How Can HIPAA-Covered Entities Lower the Security Risks of Mobile Device Usage?
Healthcare organizations need to address the security risks associated with the use of mobile devices and reduce them to a reasonable and acceptable level. Here is a list of good advice from the HHS' Office for Civil Rights:
1. When using mobile devices in the workplace to create, receive, maintain and transmit ePHI, be sure to implement the appropriate policies and procedures.
2. Secure mobile devices using Mobile Device Management (MDM) software.
3. Implement an authentication step to use or unlock mobile devices.
4. Install automatic lock or logoff functionality.
5. Don't forget to install security patches and updates.
6. Use a privacy screen so people close by cannot read the information on your screen.
7. Use a secure Virtual Private Network (VPN) and secure Wi-Fi connections.
8. Install security features such as encryption, anti-malware or anti-virus software and remote wipe capabilities.
9. Use whitelisting to permit installation of approved apps only. Third-party apps should not be allowed to be downloaded.
10. All PHI stored on a mobile device must be securely deleted before discarding or reusing the device.
11. All of the workforce must be included in the HIPAA training programs on how to securely use mobile devices.
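To make the controls above auditable rather than aspirational, here is an added example (not code from HHS/OCR or any MDM vendor) that checks a constructed MDM inventory export against them: MDM enrollment, storage encryption, unlock authentication, auto-lock timeout, patch age, an app whitelist and remote wipe. The record field names, the policy thresholds and the approved-app identifiers are assumptions.

```python
"""Audit constructed MDM export records against the mobile-device controls
listed above. Field names, thresholds and app ids are assumed, not from the page."""
from datetime import date

# Assumed policy thresholds (set these from your own risk analysis).
MAX_LOCK_TIMEOUT_SEC = 300   # auto-lock after at most 5 minutes idle
MAX_PATCH_AGE_DAYS = 30      # OS security patch must be at most 30 days old
APPROVED_APPS = {"com.example.ehr", "com.example.securemail", "com.example.vpn"}

def audit_device(dev: dict, as_of: str) -> list[str]:
    """Return the control failures for one device record (empty list = compliant)."""
    findings = []
    if not dev.get("mdm_enrolled"):
        findings.append("not enrolled in MDM")
    if not dev.get("storage_encrypted"):
        findings.append("storage not encrypted")
    if not dev.get("passcode_set"):
        findings.append("no unlock authentication")
    if dev.get("lock_timeout_sec", 10**9) > MAX_LOCK_TIMEOUT_SEC:
        findings.append("auto-lock timeout exceeds policy")
    patch_age = (date.fromisoformat(as_of) - date.fromisoformat(dev["last_security_patch"])).days
    if patch_age > MAX_PATCH_AGE_DAYS:
        findings.append(f"security patch {patch_age} days old")
    unapproved = set(dev.get("installed_apps", [])) - APPROVED_APPS   # whitelist check
    if unapproved:
        findings.append("unapproved apps: " + ", ".join(sorted(unapproved)))
    if not dev.get("remote_wipe_enabled"):
        findings.append("remote wipe not enabled")
    return findings

def audit_inventory(devices: list[dict], as_of: str) -> dict[str, list[str]]:
    """Map device id -> findings, keeping only non-compliant devices."""
    report = {d["id"]: audit_device(d, as_of) for d in devices}
    return {dev_id: issues for dev_id, issues in report.items() if issues}

# Constructed sample export (not real devices).
SAMPLE_EXPORT = [
    {"id": "tab-001", "mdm_enrolled": True, "storage_encrypted": True, "passcode_set": True,
     "lock_timeout_sec": 120, "last_security_patch": "2024-05-20", "remote_wipe_enabled": True,
     "installed_apps": ["com.example.ehr", "com.example.vpn"]},
    {"id": "phone-042", "mdm_enrolled": True, "storage_encrypted": False, "passcode_set": True,
     "lock_timeout_sec": 900, "last_security_patch": "2024-01-05", "remote_wipe_enabled": False,
     "installed_apps": ["com.example.ehr", "com.social.chat"]},
]

if __name__ == "__main__":
    for dev_id, issues in audit_inventory(SAMPLE_EXPORT, "2024-06-01").items():
        print(dev_id, "->", "; ".join(issues))
```

Feed it the real export from your MDM (after mapping its column names onto the assumed fields) and the non-empty entries are the devices that need remediation before they handle ePHI.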
Over the past few years, the OCR has been strictly penalizing non-compliance with the HIPAA Rules. Several HIPAA covered entities have had to pay settlements for failing to address mobile device security risks that resulted in a data breach. Children's Medical Center of Dallas paid a $3.2 million penalty for the theft of unencrypted data, impacting 6,262 individuals. Oregon Health & Science University paid $2.7 million for the loss of an unencrypted laptop and the use of cloud storage without a Business Associate Agreement, impacting 4,361 individuals. CardioNet paid $2.5 million for the theft of an unencrypted laptop computer, impacting 1,391 individuals. Catholic Health Care Services of the Archdiocese of Philadelphia paid $650,000 for the theft of a mobile device that impacted 412 individuals.