Healthcare organizations need to address the security risks associated with the use of mobile devices and reduce them to a reasonable and acceptable level. Here is a list of good advice from the HHS’ Office for Civil Rights (OCR):
1. When using mobile devices in the workplace to create, receive, maintain and transmit ePHI, be sure to implement the appropriate policies and procedures.
2. Secure mobile devices using Mobile Device Management (MDM) software.
3. Implement an authentication step to use or unlock mobile devices.
4. Enable automatic lock or logoff functionality.
5. Don’t forget to install security patches and updates.
6. Use a privacy screen so that people nearby cannot read the information on your screen.
7. Use a secure Virtual Private Network (VPN) and secure Wi-Fi connections.
8. Install security features such as encryption, anti-malware or anti-virus software and remote wipe capabilities.
9. Use whitelisting to permit installation of approved apps only. Do not allow third-party apps to be downloaded.
10. All PHI stored on a mobile device must be securely deleted before discarding or reusing the device.
11. Include the entire workforce in training programs on how to use mobile devices securely.
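Several of the items above (MDM enrollment, device authentication, automatic lock, patching, encryption and remote wipe, app whitelisting) can be checked continuously from an MDM inventory export rather than only at policy-writing time. The audit below is an added example, not code from HHS, OCR or any MDM vendor; the CSV columns, the sample rows and the policy thresholds are all constructed assumptions for illustration.

```python
"""Audit a constructed MDM device export against the OCR mobile-device checklist."""
import csv
import io
from datetime import date

# Constructed sample export (not real device data); the column names are an
# assumption about what an MDM inventory export might contain.
SAMPLE_EXPORT = """device_id,mdm_enrolled,passcode_set,auto_lock_seconds,encrypted,remote_wipe,os_patch_date,unapproved_apps
tab-001,yes,yes,120,yes,yes,2024-05-01,0
tab-002,yes,no,0,yes,yes,2024-01-15,2
phone-003,no,yes,600,no,no,2023-11-30,0
"""

AUDIT_DATE = date(2024, 6, 1)    # constructed "today" so the run is reproducible
MAX_AUTO_LOCK_SECONDS = 300      # assumed organizational policy value
MAX_PATCH_AGE_DAYS = 60          # assumed organizational policy value


def audit_device(row, today):
    """Return the checklist item numbers (from the list above) that the device fails."""
    failures = []
    if row["mdm_enrolled"] != "yes":            # item 2: managed by MDM
        failures.append(2)
    if row["passcode_set"] != "yes":            # item 3: authentication to unlock
        failures.append(3)
    lock = int(row["auto_lock_seconds"])        # item 4: auto-lock enabled and short enough
    if lock <= 0 or lock > MAX_AUTO_LOCK_SECONDS:
        failures.append(4)
    patch_age = (today - date.fromisoformat(row["os_patch_date"])).days
    if patch_age > MAX_PATCH_AGE_DAYS:          # item 5: patches applied recently
        failures.append(5)
    if row["encrypted"] != "yes" or row["remote_wipe"] != "yes":
        failures.append(8)                      # item 8: encryption and remote wipe
    if int(row["unapproved_apps"]) > 0:         # item 9: only whitelisted apps present
        failures.append(9)
    return failures


def audit_export(csv_text, today):
    """Map each device_id to its failed items; a compliant device maps to []."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["device_id"]: audit_device(row, today) for row in reader}


if __name__ == "__main__":
    for dev, fails in audit_export(SAMPLE_EXPORT, AUDIT_DATE).items():
        print(dev, "compliant" if not fails else f"fails checklist items {fails}")
```

Devices that fail item 8 are the ones that turn a lost or stolen device into a reportable breach, as the settlements described below illustrate, so those findings deserve the highest remediation priority.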
Over the past few years, OCR has strictly penalized non-compliance with the HIPAA Rules. Several HIPAA covered entities have paid settlements for failing to address mobile device security risks that resulted in a data breach. Children’s Medical Center of Dallas paid a $3.2 million penalty for the theft of unencrypted data impacting 6,262 individuals. Oregon Health & Science University paid $2.7 million for the loss of an unencrypted laptop and the use of cloud storage without a Business Associate Agreement, impacting 4,361 individuals. CardioNet paid $2.5 million for the theft of an unencrypted laptop computer impacting 1,391 individuals. Catholic Health Care Services of the Archdiocese of Philadelphia paid $650,000 for the theft of a mobile device that impacted 412 individuals.