messaging systems, such as WhatsApp. Such discussions are legally required to be recorded, stored and available to government authorities to review when required.

The sector has been cracking down heavily on the use of unsecured messaging apps for business. In 2020, for example, a senior credit trader at JPMorgan was suspended for communicating via WhatsApp with colleagues at Jefferies, KPMG, and VTB Capital. 


Financial Institutions Struggling to Meet Regulatory Requirements

With the pervasive use of mobile phones as hybrid work policies become the norm, the exposure firms face has risen sharply compared with the time when only email was being used. All email messages could be stored and archived on corporate email servers to meet regulatory requirements, but now, with BYOD (Bring Your Own Device) policies and the widespread use of messaging apps, banks are struggling to meet SEC requirements.

WhatsApp remains the most popular messaging app, but more than a half dozen others are regularly used, such as Facebook Messenger, iMessage, WeChat and Telegram. Their prevalence is giving Compliance Officers at financial services firms sleepless nights as workplace smartphones and BYOD policies create a perfect storm for users to intentionally or even accidentally breach SEC rules. 


How The Sector Could Have Avoided Billion-Dollar Fines

Sharing data using unauthorized messaging apps and personal email accounts not only flouts SEC regulations but can also expose sensitive data to security risks. Symmetrium’s zero trust mobile access solution has been specifically designed to help organizations operating in highly regulated sectors to remain compliant by keeping data protected, particularly in BYOD environments. 

Symmetrium is device agnostic and works by creating virtual mobile devices (VMDs) within the organization’s own IT environment. These VMDs sit within this protected environment, and when remotely accessed they act as extensions of all organizational security and compliance policies using end-to-end encrypted streaming. So when messaging through Symmetrium’s mobile access solution, all regulatory obligations are adhered to in this highly controlled environment. The result is a completely secure, compliant and native mobile experience with seamless deployment and management.


Ensuring All Data Remains SEC Compliant

With messages sent by authorized users who access Symmetrium virtually via the organizational network, the messages and any associated data never sit on the user’s actual device. The result is that data remains secure and archived to meet the SEC’s requirements.

Each mobile device acts as an on-prem laptop, allowing for full control over employee messaging to shield financial institutions from any risks associated with using messaging apps, such as WhatsApp. 

This allows for minimum-resources mobile messaging management via a central management console for all devices, operating systems and brands. Everything integrates smoothly into existing security and GRC data access protocols through one single app. The result is that organizations can finally be confident their data and messaging remain secure and compliant at all times, avoiding crippling fines and potential data breaches.

Discover how Symmetrium can keep your data and employee messaging compliant by booking a demo here.


The Challenges in Creating a Secure Zero Trust Environment

Most organizations will struggle to implement and securely manage zero-trust environments, due to the many challenges involved, without the adoption of Symmetrium’s Virtual Mobile Device solution. 

The traditional perimeter of organizational networks has been obliterated by the rise of remote work and SaaS services, forcing the implementation of zero-trust environments. This is necessary to cope with the unprecedented growth in endpoints and data sources operating beyond the confines of the traditional organizational network.

Zero trust provides a more comprehensive approach to security than traditional methods. The core principle of zero trust is to trust nothing and verify everything. This means that all users, devices, apps, software and data, both inside the network and outside, must be verified and protected. Organizations can therefore, in principle, reduce the attack surface that malicious actors target to steal data, compromise passwords and carry out other malicious activities.


Problems Implementing Zero Trust

While zero trust is a key strategic focus for most organizations to reduce risk, according to Gartner, very few organizations have completed the scope of their zero-trust implementations.

Many of the associated challenges to implementing a true zero-trust environment are linked to the hybrid work culture, which has become a significant obstacle in securing this model. With more employees working outside the boundaries of the corporate network, using their own devices to connect to sensitive business data, security vulnerabilities have spiked. 

The use of non-secured mobile devices has resulted in an entire stack of identities and endpoints that require a full set of resources to continuously secure, protect and manage them. This requires mapping how users and their devices access and interact with sensitive data. Current solutions focus on managing these users and devices to help increase cyber resiliency and remote access.


Zero Trust’s Fundamental Flaw

This exposes a fundamental flaw in their approach — a focus on users and devices, and not on data. So once users are granted access, the data they access using their mobile comes to rest on that device. The data is thus no longer within the secure confines of the corporate network environment and is exposed and vulnerable on the device it now resides on.

Security will always be maximized when there is no data at rest and therefore no data at risk. This is how Symmetrium, a zero-trust data mobile access solution, enables productive collaboration while dramatically minimizing the risk of data breaches. It achieves this by turning any mobile device, managed or unmanaged, into a virtual extension of an organization’s network, with all its compliance, security, and IT. 


The Only True Zero-Trust Approach

Using Symmetrium means organizations don’t have to ditch and replace technology to implement a secure zero-trust environment. This is because Symmetrium creates virtual mobile devices (VMDs) that sit protected within the perimeter of an organization’s network and therefore adhere to all existing enterprise network security protocols.

These VMDs use P2P encrypted streaming to allow authorized remote and third-party users to view data using their own devices. Data accessed in this view-only mode never leaves the protected organizational network and is therefore never transferred to an external device. This ensures the data remains secure at all times and never comes to rest on external devices.

With zero trust now vital for organizations to survive digital transformation, it is critical to overcome the associated challenges. In a world where data, resources and employees are outside the enterprise perimeter, the only true zero-trust approach is to ensure “no data at rest”, and Symmetrium’s VMDs are the perfect solution to make this happen.

So, isn’t it time you reconsidered your approach to zero-trust security? Book a demo with Symmetrium here.
