More healthcare organizations are utilizing smartphones, laptops, and tablets for daily operations, but failing to include these devices in an enterprise-wide risk analysis could lead to mobile device security issues.
Entities need to maintain ePHI security, and understanding the potential risks associated with mobile devices is a key part of that, OCR stressed in its recent cybersecurity newsletter.
“Due to their small size and portability, mobile devices are at a greater risk of being lost or stolen,” stated the OCR October newsletter. “A lost or stolen mobile device containing unsecured ePHI can lead to a breach of that ePHI which could trigger HIPAA breach notification obligations for a HIPAA covered entity or its business associate (the entity). Additional risks could arise when using personal mobile devices to store or access ePHI.”
More potential security risks arise when ePHI is actually stored on mobile devices, OCR added. All company policies need to be clearly established and part of the employee training process to ensure that staff members at all levels know how to maintain ePHI security on mobile devices.
“Entities permitting the use of personal mobile devices must include such devices in their enterprise-wide risk analysis and implement security measures sufficient to reduce those risks to a reasonable and appropriate level,” OCR said.
Organizations should also be aware of device default settings, as they can often be less secure. For example, Wi-Fi, Bluetooth, cloud storage, or file sharing network services may be unsecured in their default settings. Mobile devices must be “properly configured and secured before allowing the device to create, receive, maintain, or transmit ePHI,” the agency advised.
Employee training also needs to include discussions of viruses and malware. Individuals must understand that malicious software can wreak havoc on mobile devices, just as it can on a desktop computer.
“Access to information on mobile devices need not be limited to nefarious actions by malicious software, but could also originate from more mundane applications,” OCR warned. “A seemingly innocuous mobile app or game could access your contacts, pictures or other information on your mobile device and send such data to an external entity without your knowledge.”
OCR also suggested that covered entities consider using Mobile Device Management (MDM) software to manage and secure mobile devices. MDM can include OS configuration, device provisioning, and remote access for troubleshooting.
Essentially, organizations need to ensure that their HIPAA technical safeguards account for mobile device security. For example, automatic lock/logoff functionality, authentication to use or unlock mobile devices, and regular security patches and updates will be critical for keeping ePHI secure on mobile devices.
Data encryption, anti-virus/anti-malware software, and remote wipe capabilities should also be key considerations, OCR stated.
The HIPAA Security Rule does not outline specific technical safeguards for organizations, but instead states that these safeguards are “the technology and the policy and procedures for its use that protect electronic protected health information and control access to it.”
Entities need to utilize technical measures that are applicable to their organization and its daily operations. If a small practice does not have a BYOD policy, and its doctors do not use smartphones or tablets for patient care, then that practice will likely not need to consider remote wipe capabilities on physicians’ phones.
OCR also listed the following tips for ensuring mobile device security:
- Use a privacy screen to prevent people close by from reading information on your screen
- Use only secure Wi-Fi connections
- Use a secure Virtual Private Network (VPN)
- Reduce risks posed by third-party apps by prohibiting the downloading of third-party apps, using whitelisting to allow installation of only approved apps, securely separating ePHI from apps, and verifying that apps only have the minimum necessary permissions required
- Securely delete all PHI stored on a mobile device before discarding or reusing the mobile device
Covered entities and their business associates can greatly benefit from using mobile devices. However, organizations must also understand that potential risk factors will arise along with the convenience of quickly accessing data from anywhere.
Implementing necessary and applicable policies and procedures for mobile device security, and then instilling those policies and procedures into regular workforce training will be essential for maintaining ePHI security.