What is the best HIPAA mobile device policy?

There has been a huge rise in the number of healthcare workers and other HIPAA-covered entities relying on mobile technology in their day-to-day lives. This rise has seen an increasing use of smartphones, tablets and other portable devices in hospitals, clinics and other places of work. These technological advances have allowed for increased efficiency and improvements in patient care. However, the use of mobile devices brings new issues in data security. If security measures are insufficient, covered entities are at risk of violating HIPAA regulations. If that occurs, heavy fines can follow.

Mobile Devices and the Healthcare Industry

Many healthcare organizations choose to leverage the benefits of mobile devices while keeping costs to a minimum. Bring Your Own Device (BYOD) schemes are introduced that permit physicians, nurses and other healthcare workers to bring their own personal devices and use them at work. Up to 80% of healthcare professionals now claim that they are reliant on such devices to complete tasks in the workplace efficiently. Others opt to supply mobile healthcare devices to their staff; while more expensive, this makes it easier to maintain control over the devices and to protect their networks from unauthorized access and data breaches.

Any HIPAA-covered entity that chooses to use mobile devices in the workplace must implement several controls to protect any patient health data that can be accessed through the device, stored on it, or transmitted by it to another device.

Mobile Devices and HIPAA Violations

Mobile healthcare devices are a convenient way of improving patient care, but many risks are associated with their use. With hundreds or thousands of mobile devices now requiring access to a healthcare network, it is no surprise that mobile data security and HIPAA compliance have become two of the biggest concerns for CIOs, CISOs, Compliance Officers and health IT professionals, since the integrity of thousands of patients’ PHI is at risk of a breach.

Furthermore, even if secure messaging software is installed on the mobile devices, there is considerable potential for the users of those devices to violate HIPAA rules or company policies. Without adequate controls, devices could be compromised, and the electronic Protected Health Information (ePHI) stored on them exposed. There is also considerable potential for smartphones, tablets and laptops to be targeted by cybercriminals. Because they are easy access points into healthcare networks, covered entities must take considerable action to ensure that the devices have the appropriate protective measures installed so that this does not happen.

Mobile healthcare devices often lack robust security controls, and as the devices are used to connect to networks via public Wi-Fi, there is potential for hacking through these unsecured networks. There is always the potential for theft, or for loss through human error. If patient privacy violations and HIPAA penalties are to be avoided, it is essential that mobile data security risks are thoroughly assessed and addressed.

Mobile Data Security: HIPAA Compliance Basics

One of the main aims of HIPAA legislation is to protect the privacy of patients and health plan members. HIPAA regulations require healthcare organizations and individual care providers to adopt a minimum set of standards to protect the privacy of patients and keep data secure, or face hefty fines or even jail terms in the most serious cases.

Fines of up to $1.5 million – per violation category, per year that the violation has been allowed to persist – can be issued by the Department of Health and Human Services’ Office for Civil Rights (OCR). Recently, state attorneys general were given the power to prosecute CEs that fail to comply with HIPAA regulations. There is also the considerable cost of a breach response to cover if data is potentially exposed.

HIPAA Security Rule: Risk Assessments

The HIPAA Security Rule makes a risk assessment mandatory when mobile devices are used to transmit patient ePHI. It is possible to construct robust security defences by incorporating all the standard defence measures: firewalls, anti-virus protection, anti-malware programs, authentication and password controls. However, unless a full risk assessment has been conducted, it is impossible to know whether security vulnerabilities remain despite the actions taken by the CE.

A risk assessment must cover the entire IT infrastructure, company policies, administrative processes, physical security controls, and all systems and equipment capable of storing, transmitting or touching ePHI. The HHS offers a risk assessment tool to assist in this process and to ensure that a thorough and efficient risk assessment is performed.

As hackers find new ways to exploit networks and mobile devices to steal data, healthcare organizations must work at maintaining and improving security defences. They must address new vulnerabilities that are inadvertently introduced, or develop over time as equipment and software ages. Risk assessments must therefore be conducted regularly to comply with HIPAA.

Technical Safeguards for Mobile Devices

In the HHS’ HIPAA Security Series Guidelines, covered entities are informed that they “must consider the use of encryption for transmitting ePHI, particularly over the Internet.” HIPAA-covered entities are further required to “Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.”

It is not mandatory to encrypt data at rest. However, the advice given in the HHS Security guidelines regarding data in motion states “As business practices and technology change, situations may arise where ePHI being transmitted from a covered entity would be at significant risk of being accessed by unauthorized entities.”

The HHS Guidelines go on to say, “Where risk analysis shows such risk to be significant, a covered entity must encrypt those transmissions under the addressable implementation specification for encryption.”

If covered entities allow the transmission of ePHI over an open network, such as via SMS messages, this would violate HIPAA rules, as such a channel is not deemed sufficiently secure: there is considerable potential for ePHI to be intercepted by unauthorized individuals. To avoid a HIPAA violation and reduce the probability of a data breach, ePHI should only be transmitted via a secure channel with end-to-end encryption.
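To make the contrast between an open channel and an encrypted one concrete, the following is an added example (not code from the original article or from any particular secure-messaging product). It seals a constructed, fictitious ePHI message with AES-256-GCM, so that a network observer sees only ciphertext, and shows that the authentication tag causes any altered message to be rejected rather than delivered. The key, the sample message and the sender/recipient header are all constructed for the demo; real deployments provision keys through the device keystore or a key-management service.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// NewKey returns a fresh random AES-256 key. Demo only: a real deployment
// derives or provisions keys through a key-management process.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// SealMessage encrypts plaintext with AES-256-GCM under key. A random nonce is
// prepended to the output; the GCM tag binds the ciphertext and the associated
// data (here a routing header that stays readable but cannot be altered).
func SealMessage(key, plaintext, associated []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, associated), nil
}

// OpenMessage reverses SealMessage. It fails closed if the nonce, ciphertext,
// tag or associated data were modified in transit.
func OpenMessage(key, sealed, associated []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("sealed message too short")
	}
	nonce, ct := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, associated)
}

// TamperedMessageRejected flips one bit of a sealed message and reports
// whether OpenMessage refuses it (true means the integrity check works).
func TamperedMessageRejected(key, sealed, associated []byte) bool {
	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)-1] ^= 0x01
	_, err := OpenMessage(key, tampered, associated)
	return err != nil
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample ePHI; the patient name and MRN are fictitious.
	msg := []byte("Patient Jane Doe (MRN 000000): lab result ready for review")
	hdr := []byte("from=dr.smith;to=nurse.lee") // authenticated, not encrypted
	sealed, err := SealMessage(key, msg, hdr)
	if err != nil {
		panic(err)
	}
	fmt.Printf("on the wire (%d bytes, first 16 shown): %x...\n", len(sealed), sealed[:16])
	plain, err := OpenMessage(key, sealed, hdr)
	fmt.Printf("recipient reads: %q (err=%v)\n", plain, err)
	fmt.Println("tampered copy rejected:", TamperedMessageRejected(key, sealed, hdr))
}
```

The routing header is passed as associated data rather than encrypted, so intermediaries can still deliver the message while any change to sender or recipient invalidates the tag. This is a per-message building block; a complete secure messaging system still needs key exchange between devices and a transport such as TLS.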

Data Access, Integrity and Audit Controls for Mobile Devices

HIPAA requires covered entities “to implement technical policies and procedures that allow only authorized persons to access Protected Health Information.” If mobile devices are used to access, store or transmit ePHI, they must have access controls in place to authenticate the user. Multi-layered security controls should be implemented to reduce the risk of unauthorized data access.

Any data stored on a mobile device – or transmitted by it – must have protections in place to ensure the data cannot be altered or destroyed. Further controls must be implemented to allow the devices to be audited. It must be possible to examine access to ePHI (including failed access attempts), and any other activity performed on the device that has the potential to affect data security.
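The audit requirement above is easier to picture with a small implementation. The following is an added example, not code from the article or from any vendor: a hash-chained audit log in which every access to ePHI from a device, allowed or denied, is recorded, each entry carries an HMAC that also covers the previous entry's HMAC, so editing or deleting an earlier line is detectable, and a helper summarises denied attempts per device. The device IDs, user IDs, record IDs and the HMAC key are constructed for the demo; in a real deployment the key and the log itself would be kept off the device, for example on the server that brokers access.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"time"
)

// AuditEntry records one attempt to reach ePHI from a mobile device.
type AuditEntry struct {
	Time     time.Time
	DeviceID string
	UserID   string
	Action   string // e.g. "login", "view", "export"
	Record   string // pseudonymised patient record id, empty if none
	Allowed  bool
	MAC      string // HMAC over this entry and the previous entry's MAC
}

// AuditLog is an append-only list of entries chained by HMAC.
type AuditLog struct {
	key     []byte
	entries []AuditEntry
}

func NewAuditLog(key []byte) *AuditLog { return &AuditLog{key: key} }

// mac computes HMAC-SHA256 over the entry fields plus the previous MAC.
func (l *AuditLog) mac(e AuditEntry, prev string) string {
	h := hmac.New(sha256.New, l.key)
	fmt.Fprintf(h, "%s|%s|%s|%s|%s|%t|%s",
		e.Time.UTC().Format(time.RFC3339Nano), e.DeviceID, e.UserID,
		e.Action, e.Record, e.Allowed, prev)
	return hex.EncodeToString(h.Sum(nil))
}

// Record appends an entry. Denied attempts are logged just like allowed ones.
func (l *AuditLog) Record(device, user, action, record string, allowed bool) {
	prev := ""
	if n := len(l.entries); n > 0 {
		prev = l.entries[n-1].MAC
	}
	e := AuditEntry{Time: time.Now(), DeviceID: device, UserID: user,
		Action: action, Record: record, Allowed: allowed}
	e.MAC = l.mac(e, prev)
	l.entries = append(l.entries, e)
}

// Entries exposes the stored entries (used below to simulate tampering).
func (l *AuditLog) Entries() []AuditEntry { return l.entries }

// Verify recomputes the chain and returns the index of the first entry whose
// MAC no longer matches, or -1 if the whole log is intact.
func (l *AuditLog) Verify() int {
	prev := ""
	for i, e := range l.entries {
		if !hmac.Equal([]byte(l.mac(e, prev)), []byte(e.MAC)) {
			return i
		}
		prev = e.MAC
	}
	return -1
}

// DeniedAttempts counts failed access attempts per device, the kind of
// summary an auditor or a monitoring rule would review.
func (l *AuditLog) DeniedAttempts() map[string]int {
	out := map[string]int{}
	for _, e := range l.entries {
		if !e.Allowed {
			out[e.DeviceID]++
		}
	}
	return out
}

func main() {
	audit := NewAuditLog([]byte("demo-audit-key-not-for-production")) // constructed
	audit.Record("tablet-17", "nurse.lee", "view", "pt-4821", true)
	audit.Record("phone-03", "unknown", "login", "", false)
	audit.Record("phone-03", "unknown", "login", "", false)
	fmt.Println("first bad index (-1 = intact):", audit.Verify())
	fmt.Println("denied attempts per device:", audit.DeniedAttempts())
	audit.Entries()[1].Allowed = true // someone "corrects" a denial after the fact
	fmt.Println("after tampering, first bad index:", audit.Verify())
}
```

Because each MAC depends on the one before it, the verifier pinpoints the first altered entry, and a truncated log is caught by comparing its final MAC against one anchored elsewhere (a daily export, for instance). The same HMAC construction can protect the integrity of ePHI records stored on the device itself.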

Provided the appropriate security controls are put in place, the use of mobile devices in healthcare has huge potential to improve efficiency and productivity, reduce operational costs, and improve patient outcomes. Secure messaging systems have seen a great deal of investment in recent years, and have huge potential to offer inexpensive and straightforward solutions to the difficulties CEs may have in complying with the HIPAA Security Rule.