Some brouhaha has been brewing over how the iPhone handles encryption policies with Microsoft Exchange (see the article on InfoWorld). According to InfoWorld, iPhones running a version of the OS prior to 3.1 did not accurately report whether they supported local encryption of the data stored on the device. Some corporate networks mandate encryption for organization-controlled devices that connect to their Exchange servers. Apparently, prior to OS 3.1, the iPhone would report that it was encrypted regardless of whether it actually was, as a way of ensuring that the iPhone would be allowed to connect to the Exchange server.
This fact apparently has some IT and compliance staff in a tizzy, because they may have introduced a number of these devices in place of BlackBerrys on the basis that the iPhone would comply with a local encryption policy or organizational requirement. For example, the Health Insurance Portability and Accountability Act (HIPAA) security regulations, in their technical standards, do address the need for encryption of protected health information (PHI) transmitted over networks. For some organizations, in order to simplify regulatory compliance, establishing a universal mandate that there be encryption between devices outside the corporate LAN and sensitive servers inside the LAN may be the most sensible approach. Of course, if we are talking about email, email received and read is generally not encrypted to begin with, whether it is sensitive or not. That’s because most email users find it too complicated to digitally sign an email with their own personal certificate and to ensure that the receiving party has a way to decrypt the message using the typical certificate-exchange approach to email encryption.
Microsoft Exchange does allow for the transfer of other information (like calendars and tasks), but I seriously doubt many health organizations use the Microsoft calendar to manage patient appointments or would be putting PHI into either of these data types. Most of the PHI action in health care facilities is within their charting and practice management systems, and neither of those usually integrates with or is based on Microsoft Exchange. So, establishing a blanket policy requiring that remote devices controlled by the organization be encrypted before they may connect to corporate resources can be a reasonable approach, but the reality is that HIPAA doesn’t automatically mandate that for iPhones.
There should be a documented risk assessment for iPhones that connect to the corporate network which would evaluate the risk of loss of PHI against the cost of mitigating that by encryption (and perhaps other mechanisms like remote wipe). Encryption should be used if there is a substantial risk of PHI being lost from an iPhone being stolen. But to establish that, the risk analysis would need to evaluate how often these devices are lost per total phones per year, and how many of the lost phones actually had PHI on them. My guess is that the likelihood of this would generally be small for most organizations. The issue, then, is how to make your compliance plan flexible but also enforceable and effective at protecting your PHI. And that, my friends, is the art of information security!
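As an added illustration (not part of the original post), the two points above can be turned into a small inventory check: an iPhone below OS 3.1 claims encryption unconditionally, so its claim is treated as unverified, and the surviving unverified population feeds the loss-rate arithmetic of the risk assessment. The inventory records, field names and figures are constructed for the example, not taken from Exchange or from any real organization.

```python
import re

# Constructed inventory records, loosely in the shape of an ActiveSync device
# report (field names are assumed, not Exchange's own): each device reports its
# OS string and whether it claims on-device encryption.
INVENTORY = [
    {"id": "dev-01", "os": "iPhone OS 2.2.1", "claims_encryption": True},
    {"id": "dev-02", "os": "iPhone OS 3.0", "claims_encryption": True},
    {"id": "dev-03", "os": "iPhone OS 3.1", "claims_encryption": True},
    {"id": "dev-04", "os": "iPhone OS 3.1.2", "claims_encryption": False},
    {"id": "dev-05", "os": "BlackBerry 4.5", "claims_encryption": True},
]

FIXED_VERSION = (3, 1)  # per the post: reporting is accurate from OS 3.1 onward


def parse_version(os_string):
    """Return the dotted version as a tuple of ints, or None if absent."""
    m = re.search(r"(\d+(?:\.\d+)*)", os_string)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def encryption_claim_trusted(device):
    """An iPhone below OS 3.1 reports encryption regardless of reality, so its
    claim carries no information. Other devices' claims are taken at face
    value here, since the post says nothing about them."""
    if not device["os"].startswith("iPhone OS"):
        return True
    version = parse_version(device["os"])
    # Tuple comparison handles 3.1.2 >= 3.1 and 3.0 < 3.1 correctly.
    return version is not None and version >= FIXED_VERSION


def unverified_devices(inventory):
    """Devices a policy cannot treat as encrypted: either the claim is
    untrusted, or the device honestly reports that it is not encrypted."""
    return [d["id"] for d in inventory
            if not d["claims_encryption"] or not encryption_claim_trusted(d)]


def expected_phi_exposures(device_ids, loss_rate_per_year, phi_fraction):
    """The post's risk arithmetic: unverified devices lost per year, times the
    share of those that actually hold PHI. Both rates are figures an
    organization would have to measure itself; none are given in the post."""
    return len(device_ids) * loss_rate_per_year * phi_fraction
```

With the constructed inventory, dev-01 and dev-02 are flagged because their claim is untrusted and dev-04 because it reports no encryption; dev-03 and the BlackBerry pass.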