What are the HIPAA requirements for mobile devices?

Mobile Device

Healthcare organizations and other HIPAA-covered bodies have embraced the evolution of mobile technology, and are permitting the use of Smartphones, tablets and other portable devices in hospitals, clinics and other workplaces; however, the HIPAA requirements for mobile devices are not met, heavy HIPAA fines can follow.

The Healthcare Industry and Mobile Devices

Many healthcare groups choose to take advantage of mobile devices, while keeping costs low. Bring Your Own Device (BYOD) schemes are implemented that permit physicians, nurses and other healthcare workers to bring their own personal devices and use them at work. Other choose to supply mobile healthcare technology to the staff; finding it easier to maintain control and secure their networks.

Any HIPAA covered entity that decides to use mobile devices in the workplace must put in place a number of security controls to keep safe any patient health data that is accessed through the device, stored on it, or shared by it.

Mobile Devices can be a Possible Minefield of HIPAA Violations

Sadly, while mobile healthcare devices are useful, they are not without their dangers. With hundreds or thousands of mobile devices now needing access to a healthcare network, it is not shocking that mobile data security and HIPAA compliance have become two of the biggest issues for CIOs, CISOs, Compliance Officers and health IT professionals.

Even if mobile devices are safe, there is huge potential for the users of those devices to breach HIPAA rules or company policies. Without proper controls, devices could be compromised, and the electronic Protected Health Information (ePHI) stored on them accessed. There is also serious potential for Smartphones, tablets and laptops to be targeted by cybercriminals, who view them as an accessible entry point into healthcare networks.

Mobile healthcare devices often do not have robust security controls, the devices are used to join networks via public Wi-Fi, and there is considerable possibility for theft or loss. If patient privacy violations and HIPAA penalties are to be prevented, it is vital that mobile data security risks are thoroughly reviewed and addressed.

HIPAA Compliance Basics for Mobile Data Security

One of the main focuses of HIPAA legislation is to safeguard the privacy of patients and health plan subscribers. HIPAA regulations force healthcare groups and individual care suppliers to adopt a minimum set of standards to protect the privacy of patients and keep data safe.

Robust mobile data security and HIPAA compliance are not optional: Failure to adhere with HIPAA regulations is likely to be expensive. Fines as high as $1.5 million – per violation category, per year that the violation has persisted – can be applied by the Department of Health and Human Services’ Office for Civil Rights. Other federal agencies can issue financial penalties fines, as can state attorneys general. There is also the huge possible cost of a breach response to cover if information is potentially exposed.

Risk Assessments and the HIPAA Security Rule:

One of the most basic and pivotal elements of mobile data security is risk assessment, a mandatory necessity under the HIPAA Security Rule. It is possible to put in place robust security defenses by incorporating all of the standard defense measures: Firewalls, anti-virus protection, anti-malware programs, authentication and password controls etc. However without a full risk assessment being conducted, it is not possible to know whether security weaknesses remain.

A risk assessment must include the complete IT infrastructure; company policies; administrative procedures; physical security controls, and all systems and equipment capable of holding, sending or touching ePHI. The HHS offers a risk assessment tool to help with this.

As hackers identify new ways to attack networks and mobile devices to obtain data, healthcare groups must work at maintaining and enhancing security defenses. They must tackle new vulnerabilities that are inadvertently introduced, or happen over time as equipment and software grows old. Risk assessments must, naturally, be conducted constantly.

Technical Safeguards for Mobile Devices and the HIPAA Security Rule

According to the HHS’ HIPAA Security Series Guidelines, covered bodies are informed that they “must consider the use of encryption for transmitting ePHI, particularly over the Internet.”

HIPAA-covered bodies must additionally “Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.”

It is not obligatory to encrypt data at rest; however covered bodies should consider the advice given in the HHS Security guidelines in relation to data in motion, “As business practices and technology change, situations may arise where ePHI being transmitted from a covered entity would be at significant risk of being accessed by unauthorized entities.”

The HHS Guidelines continue, “Where risk analysis shows such risk to be significant, a covered entity must encrypt those transmissions under the addressable implementation specification for encryption.”

If covered bodies permit the sending of ePHI over an open network, such as though SMS messages, this would breach HIPAA rules. The SMS network is far from secure, and the possibility of ePHI being intercepted is high. To prevent a HIPAA violation and lessen the probability of a data breach being incurred, ePHI should only be sent via a secure channel with end-to-end encryption.

Mobile Devices: Data Access, Integrity and Audit Controls

HIPAA mandates covered bodies “to implement technical policies and procedures that allow only authorized persons to access Protected Health Information.” If mobile devices are used to access, save or send ePHI, they must have access controls in place to validate the user. Multi-layered security measures should be put in place to reduce the risk of unauthorized data access.

Any data save on a mobile device – or sent by it – must have security protections in place to ensure the data cannot be amended or destroyed, and controls must be put in place to permit devices to be audited. It must be possible to review access to ePHI (and attempted access efforts), and any other activity enacted on the device that has potential to affect data security.

Once the appropriate security controls are established, the use of mobile devices in the healthcare sector has huge potential to increase efficiency, productivity, lessen operational costs, as well as better patient outcomes. The solution is to ensure the mobile devices do not place patient privacy in danger or provide unauthorized people with an easy access point into the network.