Keeping ePHI Data Secure On Mobile Devices
By Ken Lynch, founder and CEO, Reciprocity Labs.
Healthcare providers are among the long list of service providers that have embraced the mobile technology revolution. Some healthcare providers are supplying mobile healthcare devices to their staff, and others have introduced the Bring Your Own Device (BYOD) program that allows their staff to bring their devices and use them at work. Whichever the case, mobile technology enables staff to work remotely, which presents several benefits to healthcare providers.
Risks Associated with Use of Mobile Devices for PHI
While there’s no denying that mobile technology has revolutionized how people work, healthcare providers cannot turn a blind eye on the risks that come with the use of mobile devices. Owing to their small size and portability, mobile devices are at a greater risk of being stolen or lost compared to their immobile/fixed counterparts.
In the unfortunate event that a mobile device containing unsecured electronic protected health information (ePHI) is lost or stolen, there’s an increased risk of a data breach that can trigger HIPAA breach notification obligations for a HIPPA-covered entity and/or their business associates.
HIPAA Standards for Securing ePHI Data Secure on Mobile Devices
The HIPAA in 1996 mandated the Secretary of the U.S. Department of Health and Human Services to come up with regulations that would protect the security and privacy of certain health information in the year 1996. In compliance with this requirement, HHS published the HIPAA Security Rule and the HIPAA Privacy Rule.
The HIPAA Privacy Rule establishes national standards for the protection of individually identifiable health information that can be linked to a particular person. The HIPAA Security Rule, on the other hand, establishes national standards for protecting ePHI, particularly how it’s transmitted, maintained, or stored.
For your healthcare facility to be HIPAA-compliant, you must fulfill specific requirements. For the most part, you must ensure that physical, administration, and technical safeguards are put in place and adhered to, as follows:
Require User Authentication
User authentication is the process of verifying the identity of a user before accessing a mobile device and the information stored in it. One of the ways to secure ePHI is to ensure that mobile devices are configured to require user passwords, passcodes, or personal identification number (PIN) to gain access. Doing so can help to prevent unauthorized users from gaining access to devices, which can help to restrict access to ePHI.
It’s vital that you buy and install an encryption tool for mobile devices that are used to access ePHI. In the event that any of the devices is stolen or lost, encryption makes it impossible to read the information stored on the device. With some devices, it is recommended to enable encryption on device backups as well.
Update Your Security Software Regularly
Hackers usually take advantage of vulnerabilities in common applications such as browsers and operating systems. To keep your network safe, it’s vital that you keep your security software and operating systems up to date. By doing so, you’ll also prevent unauthorized access to ePHI on or through your mobile devices.
Here are some of the physical safeguards to adhere to:
- You must implement facility access controls to limit access to facilities where ePHI is stored.
- You must implement policies that restrict the use of workstations.
- You must implement policies and procedures o manage how ePHI is removed from mobile devices after a user leaves the organization.
- You must maintain an inventory of all hardware before its relocated, and a retrievable precise copy of ePHI must be made before the move.
- You must conduct risk assessments to establish ways in which breaches of ePHI can occur.
- You must introduce a risk management policy to ensure employees comply with HIPAA regulations.
- You must train employees to raise awareness of the policies and procedures governing ePHI.
- You must develop a contingency plan that can be rolled out in case of an emergency.
- You must restrict 3rd-party access to ePHI.
- You must report any security incidents once they occur.
Besides adhering to the above HIPAA requirements for compliance, there are various other best practices for keeping ePHI data secure on mobile devices. They include:
- Install and activate remote disabling and/or remote wiping to ensure that all ePHI is removed from the device in case it is stolen or lost.
- Avoid using file-sharing applications and make use of MDM software that helps to containerize ePHI and prevents data copy.
- Research mobile applications thoroughly before downloading.
- Avoid using public Wi-Fi network when sending and receiving ePHI and only use a Virtual Private Network instead.
The implementation of mobile devices will undoubtedly add a lot of value to your organization on the condition that the proper balance between usability and security is achieved. Taking the right measures to keep ePHI data secure shouldn’t be a matter of meeting compliance only. It should also be a matter of safeguarding the integrity of your patients and your organization at large.