Keeping ePHI Data Secure On Mobile Devices

By Ken Lynch, founder and CEO, Reciprocity Labs.


Healthcare providers are among the long list of service providers that have embraced the mobile technology revolution. Some healthcare providers are supplying mobile healthcare devices to their staff, and others have introduced the Bring Your Own Device (BYOD) program that allows their staff to bring their devices and use them at work. Whichever the case, mobile technology enables staff to work remotely, which presents several benefits to healthcare providers.

Risks Associated with Use of Mobile Devices for PHI

While there’s no denying that mobile technology has revolutionized how people work, healthcare providers cannot turn a blind eye on the risks that come with the use of mobile devices. Owing to their small size and portability, mobile devices are at a greater risk of being stolen or lost compared to their immobile/fixed counterparts.

In the unfortunate event that a mobile device containing unsecured electronic protected health information (ePHI) is lost or stolen, there is an increased risk of a data breach that can trigger HIPAA breach notification obligations for a HIPAA-covered entity and/or its business associates.

HIPAA Standards for Keeping ePHI Data Secure on Mobile Devices

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) required the Secretary of the U.S. Department of Health and Human Services (HHS) to issue regulations protecting the security and privacy of certain health information. In compliance with this requirement, HHS published the HIPAA Privacy Rule and the HIPAA Security Rule.

The HIPAA Privacy Rule establishes national standards for the protection of individually identifiable health information that can be linked to a particular person. The HIPAA Security Rule, on the other hand, establishes national standards for protecting ePHI, particularly how it’s transmitted, maintained, or stored.

For your healthcare facility to be HIPAA-compliant, you must fulfill specific requirements. For the most part, you must ensure that administrative, physical, and technical safeguards are put in place and adhered to, as follows:

Technical Safeguards

Require User Authentication

User authentication is the process of verifying the identity of a user before granting access to a mobile device and the information stored on it. One of the ways to secure ePHI is to ensure that mobile devices are configured to require a password, passcode, or personal identification number (PIN) to gain access. Doing so helps prevent unauthorized users from gaining access to devices, which in turn restricts access to ePHI. A short numeric PIN on its own offers limited protection against guessing, so pair it with a screen lock timeout and a lockout or wipe after repeated failed attempts.

Enable Encryption

It is vital that you enable encryption on every mobile device used to access ePHI, either the full-device encryption built into current mobile operating systems or a separately installed encryption tool. If a device is stolen or lost, encryption prevents anyone without the key from reading the information stored on it. Note that device encryption is only as strong as the passcode that protects the key, so it must be combined with the authentication requirement above. With some devices, it is recommended to enable encryption on device backups as well, since an unencrypted backup on a laptop or cloud service exposes the same ePHI.

Update Your Security Software Regularly

Attackers usually exploit vulnerabilities in common software such as browsers and operating systems. To keep your network safe, it is vital that you keep your security software and mobile operating systems up to date, and retire devices that no longer receive security updates. By doing so, you also prevent unauthorized access to ePHI on or through your mobile devices.
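The three technical safeguards above are only useful if someone actually checks that each device meets them. As an added example that is not part of the original article, the following Python script audits a constructed device inventory (of the kind an MDM export would give you) against those safeguards: a required passcode of adequate length, encrypted storage and backups, and an operating system at or above a patch baseline. The device fields, the baseline versions, and the sample inventory are assumptions for illustration; adjust them to your own MDM's export format and patch policy. It also shows a pitfall the text does not mention: OS versions must be compared numerically per component, or "16.10" will sort below "16.7".

```python
"""Audit a mobile-device inventory against the technical safeguards:
required passcode, device and backup encryption, and a current OS.
Example code, not from the original article; field names are assumed."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Patch baselines (assumed for illustration; set from your own policy).
MIN_OS_VERSION = {"ios": "16.7", "android": "13"}
MIN_PASSCODE_LENGTH = 6


@dataclass
class Device:
    """One row of a (hypothetical) MDM inventory export."""
    device_id: str
    platform: str            # "ios" or "android"
    os_version: str          # dotted version string as reported by the device
    passcode_required: bool
    passcode_min_length: int
    disk_encrypted: bool
    backup_encrypted: bool


def parse_version(version: str) -> Tuple[int, ...]:
    """Split '16.10' into (16, 10) so components compare as integers,
    not as strings ('16.10' < '16.7' as strings, which is wrong)."""
    return tuple(int(part) for part in version.split("."))


def version_at_least(actual: str, required: str) -> bool:
    """True if actual >= required, treating '13' and '13.0.0' as equal."""
    a, r = parse_version(actual), parse_version(required)
    width = max(len(a), len(r))
    a += (0,) * (width - len(a))
    r += (0,) * (width - len(r))
    return a >= r


def audit(device: Device) -> List[str]:
    """Return the list of safeguard failures for one device (empty = compliant)."""
    findings: List[str] = []
    if not device.passcode_required:
        findings.append("no passcode required")
    elif device.passcode_min_length < MIN_PASSCODE_LENGTH:
        findings.append(
            f"passcode minimum length {device.passcode_min_length} < {MIN_PASSCODE_LENGTH}"
        )
    if not device.disk_encrypted:
        findings.append("device storage not encrypted")
    if not device.backup_encrypted:
        findings.append("backups not encrypted")
    required = MIN_OS_VERSION.get(device.platform)
    if required is None:
        findings.append(f"unknown platform {device.platform!r}")
    elif not version_at_least(device.os_version, required):
        findings.append(f"OS {device.os_version} below baseline {required}")
    return findings


def audit_inventory(devices: List[Device]) -> Dict[str, List[str]]:
    """Map each device id to its findings."""
    return {d.device_id: audit(d) for d in devices}


# Constructed sample inventory; these are not real devices.
SAMPLE_INVENTORY = [
    Device("tablet-01", "ios", "17.2", True, 6, True, True),
    Device("phone-07", "android", "12", True, 4, True, False),
    Device("phone-12", "ios", "16.10", False, 0, True, True),
]

if __name__ == "__main__":
    for dev_id, findings in audit_inventory(SAMPLE_INVENTORY).items():
        status = "OK" if not findings else "NONCOMPLIANT: " + "; ".join(findings)
        print(f"{dev_id}: {status}")
```

In practice the inventory would be pulled from the MDM's API or a CSV export rather than hard-coded, and each non-empty finding list should feed a ticket or a conditional-access rule that blocks the device from ePHI until it is remediated.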

Physical Safeguards

Here are some of the physical safeguards to adhere to:

Administrative Safeguards

Besides adhering to the above HIPAA requirements for compliance, there are various other best practices for keeping ePHI data secure on mobile devices. They include:

The introduction of mobile devices will undoubtedly add a lot of value to your organization, provided the proper balance between usability and security is achieved. Taking the right measures to keep ePHI data secure should not be a matter of meeting compliance requirements only. It should also be a matter of safeguarding your patients' privacy and the integrity of your organization at large.
