Mobile Device Security: 5 Best Practices to Avoid HIPAA Violations

Mobile devices have become a vital part of the healthcare process. Studies show 84% of physicians are using smartphones for professional purposes. However, the increased use of these devices in medical practices may be placing patient data at risk.

Devices such as smartphones, tablets, USB (thumb) drives, and laptops used in a practice can contain protected health information (PHI). Even the simple act of checking your email on a smartphone could expose PHI, and result in a HIPAA violation.

Even worse, losing your device can result in a devastating breach. In fact, lost and stolen devices are the #1 reason for patient data breaches of more than 500 records.

HIPAA and Mobile Devices

Reading test results, confirming patient appointments via text message, and viewing x-rays are just a few of the ways healthcare providers are using mobile devices in their practices. While HIPAA regulations do not specifically spell out guidelines for mobile device use, they do specify how PHI must be protected.

The HIPAA Security Rule requires “appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.”

Administrative: Over half of the HIPAA security rules are related to Administrative Safeguards. These safeguards allow a healthcare organization to define the policies and procedures around its PHI data: for example, how often the practice reviews system activity, its mobile device policies, and how it monitors risks.

Physical: Securing the environment where PHI data is stored is critical to the overall security strategy. Beyond locks for doors and windows, this means identifying potential facility risks that could interrupt business continuity, such as a natural disaster. Physical safeguards also include knowing which systems, mobile devices and smartphones are connected to the network.

Technical: Developing, implementing and enforcing technical safeguards has never been more critical. With the rapid increase of malware and ransomware targeting healthcare, there is no room for errors in oversight. Protecting mobile devices from being compromised, and protecting the PHI data residing on those devices, needs to be urgently addressed.

Policies and Procedures

The Office of the National Coordinator for Health Information Technology outlines a five-step process for healthcare providers to manage mobile devices. It includes the following:

  1. Decide
    Decide if mobile devices will be used and given access to your network/EHR system. Define how they will be used in the flow of PHI; will they have a dual purpose for healthcare related work and personal usage? Do you allow remote access to PHI? Do files such as patient images stay on the phone, iPad or laptop and get backed up?
  2. Assess
    Examine the risk (threats and vulnerabilities) mobile devices pose to your organization. Will they leave the healthcare environment? Can they connect to public WiFi networks which innately have a higher security risk?
  3. Identify
    Create a mobile device risk management strategy that includes privacy and security safeguards. Are these devices being monitored for security breaches? If so, who receives breach alerts and device health-status notifications?
  4. Develop, Document, and Implement
    Develop, document, and implement mobile device security policies and procedures. Be sure to specify the security measures required, from complex passwords to encryption, and know how to react if a device is compromised.
  5. Train
    Conduct mobile device security training for staff. Make sure they understand the risks associated with connecting to different networks, such as public networks at coffee shops or even the guest networks within a hospital.

To learn more about Mobile Device and Health Information Privacy and Security, visit the U.S. Department of Health and Human Services Privacy and Security website for videos, FAQs, case studies and more.

Device Security Best Practices

  1. Enable user authentication
    Healthcare providers should use any and all available methods (passcodes, biometrics, etc.) to lock the device, ensuring only authorized users can gain access. Four-digit passcodes are better than nothing; however, a more secure option is to bypass the typical four-digit code via device settings and implement an eight-character password. Decide how often passwords are changed. Define a number of failed login attempts after which the data on the mobile device is remotely wiped. Determine a session timeout length so that the device locks after a defined amount of time not in use.
  2. Employ encryption
    HIPAA requires healthcare entities to implement a method to encrypt and decrypt electronic PHI. Protect information stored on and sent by mobile devices with either built-in or add-on encryption tools.
  3. Activate remote lock and wipe capabilities
    In the event that a device is lost or stolen, you should have the ability to immediately remove all data from the device, or to lock it after an excessive number of incorrect login attempts. If your iOS device, Apple Watch, or Mac is lost or stolen, you can erase it, provided you set up Find My iPhone on the device before it was lost. Android devices offer an equivalent remote-management feature.
  4. Update software regularly
    It only takes one vulnerability in a completely unrelated app to allow an attacker to access your device and expose PHI. Timely updates to both operating systems and apps help close known software and hardware vulnerabilities. Approval of apps for mobile devices and smartphones should be closely monitored, and approved apps should always be kept updated.
  5. Frequent employee training
    "Set it and forget it" is NOT a good rule of thumb for HIPAA policies. Ensure your practice holds regular policy and procedure training to help your employees understand and follow proper HIPAA guidelines when using mobile devices.

HIPAA Violation in Action

Smartphones can benefit healthcare professionals in many ways, data capture and efficiency of care included. However, they can have significant security ramifications if not managed correctly. Consider, for example, a physician using a personal iPhone to dictate procedures, record patient exams, and take before-and-after photos.

Since the phone was linked to the family iCloud account, a family member signed in to that account to watch a movie on his friend's Apple TV. After the movie, they left the room without turning off the TV. Once the Apple TV had been idle for a period of time, it began rotating pictures from iCloud as an active screensaver. Much to everyone's surprise, when they re-entered the room they were confronted with very graphic clinical pictures.

From a HIPAA standpoint this is a clear violation. It is also a good lesson in why it is so important to separate personal devices from the healthcare workflow. As a side note, backing up iPhone or iPad data to iCloud is not a HIPAA compliant solution. Yes, you are backing up the patient data; however, Apple will not sign a Business Associate Agreement with a provider or other covered entity, which breaks the chain of PHI data protection.

Get Help from the Experts

Acting on the above recommendations is just a start. To keep your patients and your practice safe, staying vigilant when it comes to mobile device security is a must. Schedule an IT checkup to see where your organization stands on data security, or talk to our team of experts if you need assistance in any of these areas.
