With mobile devices quickly becoming an integral part of daily operations at more healthcare organizations, both covered entities and their business associates need to ensure that they fully comprehend BYOD security and overall healthcare mobile security.
Moreover, organizations must understand which options are applicable to their daily needs when it comes to keeping mobile devices, such as laptops, smartphones, and tablets, secure. Facilities should also keep up with recent changes at the federal level that are designed to help healthcare organizations through the implementation process.
For example, the HIPAA Security Rule does not prescribe specific technology solutions for the technical safeguards that apply to mobile devices. HHS does, however, require organizations to implement reasonable and appropriate administrative, physical, and technical safeguards, and to reflect those measures in their standard operating procedures.
“HHS recognizes that covered entities range from the smallest provider to the largest, multi-state health plan,” HHS explains on its site. “Therefore the Security Rule is flexible and scalable to allow covered entities to analyze their own needs and implement solutions appropriate for their specific environments. What is appropriate for a particular covered entity will depend on the nature of the covered entity’s business, as well as the covered entity’s size and resources.”
For example, a small healthcare provider with fewer than 12 doctors and nurses may not allow employees to use their own mobile devices. Such a clinic might decide that it does not need to implement health data encryption on the devices it does issue. Because encryption is an addressable rather than a required implementation specification under the Security Rule, the clinic must then document why encryption is not reasonable and appropriate for its environment and put an equivalent alternative measure in place. The entity may instead choose to focus its technical safeguards on firewalls and multi-factor authentication.
Either way, covered entities must “implement technical policies and procedures that allow only authorized persons to access” ePHI. This will limit who is accessing sensitive information. The same applies to mobile device usage.
Furthermore, hardware, software, and/or procedural mechanisms must be implemented to record and examine access and other activity in information systems that contain or use ePHI.
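The two requirements above, allowing only authorized persons to access ePHI and recording and examining that access, are checked against the same authorization policy. As an added example (not code from the article, from HHS, or from any vendor), the following Python script performs the "examine" half of that requirement: it reads a constructed ePHI access log and flags every record where the action is not permitted for the user's role or where the device is not in the MDM-enrolled inventory. The CSV log format, the role-to-action policy, and the device list are all hypothetical and constructed for this example.

```python
"""Added example (not from the original article): examining an ePHI access
log for activity by unauthorized persons or unmanaged mobile devices.

The CSV log format, the role-to-action policy and the MDM device inventory
are hypothetical and constructed here so the script runs offline.
"""
import csv
import io
from dataclasses import dataclass

# Constructed sample log, as an EHR or mobile gateway might record it.
# Each row records who touched which patient record, from which device.
SAMPLE_LOG = """timestamp,user,role,device_id,patient_id,action
2016-03-01T08:02:11Z,dr.patel,physician,IPAD-0192,P-4471,view
2016-03-01T08:05:40Z,nurse.lee,nurse,IPHONE-7731,P-4471,view
2016-03-01T08:09:03Z,billing.kim,billing,LAPTOP-0021,P-4471,view_notes
2016-03-01T12:14:55Z,dr.patel,physician,ANDROID-9999,P-2210,view
2016-03-01T23:48:10Z,nurse.lee,nurse,IPHONE-7731,P-8830,export
2016-03-01T23:49:01Z,nurse.lee,nurse,IPHONE-7731,P-8831,export
"""

# Hypothetical authorization policy: the actions each role may perform.
ROLE_ACTIONS = {
    "physician": {"view", "view_notes", "order", "export"},
    "nurse": {"view", "view_notes"},
    "billing": {"view_billing"},
}

# Hypothetical MDM inventory: only enrolled devices may access ePHI.
ENROLLED_DEVICES = {"IPAD-0192", "IPHONE-7731", "LAPTOP-0021"}


@dataclass(frozen=True)
class Finding:
    timestamp: str
    user: str
    patient_id: str
    reason: str


def examine(log_text, role_actions=ROLE_ACTIONS, enrolled=ENROLLED_DEVICES):
    """Return a Finding for every record that violates the access policy.

    Two checks are applied to each record:
      1. the action must be permitted for the user's role (an unknown
         role is permitted nothing);
      2. the device must be in the MDM-enrolled inventory.
    A record produces two findings if it fails both checks.
    """
    findings = []
    for rec in csv.DictReader(io.StringIO(log_text)):
        allowed = role_actions.get(rec["role"], set())
        if rec["action"] not in allowed:
            findings.append(Finding(
                rec["timestamp"], rec["user"], rec["patient_id"],
                f"action '{rec['action']}' not permitted for role '{rec['role']}'",
            ))
        if rec["device_id"] not in enrolled:
            findings.append(Finding(
                rec["timestamp"], rec["user"], rec["patient_id"],
                f"device '{rec['device_id']}' is not MDM-enrolled",
            ))
    return findings


def summarize(findings):
    """Count findings per user, the view an auditor would review first."""
    counts = {}
    for f in findings:
        counts[f.user] = counts.get(f.user, 0) + 1
    return counts


if __name__ == "__main__":
    for f in examine(SAMPLE_LOG):
        print(f"{f.timestamp} {f.user:12} {f.patient_id}  {f.reason}")
    print(summarize(examine(SAMPLE_LOG)))
```

Run against the constructed log, the script flags the billing user reading clinical notes, the physician connecting from a device that is not enrolled in MDM, and the nurse exporting two patient records late at night. In a real deployment the log would be the EHR's own audit trail and the role table would come from the identity system; the design point is that the same policy that gates access (the "authorized persons" requirement) is what the audit review compares recorded activity against.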
What is healthcare secure messaging, texting?
Healthcare secure messaging is similar to email, as it is an electronic form of communication. However, there are typically extra security measures to ensure that PHI stays secure. Patients can communicate with their providers, and there can also be provider-to-provider messaging.
Healthcare secure texting replaces standard SMS, which travels through carrier networks unencrypted and leaves no audit trail under the organization's control, with an application that encrypts messages in transit and at rest, authenticates the sender, and retains a record of what was sent. This gives healthcare organizations the ability to communicate sensitive information, such as patient PHI, quickly and securely.
Recently, the Joint Commission on Accreditation of Healthcare Organizations (JCAHO, now The Joint Commission) lifted its ban on the use of secure texting platforms for physician orders, opening up further uses for this type of communication. The practice had previously been prohibited because of concern over unsecured text messages between providers, according to the commission.
“In addition, texting applications were unable to verify the identity of the person sending the text or to retain the original message as validation of the information entered into the medical record,” the commission wrote. “At the time, the technology available could not provide the safety and security necessary to adequately support the use of text messaging for orders.”
Healthcare secure messaging has become an increasingly popular tool for providers. The Office of the National Coordinator for Health Information Technology (ONC) explained in a data brief that secure messaging use increased 30 percent from 2013 to 2014. In fact, 52 percent of physicians said they exchanged secure messages in 2014.
This practice is also increasingly being used for patient communication. ONC found that 51 percent of hospitals in 2014 allowed their patients to send and receive secure messages. Between 2013 and 2014, more hospitals provided patients with the capability to electronically view, download, and transmit their health information: just 10 percent of hospitals provided this option in 2013, while 64 percent of hospitals provided it in 2014.
- Is Healthcare Secure Messaging Necessary for Providers?
- Are Secure Patient Portals a Necessary Step for Providers?
What is BYOD and its potential benefits?
Bring your own device (BYOD) is another important aspect of healthcare mobile security. Under BYOD, an organization allows employees to use their personal devices, which could include smartphones, tablets, or even laptop computers, for work purposes.
BYOD security needs to be a top priority, and staff members at all levels need to be regularly educated and trained on how to ensure that sensitive information, including patient PHI, is not compromised.
For example, as part of a BYOD policy, a healthcare provider may want to implement a mobile device management (MDM) strategy. This can help organizations keep control of their PHI at all times and provide secure client applications, such as email and web browsers. MDM policies can also include remote wipe capability, which is valuable should a device be lost or stolen, with the caveat that a wipe only takes effect once the device reconnects to the MDM service; a device kept offline by a thief is protected only by its passcode and on-device encryption.
“Doctors are actually getting health information via emails and opening them on their cell phones,” attorney K Royal told HealthITSecurity.com. “It may be automatically uploaded to a cloud platform. It starts getting really complicated and really broad when you start looking at how many different ways mobile devices can impact medical care. Both for good and for bad.”
Royal added that the window of exposure for a lost device should not be measured from the time it is reported missing. A phone or tablet should be considered lost from the last time the employee is certain it was in his or her possession.
Healthcare mobile security concerns could also prevent some organizations from implementing BYOD strategies in the first place. A Bitglass survey found that 40 percent of security administrators chose not to participate in the same mobile policies that they enforce for their company.
Furthermore, 78 percent of employees reported that they would be unlikely to participate in a BYOD program if their employer could view their personal applications or location. Sixty-four percent of those surveyed said they would not participate in a work BYOD program if their employer could wipe their personal mobile device to protect proprietary information when they leave the organization.
“Personal privacy issues, changes to the user experience, and complicated deployments have slowed down BYOD adoption, causing many to question BYOD’s future,” the report’s authors stated. “In order to meet the needs of both IT security and employee needs, ensuring secure, widespread adoption of BYOD in the enterprise, it’s time for a data-centric approach to mobile security.”
- Creating Secure Healthcare BYOD Environments, Communication
- How BYOD Mobile Security is Prioritized at OhioHealth
What are the potential healthcare mobile security risks?
As previously mentioned, one of the larger healthcare mobile security risks is that a mobile device could be lost or stolen. If the device stores PHI, then the organization could be faced with a data breach. Under the HIPAA Breach Notification Rule, lost or stolen PHI that was not encrypted in line with HHS guidance is presumed to be a reportable breach, whereas PHI rendered unusable by such encryption is not considered "unsecured" and does not trigger notification.
Theft is consistently among the most common causes of reported healthcare data breaches, according to the OCR breach reporting portal.
This is why physical safeguards are also a key component of maintaining strong mobile security measures. These are the “physical measures, policies, and procedures to protect a covered entity’s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion,” according to HHS.
Along with passwords or encryption options on devices, covered entities need to ensure that the device itself cannot be easily stolen, lost or inappropriately accessed.
Workstation use, workstation security, and device and media controls are among the key standards that make up the physical safeguards.
Organizations “must implement policies and procedures to specify proper use of and access to workstations and electronic media,” and have the necessary policies and procedures “regarding the transfer, removal, disposal, and re-use of electronic media, to ensure appropriate protection of electronic protected health information.”
- A Review of Common HIPAA Physical Safeguards
- Top 5 Healthcare Data Breaches in 2016 Not From Hacking