Healthcare Information Security

Mobile News

How Improper Off-Site Policies Impact Mobile Health Security

A recent study found that only about one-third of organizations have data security policies for off-site work, which indicates that mobile health security may be at risk.

By Jacqueline Belliveau

- For many providers, quality healthcare extends beyond the hospital walls, especially with the introduction of smart phones and mHealth technologies. However, as more healthcare organizations adopt mobile strategies, providers are becoming more concerned about mobile health security.

Mobile health security affected by lack of off-site policies

As the annual Shred-It State of the Industry report showed, most organizations across all industries are struggling to implement proper mobile security policies that robustly protect confidential information.

Only 31 percent of C-Suite executives and 32 percent of small business owners surveyed stated that their organization had an information security policy for both off-site work environments and flexible working areas.

“Without ongoing training and comprehensive policies for remote and flexible workplaces, businesses are at risk,” said Shred-It Global Director Andrew Lenardon. “Although employees want increased flexibility and the ability to work remotely, business leaders must ensure that the right information security and training protocols are in place to protect confidential customer and business data.”

With more companies allowing employees to go virtual, researchers anticipate the US to have 105 million mobile workers by 2020. As some workplaces implement mobile work policies, companies are facing many mobile security challenges.

The survey reported that 92 percent of C-suite executives and 58 percent of small business owners allow some employees to work on a flexible or off-site location.

Despite the popularity of mobile work models, the majority of participants did not have comprehensive mobile security strategies to secure customer and business data, especially with legacy devices.

Legacy hardware, or devices that are no longer in use, are a major risk for theft and inadvertent exposure of data. Yet, only about half of the C-suite respondents reported that their organization used a professional destruction service to eliminate legacy devices, which is a well-known best practice.

Small businesses fared even worse with legacy hardware. Thirty-seven percent of participants stated that their organizations wiped or degaussed legacy devices on-site, which increased the likelihood of disclosing confidential information when the device was reused.

Furthermore, many participants failed to regularly dispose of mobile devices containing protected data. While 76 percent of executives explained that their businesses destroyed hardware every two to three months, 60 percent of small business owners performed this best practice once a year or never.

“The only proper way to protect information is to physically destroy the hard drive - simply wiping the device does not ensure sensitive information is completely removed,” stated Lenardon. “Implementing security policies that address how digital devices are stored and destroyed is vital for any sized organization to help address the additional risks associated with mobile working.”

Additionally, researchers found that data security for paper documents has decreased since last year. About 46 percent of C-Suite leaders admitted to implementing policies for eliminating confidential documents that applied to all employees, which represents a 17 percent decrease from 2015.

For healthcare organizations, mobile health methods are not just about doing business outside of traditional care facilities. Many providers use end-point devices or web-based tools to deliver quality care, contact patients and other employees, store PHI, and engage patients.

However, mobile security has not improved as quickly as the technology. A recent study from BMC Medicine found that 66 percent of mHealth apps that sent identifying information over the Internet did not use encryption and 20 percent did not implement a privacy policy.

Another report discovered that the majority of healthcare organizations are not using a HIPAA compliant secure messaging platform.

Healthcare mobile security can also be more complicated than the average non-IT employee may realize.  Just by receiving a call, text, or email with healthcare data to a phone can cause the information to be automatically uploaded to a cloud platform or other connected devices, explained CellTrust Assistant General Counsel Vice President K Royal to

The Shred-It study advised that companies enforce mobile security guidelines, such as limiting what documents can leave the office, encrypting all phones and hard drives, implementing passwords on electronic devices, regularly disposing of legacy hardware, employing third-party providers to destroy inactive devices, and providing on-going employee training.

Specifically, healthcare organizations should also follow HIPAA rules to further protect mobile devices, including technical safeguards and cybersecurity frameworks.

While many providers are focused on using the latest and greatest technologies to improve care delivery, healthcare organizations must also ensure that new devices are properly secured and follow strict PHI security regulations, whether or not providers are in the hospital or on-the-go.

Dig Deeper:

What Are Top Mobile Health Security Concerns in 2016?

Top Tips for Creating a More Secure Mobile Healthcare Worker


SIGN UP and gain free access to articles, white papers, webcasts and exclusive interviews on

HIPAA Compliance
Data Breaches

Our privacy policy

no, thanks