NIST publishes guidance for securing health records on mobile devices

How can health care providers secure mobile devices that physicians and other professionals use to send information about patients?

That’s the question at the center of a so-called practice guide published recently in draft form by the National Institute of Standards and Technology (NIST). Between now and Sept. 25, NIST seeks public comment on the guide, which illustrates how providers can assess cyber threats and secure electronic health records on smartphones, tablets and laptops, as well as the servers to which such equipment connects.

The effort reflects the reality that electronic health records, whose adoption and use the federal Health Information Technology for Economic and Clinical Health Act (HITECH Act) aims to spur, can be accessed in ways that compromise both privacy and patient care. According to NIST:

“Cost and care efficiencies, as well as incentives from the HITECH Act, have prompted health care groups to rapidly adopt electronic health record systems. Unfortunately, organizations have not adopted security measures at the same pace. Attackers are aware of these vulnerabilities and are deploying increasingly sophisticated means to exploit information systems and devices.”

At issue is the susceptibility of electronic health information to intrusion. NIST cites a report published in May by the Ponemon Institute that found malicious hacks on health care organizations now outnumber accidental breaches, and that the number of criminal attacks grew 125% in the last five years.

As the law firm King & Spalding notes, so far this summer the U.S. Department of Health and Human Services has logged 34 breaches of protected health information that each affected 500 or more people. Incidents include an attack on a server that held records for roughly 390,000 people at Medical Informatics Engineering, a software company in Indiana; the theft of a desktop computer containing health records for more than 12,500 people at Montefiore Medical Center in New York; and a cyberattack in June on UCLA Health System, where intruders made off with information for as many as 4.5 million people.

The practice guide proposed by NIST addresses such scenarios as the theft or loss of devices that had access to electronic health records; attacks on the networks of health care organizations, whether by hackers or intruders who gain access to the premises; installation of malware; or users who walk away while logged in to devices.

The guide, which is voluntary for stakeholders, mirrors a framework that NIST is developing pursuant to an order for reducing cyber risks to infrastructure that President Obama issued in February 2013. Federal law requires providers to assess risks to electronic health information regularly.

Unlocked

(Photo by superstrikertwo, Wikimedia Commons)

It’s Sunday, about 1:30 pm, and I’ve been to three wireless stores since noon.

The journey has taken me from 125th St. in Harlem to 86th and Broadway to 71st Street.

Reason for my trip: to activate an iPhone 4 that I’ve had for the past four-and-a-half years, the last two of which it occupied a shelf above my desk.

My girlfriend is visiting from South Africa. She uses a US phone on this side.

She had a phone that ran on Verizon—one of those clamshell designs—that she lost on a recent visit. She kept the number, which her sister paid for monthly. My girlfriend says she has no attachment to the number except that her boss knows it. He calls her on it.

For a week she went without a phone. To reach her, I texted her via Skype to her MacBook. But today she’s off to Boston, which her employer calls home.

She needs a phone that works. Cue the iPhone 4, which I charged in anticipation of her visit.

I misremembered that I had bought the phone from AT&T, thinking instead that it came from Verizon Wireless. That mistake explains everything that ensued.

The saga began a day earlier, at a T-Mobile store at 96th and Broadway. We brought the iPhone there to buy a SIM card that would activate the phone on T-Mobile’s network, where we—or more accurately T-Mobile—would carry over my girlfriend’s number from Verizon.

The sales representative at T-Mobile snapped a new SIM card off from a credit card-sized piece of plastic, inserted it into the phone and turned on the device. We brightened momentarily before realizing the phone would not work.

“It’s locked by Verizon,” the representative told us, repeating the misinformation I had supplied inadvertently. “There’s nothing we can do. You have to take it to Verizon.”

“What’s the lowest-priced phone you have?” my girlfriend asked him. He showed her a phone that runs on Android and cost $20.

“I’ll take it,” my girlfriend said. At least she would have a phone, no matter how little it resembled a phone that she might want.

At home Saturday night, my girlfriend’s sister, a different sibling than the one who preserved the phone number, and I researched how to unlock a phone from Verizon.

On Sunday morning, equipped with the information, I called Verizon. The first representative I reached told me that Verizon cannot unlock a smartphone that ran on its network. That didn’t seem right.

I called again. A different representative gave me two six-digit codes that he said I could use to unlock the phone. “These will cost you money if you go online to sites that sell unlocking,” he offered before directing me to an article in Gizmodo about how to unlock an iPhone 4.

That didn’t help either.

I decided to take the phone to the Verizon Wireless outpost on 125th St. The place opened at noon. I resolved to be first in line.

I arrived at the store, located at the corner of 125th St. and Adam Clayton Powell Jr. Blvd, about 10 minutes early. While I waited, I met AGR, a rapper who was hawking “King of the Industry,” his latest disc. “I’m working with RZA of Wu-Tang,” AGR told me, without commenting on the symmetry between the number of initials in their monikers.

For $10, I could own a copy of AGR’s latest, which, he explained to me, contains no references to sex or drugs. “But aren’t drugs and sex subjects for art too?” I asked him.

“Yes, but what am I going to do, rap to the kids about using crack?” he replied. Rather than press the point, I forked over $10 in exchange for the disc, which AGR autographed to my girlfriend.

I hope she likes it.

By then it was noon and I saw the manager at Verizon Wireless kneel to unlock the double doors to the store. I construed the gesture as a metaphor for what awaited my phone.

I bounded inside. She asked how she could help.

“I’d like to ask you to please unlock a Verizon phone that I haven’t used in at least three years,” I explained. “I used to have a contract but that was then. I think you can unlock it now.”

“We can’t unlock the phone unless you are on Verizon,” she replied.

“Isn’t the point of unlocking the phone so that I don’t have to be on Verizon?” I asked. “Besides, refusing to unlock a phone unless I’m on Verizon sounds illegal.”

I imagine the last thing someone who works at a Verizon store on Sundays wants to hear is that what they’re doing is unlawful.

“Companies do it all the time,” she said.

As if that would persuade me.

“Tell you what, maybe you can confirm that the phone is a Verizon phone,” I offered. “Maybe my recollection is wrong.”

“But you told me it’s a Verizon phone,” she said.

“Yes, I did, but perhaps my memory is faulty,” I answered. “It can happen to any of us,” I added, gesturing toward the pedestrians on the street outside.

I held up the phone to her while pressing an icon on the display that flashes the phone’s International Mobile Station Equipment Identity (IMEI number), the 15-digit number that identifies most mobile phones.

The manager gave a look that signaled a mixture of annoyance and resignation. “Please, just confirm that this is a Verizon phone,” I pleaded.

The manager gazed at the number. “It’s a Verizon phone,” she said. “That’s our number, it begins 040.”

I looked at the IMEI, which began 0240.

“Are you sure?” I asked, repeating back to her the digits. “I’m sure,” she replied. “Verizon phones start with 0240.”

I noted her confusion but attributed it to her wanting to be rid of me.

I thanked her and plopped down on a bench at the entrance to the store to map out my next move. I approached the counter again to ask another representative how much it would cost to activate the phone on Verizon’s network.

“That would be $45 a month, for unlimited talk and texts, plus one gigabyte of data,” he told me, looking up from his smartphone.

“Will the number remain in effect if my girlfriend only uses the service a few times a year when she’s in the states?” I asked.

“No,” he said. “The number cancels out at the end of 30 days unless you renew it.”

By now it was 12:15 pm. I had promised my girlfriend I would be home by 3:00 pm with a phone that worked and that she could take with her to Boston later that afternoon.

At 125th St. and Adam Clayton Powell, I hailed a taxi to take me to the Apple Store at 66th and Broadway. I would buy a new iPhone 6 and give my girlfriend my iPhone 5c. I’ve dithered about whether to go with a larger phone. Now seemed like the time.

As the taxi rolled along Central Park West, I gazed out at the buildings on my right. At 102nd St., we passed an apartment building where seven years ago I took guitar lessons from a musician who lived there. He once played in the band for the show “Rent.” He also liked to play tennis and would regale me with stories about matches he played on the red-clay courts in Riverside Park.

At around 96th Street a better idea came to me. Rather than buy a new phone, I would return to Verizon and activate the iPhone 4 on the carrier’s network. My girlfriend could bring both the T-Mobile phone and the iPhone with her to Boston. She would have to tote two phones but at least one of them appealed to her.

After her business trip, I would hold onto the iPhone 4. That way I could have a phone to use for calls and another—my iPhone 5c—for podcasts, music and all the rest of the things we do with those devices. All for $45 a month, which, while not free, beat the cost of a new phone.

I asked the driver to let me out at 86th and Broadway. Rather than return to Harlem and the manager whom I was persuaded hated me, I would find a Verizon Wireless store on the Upper West Side.

First, I had to use the restroom. I walked north along Broadway, expecting to find one of the Starbucks locations that litter Broadway what seems like every five blocks. Sure enough, I found one after about three.

Inside, a man who appeared to be about 60 years old waited for the restroom, the door to which displayed the red dial that signaled it was occupied. He had close-cropped silver hair and wore shorts and a t-shirt with something that I couldn’t decipher printed on it.

“You’re in line, right?” I offered.

“I am,” he answered smiling, seemingly appreciating my checking with him.

After about 30 seconds I spoke up.

“The city needs more public restrooms,” I said. “It’s ridiculous that we all wait on line in Starbucks.”

The man brightened.

“I agree,” he said. “You wonder what people do in there. The guy who was in line before me gave up and left.”

“I don’t get why people take so much time,” I volunteered. “The last place I want to be is holed up in a bathroom at Starbucks.”

By then another gentleman, an African-American man who appeared to be about 50, had joined the line.

“We think someone’s taking a shower in there,” I said to him.

“It’s terrible,” he said. “The way some people stay in there so long.”

“Right, that’s what we were just discussing,” I replied, gesturing to the man ahead of me in the queue.

The three of us waited silently for about five minutes. Then the African-American man walked forward and rapped solidly on the door. No reply.

“Maybe someone should check to see if the person inside is conscious,” I offered.

“This is ridiculous,” said the man, returning to the queue.

“Have you seen the public restroom they installed recently on the east side of Union Square?” I asked them, proud of my offering some information that might be of value in the future. “We need more of that. Or like the restrooms at Bryant Park. Standing in line at Starbucks is hardly a substitute.”

Both men nodded in agreement.

I was on a roll. “I should run for City Council on a platform to add restrooms across the city,” I said.

“You’d have my vote,” said the man in front of me.

Just then we heard the handle of the bathroom door rattle. A woman, about 50, emerged, looking pale and exasperated.

She shook her head and looked at the man in front of me, as if he alone had interrupted her stay.

“I’ll be fast,” he told me.

“I’ll be fast too,” I told the man behind me.

The man kept his promise. He was in and out in what seemed like 20 seconds. I did the same.

“Take care, man,” I said to the African-American gentleman as I left.

“You too,” he said, cementing our bond.

I stepped outside and onto Broadway, where Google Maps told me there was a Verizon Store at 80th St.

I walked south, glad to be outside on a mild spring afternoon. It was early enough that people seemed happy it was Sunday. They had yet to retreat to their apartments to steel themselves for the week.

A man passed me walking north, carrying an air conditioner that he had purchased at P.C. Richard & Sons, judging by the box. A block later, a young woman drifted over to a shelf of books that a bookseller had pushed onto the sidewalk to attract browsers.

As I approached 80th St., I saw the Verizon store on the opposite side of Broadway. Inside the store, the greeter asked for my name, which he logged on an iPad before telling me that I would be next in line.

I sat down on what I later realized to be the same style of bench that stood near the door at the Verizon store in Harlem. It’s hardly news that parts of Manhattan are being overrun by banks, nail salons and mobile phone stores. I shuddered as I realized that I had experienced the phenomenon from the inside.

In about 10 minutes, a man whose name tag read Jordan sat down next to me, smiled and asked how he could help.

“I would like to sign up for some prepaid Verizon wireless,” I told him, holding out the iPhone 4.

“Great, how do you anticipate using the phone?” he asked.

“For calls, mostly, I think,” I answered, feeling happy that we seemed to be getting somewhere.

Jordan told me the best plan would be one that costs $45 a month. Of course, I knew that already, but I thanked him anyway. By now it was nearly 1:00 pm and I began to calculate how much time I had left before I had to get back to my girlfriend in Harlem.

“May I see your ID?” Jordan asked.

I handed him my driver’s license and hoped that concluding the purchase would be as easy as his swiping my credit card.

“Is this your home address?” Jordan asked, holding the license.

“Yes, it is,” I replied, feeling satisfied with my deciding to update my license after moving last year.

Jordan excused himself to speak with a co-worker, whom I imagined to be a supervisor. I watched the men huddle for about a minute before Jordan returned.

“You say this is a Verizon phone?” he asked me. “Because as far as I can tell it’s not one of ours.”

“But the manager at your other store tells me it’s Verizon,” I replied.

“I’m sorry but it’s not,” he said. “Have you checked with T-Mobile, or with any other carrier? Maybe it’s AT&T or Sprint.”

Suddenly, I remembered.

“Oh, wow, it’s AT&T,” I said as the realization dawned. “Look, Jordan, you know that I wanted to buy Verizon service—you know that I was ready to sign up for prepaid wireless—but if I can unlock this my girlfriend can use her T-Mobile SIM with this phone.”

Jordan said he understood, and that he was happy to help. I wanted to run to the AT&T store, but I paused long enough to thank him again. We shook hands.

Back on Broadway, I headed south, past the Apthorp and Fairway, across the street at Gray’s Papaya, to 71st St., where an AT&T store occupies the northeast corner.

I entered to find two representatives helping customers at the counter while two ladies sat on a window ledge in the far corner of the store that faced the street.

“I imagine you’re waiting,” I said to them, smiling.

“I’ve been waiting for about 30 minutes,” said the younger of the two.

“Have they taken your names?” I asked.

“We think so,” said the other woman.

I approached the counter. “How do we register our visit?” I asked one of the two representatives. She wore a powder-blue polo shirt emblazoned with an AT&T.

She looked up at me distractedly. Just then, a representative in a royal blue polo shirt—a manager I hoped—emerged from the back room.

“How do we register for our visit?” I repeated, this time to him. “There are four of us back here,” I said, motioning to the two women. “We’re wondering.”

“There aren’t four of you,” said the manager.

“I count four—those women, me and this gentleman, here,” I said, gesturing toward a 60-something man hunched over some kind of self-service terminal.

“Have you registered?” I asked a 20-something man whom I had seen when I entered.

“I have,” he said in a European accent, smiling. “Thank you.”

I felt like an organizer. After three wireless stores in 90 minutes, the bureaucracy and procedures started to make sense to me.

The manager asked my name, which he entered into an iPad.

I retreated to the corner to take my place alongside the two women in the queue.

My turn came about 15 minutes later. A 20-something representative—she wore a navy polo shirt, the shades of blue seemed to darken with each representative—approached and asked how she could help.

“I would like to unlock this iPhone 4 that I got from AT&T several years ago,” I told her. “The contract has long lapsed. I don’t even have a phone number for it.”

“You have to put in a request online to do that,” she replied.

“What?” I replied, set back.

“This is the third wireless store I’ve visited today, and now you’re telling me I have to go online? Please, can’t we do this from here?” I implored.

The representative hesitated. Then she escorted me over to an iPad and punched up an online site at AT&T for unlocking phones.

“Go ahead and enter your information here,” she instructed.

I entered the IMEI, my name and email address. Three times I mistyped the captcha, which seemed especially tough to transpose.

After three tries, the representative nudged me aside and entered the phrase.

That produced a message telling me to check my in-box for an email that would confirm the unlocking.

I opened the email on my phone. “Click ok,” the representative told me, enrolling now.

I clicked. A second email arrived telling me that my request for an unlocked phone would be processed within two days.

“They say two days but it can be much faster,” said the representative. “Mine was unlocked the same day.”

That meant I might not be able to unlock the phone for my girlfriend in time for her trip but that eventually we’d get the phone working.

After thanking the representative and leaving the store, I imagined I could ship the phone to my girlfriend in Boston as soon as it worked.

On Broadway, I flagged a taxi to take me home. It was 1:45 pm and I didn’t want to risk the vagaries of weekend subway service.

As the taxi made its way up the West Side Highway, I happened to check my in-box, to see a third message from AT&T, this one congratulating me on my phone being unlocked.

According to the message, to complete the unlocking I needed to connect the phone with its original SIM card to iTunes.

Problem was, I no longer have the original SIM card.

Damn, I thought. Three stores and all that energy and I still may be unable to unlock the phone.

I resolved not to stress about it and to enjoy the ride along Riverside Park on a lovely day.

I called my sister to wish her happy Mother’s Day. I listened to a report by the BBC World Service about the new leader of South Africa’s main opposition.

I settled into the taxi, feeling assured by my effort and the initiative of the driver, who suggested a route that I knew made sense.

At home, my girlfriend gazed up from her work when I entered the apartment. I had stopped at a salad place and brought us both lunch.

I told her that I felt we were close to unlocking the phone, that I needed to try one more thing at the computer.

I went to my desk, inserted my girlfriend’s SIM card from T-Mobile into the iPhone and attached the phone to my computer. I double-clicked on iTunes. A message popped up to tell me that new settings from the carrier were available for download.

That seemed like a good sign. A few seconds after I accepted the settings a screen appeared. “Congratulations, your iPhone is unlocked,” it read.

I ejected the phone, adjusted the brightness of the display and walked into the living room to where my girlfriend sat on the couch, typing on her MacBook.

“Here’s your iPhone,” I said, handing the device to her.

She stood and embraced me. A breeze came through the window