Patient data is in jeopardy when mobile devices aren't secure.
Mobile devices aren’t just for personal use anymore; both company-issued and personal devices are used at the enterprise level to conduct company business in all sectors, healthcare included. A person would be hard pressed not to find smartphones, tablets, and laptops in every healthcare facility in the nation.
I am regularly asked if HIPAA permits the use of mobile devices in a working healthcare setting. The Department of Health and Human Services (HHS), in FAQ 2801, states that mobile devices can be used, “as long as appropriate physical, administrative, and technical safeguards are in place to protect the confidentiality, integrity, and availability of the ePHI.”
Before we get to the steps you can take to secure mobile devices, let’s discuss the policy behind mobile device use in your organization. This should be a conscious decision that is well documented and included in your risk assessment. Ask the following questions:
Make sure you address the question of workforce members using their personal mobile devices to access ePHI. With their associated higher risks, you must be prepared to implement adequate security measures related to personal mobile devices.
Once your policies have been defined, any mobile devices used to access ePHI must be secured. The Office of the National Coordinator for Health Information Technology (ONC) offers excellent advice for securing mobile devices on the HealthIT.gov site. I’ll list their main points here and expand on them with practical details.
Passwords, PIN codes, fingerprints, facial recognition: there are many ways to lock a mobile device. Because mobile devices are relatively easy to steal, it’s important not to leave one open for anyone to use. You want to make sure that if a device walks away, it can’t be accessed.
A password alone won’t protect information on a mobile device once that device is in the hands of someone with the right tools and knowledge. Encryption ensures that even if a malicious actor gains access to a mobile device, they won’t be able to read the ePHI stored on it.
Expect that mobile devices will be stolen or lost. As careful as their users might be, the highly portable nature of mobile devices means that theft or loss is very difficult to avoid. Remote wiping, disabling, or both can offer peace of mind if the worst happens.
File sharing applications open up mobile devices to attack by malicious software. They can also offer malicious users a way to access your mobile device without authorization.
Personal firewalls on mobile devices can restrict malicious traffic, but only if they are configured properly. As you install and enable security controls, take the time to understand what protections are offered by various configuration settings.
Security software typically protects against various types of malware, such as viruses and ransomware. Security software is available for all types of mobile devices, including smartphones.
Security software needs to be kept up to date to stay ahead of the ever-evolving threat landscape. Likewise, security updates that are released for operating systems and other types of software are necessary because they are usually released to mitigate the risks associated with newly discovered vulnerabilities. Staying on top of security updates is my top priority for most organizations.
Every application installed on a mobile device increases the potential for introducing vulnerabilities to that device. If an application isn’t required for an approved business function, it should not be installed. All applications should be approved before use.
As mentioned earlier, mobile devices are prone to theft and loss. Include physical control concerns in your risk assessments so you can put security controls in place that mitigate those concerns in your organization. Make sure you train workforce members in proper physical security procedures.
Public Wi-Fi is notoriously vulnerable to attack. Consider restricting mobile devices for use only on secure Wi-Fi networks.
Ideally, you should never store ePHI on mobile devices. There are many options for using mobile devices to access ePHI that is located on a secure server without having to download it to the device. However, if your organization’s policies allow ePHI to be downloaded onto mobile devices, you must have policies and procedures in place to securely delete that data at appropriate intervals and prior to discarding or reusing the device.
Keep in mind that security controls are better when they are centrally managed because you can ensure consistency and have a single place to evaluate devices for potential vulnerabilities.
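To make the central-management point concrete, here is an added example (not code from the original article or from SecurityMetrics, ONC, or HHS) that evaluates a device inventory of the kind an MDM console exports against the controls discussed above: device lock, storage encryption, remote wipe, OS patch level, stale check-ins, and an approved-application list. The inventory records, the minimum OS versions, the seven-day check-in window, and the package names in the allowed-app list are all constructed for illustration and are assumptions, not values from the page.

```python
"""Evaluate a central MDM device inventory against a mobile-device security baseline.

Added example: the thresholds and sample devices below are constructed for
illustration and are not taken from any real organization or MDM product.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Baseline thresholds (assumed values; tune to your own risk assessment).
MIN_OS = {"ios": (17, 0), "android": (14, 0)}   # minimum patched OS per platform
MAX_CHECKIN_AGE = timedelta(days=7)               # older than this, status is unknown
APPROVED_APPS = {"com.example.ehr", "com.example.securemail"}  # hypothetical allow list


@dataclass
class Device:
    """One row as a central MDM console might export it (constructed fields)."""
    device_id: str
    platform: str
    os_version: str
    passcode_set: bool
    storage_encrypted: bool
    remote_wipe_enabled: bool
    last_checkin: datetime
    installed_apps: frozenset


def parse_version(version: str) -> tuple:
    """Turn '17.4.1' into (17, 4, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def evaluate(device: Device, now: datetime) -> list:
    """Return the list of baseline findings for one device; an empty list means compliant."""
    findings = []
    if not device.passcode_set:
        findings.append("no device lock configured")
    if not device.storage_encrypted:
        findings.append("storage not encrypted")
    if not device.remote_wipe_enabled:
        findings.append("remote wipe not enabled")

    minimum = MIN_OS.get(device.platform)
    if minimum is None:
        findings.append(f"unsupported platform: {device.platform}")
    elif parse_version(device.os_version) < minimum:
        wanted = ".".join(str(p) for p in minimum)
        findings.append(f"OS {device.os_version} below minimum {wanted}")

    # A device that has not reported in cannot be trusted to still match its last status.
    if now - device.last_checkin > MAX_CHECKIN_AGE:
        findings.append("stale check-in; current status unknown")

    unapproved = sorted(device.installed_apps - APPROVED_APPS)
    if unapproved:
        findings.append("unapproved apps: " + ", ".join(unapproved))
    return findings


def audit(inventory: list, now: datetime) -> dict:
    """Evaluate every device and map device_id -> findings."""
    return {device.device_id: evaluate(device, now) for device in inventory}


# Constructed sample inventory, evaluated at a fixed point in time for repeatability.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_INVENTORY = [
    Device("tab-01", "ios", "17.4", True, True, True,
           NOW - timedelta(days=1), frozenset({"com.example.ehr"})),
    Device("phone-02", "android", "12.0", False, True, True,
           NOW - timedelta(days=2), frozenset({"com.example.ehr", "com.social.chat"})),
    Device("lap-03", "ios", "17.4", True, False, False,
           NOW - timedelta(days=30), frozenset()),
]

if __name__ == "__main__":
    for device_id, findings in audit(SAMPLE_INVENTORY, NOW).items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"{device_id}: {status}")
```

Run as-is, the script reports `tab-01` as compliant, flags `phone-02` for the missing lock, the outdated OS, and the unapproved app, and flags `lap-03` for unencrypted storage, no remote wipe, and a stale check-in. Because everything is evaluated from one inventory with one set of thresholds, the output is the "single place to evaluate devices" the paragraph above describes; swapping in a real MDM export only changes how the `Device` records are built.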
Once you have the basics in place, consider going further with your security controls. The National Institute of Standards and Technology (NIST) has released the following guidelines that can be used to secure patient information on mobile devices: