How frustrating is it to lose a smartphone?

How frustrating is it to lose a smartphone? $650,000 worth, if you are Catholic Health Care Services of the Archdiocese of Philadelphia. An employee of theirs lost an iPhone last year. It’s easy to do so – but the iPhone was not encrypted, was not password protected, and had extensive ePHI on it.

Most workers would say that they don't store ePHI on their phone. They don't use it to access an EMR, open any spreadsheets, or take any notes on their phone. However, ePHI, like water, has a way of leaking out to unexpected places. If you get corporate email on your phone, then you've probably been CC'd on a message with an attached spreadsheet, which often has ePHI. If you've installed Dropbox, or a similar app, on your phone, the data is usually accessible, especially if you've got auto-login enabled - or if the app caches any data locally.

Rather than worry about what's on your phone, it's simpler to secure it and go about your day. Here’s a minimum baseline:

  • Configure a screen lock, and require a passcode to unlock: It's annoying, it's valuable time out of your day, and it's really annoying. But passcode protecting your phone is the first step towards securing it. While you don't need a complex password, avoid something basic like "1234".

  • Configure the phone to erase all data after repeated failed logins: Once the passcode is configured, you must give it teeth. Configure the phone to erase all data after a number of failed logins, usually ten. That means a thief, or someone who finds your lost phone, will be very unlikely to access any data on it before it’s wiped.

  • Configure encryption, if needed: Most smartphones are encrypted by default, as of iOS 8 in June 2014, and Android 2.3 in December 2010, whenever a passcode is enabled. But if you're running a very old phone, you'll need to upgrade.

  • Configure updates: While this won't help with a lost phone, it's an important step. After a lucky few years, viruses are now starting to be created for smartphones. Keeping your phone up to date is a key part of preventing any infections.

These tips apply to both iPhone and Android, though the implementation is different between them. Consult your carrier or your IT guy for details. We are in the infancy of smartphones, and the way they are used and the data stored on them will only grow more complex. These steps will prepare you for whatever the future may bring.


Feisal Nanji

A seasoned C-Level Technology Risk expert with over 25 years of experience in developing and executing large information security and product development programs. Feisal brings deep knowledge of regulatory frameworks, technology capabilities and process constraints to consistently deliver quality information risk management programs for large health care institutions. He has served as Interim Chief Security Officer for a 14 Hospital system with over $5 Billion in revenue and conducted multiple security risk assessments for providers of all sizes. At EY he led a team to review and improve the security of an integrated managed care organization’s electronic medical records (EMR) system with over 8 million members and 3 million health records.