Strong health data security is vital for electronic media and mobile devices that process and/or store ePHI, stressed OCR in its August 2018 Cyber Security Newsletter.
“Anyone with physical access to such devices and media, including malicious actors, potentially has the ability to change configurations, install malicious programs, change information, or access sensitive information – any of these actions has the potential to adversely affect the confidentiality, integrity, or availability of PHI,” warned OCR.
HIPAA covered entities and business associates are required to implement policies and procedures to limit physical access to electronic media and mobile devices as well as to track movement of these devices into, out of, and within a facility.
OCR recommended that healthcare organizations ask the following questions when developing policies and procedures for electronic media and mobile devices:
- Is there a record that tracks the location, movement, modifications or repairs, and disposition of devices and media throughout their lifecycles?
- Does the organization’s record of device and media movement include the person(s) responsible for such devices and media?
- Are workforce members (including management) trained on the proper use and handling of devices and media to safeguard ePHI?
- Are appropriate technical controls, for example, access controls, audit controls, and encryption, in use?
The questions regarding technical controls can be particularly important in avoiding HIPAA fines. OCR levied $4.3 million in fines against Texas-based MD Anderson Cancer Center (MD Anderson) for failing to encrypt its inventory of devices that processed and stored ePHI.
This failure, OCR alleged, resulted in the exposure of ePHI on more than 33,500 individuals when an unencrypted laptop was stolen and two thumb drives were lost. MD Anderson challenged the fines, but an HHS Administrative Law Judge recently upheld them.
OCR noted that organizations can use a variety of methods to govern and track the movement of electronic media and mobile devices.
Smaller healthcare organizations can use manual processes, while larger organizations might require specialized inventory management software and databases. Inventory management products can be used in conjunction with a bar-code system or RFID tags to organize and identify electronic media and mobile devices.
OCR advised healthcare organizations and business associates to consider the following factors in deciding what security measures to implement for their electronic media and mobile devices: size, complexity, and capabilities; technical infrastructure, hardware, and software security capabilities; costs of security measures; and probability and criticality of potential risks to ePHI.
HIPAA requires covered entities and business associates to ensure that ePHI-laden devices and media scheduled for redeployment or final disposition undergo reuse or disposal processes to ensure ePHI cannot be retrieved.
In addition, HIPAA requires covered entities and business associates to have a security management process in place which includes conducting a risk analysis and implementing a risk management process to reduce risks and vulnerabilities.
OCR explained that asset inventory and tracking can help organizations identify, analyze, and manage the risks associated with devices and media used within their environment. This can help them to comply with the HIPAA risk analysis and risk management requirements.
In addition, device and media controls can help organizations respond to and recover from security incidents and breaches. Tracking and controls may enable organizations to identify which devices and media may be affected by a security incident or breach and respond appropriately.
“For example, if hackers gained access to an organization’s network by exploiting a vulnerability present in a particular electronic device, or if a particular type of electronic media was identified to include malicious software, a robust and accurate inventory and tracking process could identify how many devices or media are affected and where they are located,” OCR related.
Armed with this information, a covered entity or business associate can make better use of resources and respond quickly to a security incident or breach involving electronic media or mobile devices, OCR concluded.
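As an added illustration of the inventory-and-tracking process OCR describes (not OCR's text or any vendor's product), the following Python models a minimal device register whose fields follow the newsletter's four questions: location and movement history, responsible custodian, encryption status and disposition. The queries show the three uses the article names: scoping an incident to the affected model, finding ePHI on unencrypted devices, and catching media retired without sanitization. All asset IDs, models and names are constructed sample values.

```python
from dataclasses import dataclass, field

@dataclass
class Device:
    asset_id: str
    model: str
    custodian: str              # person responsible for the device
    location: str
    stores_ephi: bool
    encrypted: bool
    status: str = "in_service"  # in_service | disposed
    sanitized: bool = False     # wiped or destroyed before disposition
    history: list = field(default_factory=list)  # movement/lifecycle log

class Inventory:
    def __init__(self) -> None:
        self.devices: dict[str, Device] = {}
    def add(self, d: Device) -> None:
        d.history.append(f"registered at {d.location}, custodian {d.custodian}")
        self.devices[d.asset_id] = d
    def move(self, asset_id: str, location: str, custodian: str) -> None:
        d = self.devices[asset_id]
        d.history.append(f"{d.location}/{d.custodian} -> {location}/{custodian}")
        d.location, d.custodian = location, custodian
    def dispose(self, asset_id: str, sanitized: bool) -> None:
        d = self.devices[asset_id]
        d.status, d.sanitized = "disposed", sanitized
        d.history.append(f"disposed, sanitized={sanitized}")
    def active(self) -> list:
        return [d for d in self.devices.values() if d.status != "disposed"]
    def affected_by_model(self, model: str) -> list:
        # Incident scoping: active devices of one model, where they are, who holds them.
        return [(d.asset_id, d.location, d.custodian) for d in self.active() if d.model == model]
    def unencrypted_ephi(self) -> list:
        # Technical-control gap: ePHI held on an active device that is not encrypted.
        return sorted(d.asset_id for d in self.active() if d.stores_ephi and not d.encrypted)
    def disposed_unsanitized(self) -> list:
        # Disposition gap: retired media with no sanitization recorded.
        return sorted(d.asset_id for d in self.devices.values() if d.status == "disposed" and not d.sanitized)

def build_sample_inventory() -> Inventory:
    inv = Inventory()  # constructed sample records, not real assets
    inv.add(Device("LT-001", "ModelX", "alice", "clinic-a", True, True))
    inv.add(Device("LT-002", "ModelX", "bob", "clinic-b", True, False))
    inv.add(Device("USB-07", "Flash16", "carol", "records", True, False))
    inv.add(Device("USB-08", "Flash16", "dave", "records", False, False))
    inv.move("LT-002", "clinic-a", "erin")  # laptop reassigned and relocated
    inv.dispose("USB-08", sanitized=False)  # retired without a wipe record
    return inv
```

With the sample data, `affected_by_model("ModelX")` returns both laptops with their current holders, `unencrypted_ephi()` flags LT-002 and USB-07, and `disposed_unsanitized()` flags USB-08.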