In today's digital age, mobile devices such as cellphones, laptops, tablets and even smartwatches are commonplace in modern work environments. Even healthcare, a notoriously outdated industry, has begun adopting the use of mobile devices. Considering the usability of mobile devices, their increased use is not surprising. Smartphones, for example, are convenient in their portability and efficient in their productivity. We're no longer bound to an office or a desk to get work done.
However, using mobile devices does come with risks, especially for a healthcare organization. When a mobile device is compromised, so is the data stored on it, including any electronic PHI (ePHI) that has been created, sent or received on the device. If you are in a HIPAA-regulated industry, you must include mobile devices in your enterprise-wide risk analysis. Be sure to train your staff on precautionary measures for mobile devices to reduce the risk of a HIPAA violation.
The risks of mobile devices containing or accessing ePHI
Take a look around you. Odds are, you have a mobile device inches away from you. If you don't have a mobile device near you, do you remember where you put it? One risk of storing ePHI on mobile devices is the fact that they are small and portable. Because of their small size, mobile devices are easier to steal or lose. If your mobile device becomes lost or stolen and you have unsecured ePHI stored on it, you are at major risk of a HIPAA violation. You need to take immediate precautionary measures to avoid being cited for a costly fine.
Personal mobile devices versus work mobile devices
Your organization must clarify whether personal mobile devices can be used for work activities, especially work activities that involve PHI. If this is prohibited, your organization must implement policies to enforce this rule. Covered Entities and Business Associates that do allow personal mobile devices to store or access ePHI must include these devices in their enterprise-wide risk analysis. Furthermore, security measures must be in place to reduce the risk of a HIPAA breach and enhance mobile security.
Configure mobile settings accordingly
One example of a proper security measure is modifying the mobile devices' default settings. Like computer systems, mobile devices ship with default settings. These defaults are often insecure, such as automatically connecting to unsecured Wi-Fi, Bluetooth, cloud storage, or file-sharing network services. To resolve this security issue, organizations must ensure that mobile devices are properly configured and secured before they receive, maintain, create or transmit ePHI.
Train employees in best security practices
Fully securing mobile devices goes beyond choosing the proper security settings. Employees should be trained in securely operating a mobile device so that anyone handling ePHI on a mobile device remains HIPAA compliant. This includes being aware of the dangers of an unprotected Wi-Fi network, such as public Wi-Fi found in airports or coffee shops, and of unprotected cloud storage and file-sharing services. Employees should also be fully trained on what steps to take if their mobile device becomes infected with viruses or malware. Just like any other computer system, malicious software on an infected mobile device can grant cybercriminals access to sensitive information, and exposure of that data would constitute a HIPAA breach. A data breach can also stem from a seemingly harmless mobile app. Some mobile apps request access to contacts, pictures, messages, and other information on your mobile device, then send this data to an external entity, often without notice. To prevent data breaches and HIPAA violations, be sure to regularly review the security of mobile devices and adjust the security measures accordingly. As a covered entity or business associate, you are required by federal law to ensure that ePHI remains protected.
How to protect and secure PHI on a mobile device
In October 2017, HHS released a series of tips for protecting PHI on a mobile device:
- Implement policies and procedures regarding the use of mobile devices at work – especially when used to create, receive, maintain, or transmit ePHI.
- Consider using Mobile Device Management (MDM) software to manage and secure mobile devices.
- Install or enable the automatic lock/logoff functionality.
- Require authentication to use or unlock mobile devices.
- Regularly install security patches and updates.
- Install or enable encryption, anti-virus/anti-malware software, and remote wipe capabilities.
- Use a privacy screen to prevent people close by from reading information on your screen.
- Use only secure Wi-Fi connections.
- Utilize a secure Virtual Private Network (VPN).
- Reduce risks posed by third-party apps by prohibiting the downloading of third-party apps, using whitelisting to allow installation of only approved apps, securely separating ePHI from apps, and verifying that apps only have the minimum necessary permissions required.
- Securely delete all PHI stored on a mobile device before discarding or reusing the mobile device.
- Include training on how to securely use mobile devices in workforce training programs.
With these precautionary measures in place, you will help keep your patients' information safe while remaining HIPAA compliant.