What are the HIPAA Requirements for Mobile Devices?
Healthcare organizations and other HIPAA-covered entities have embraced mobile technology and are permitting the use of smartphones, tablets and other portable devices in hospitals, clinics and other workplaces; however, if the HIPAA requirements for mobile devices are not met, heavy HIPAA fines can follow.
The Healthcare Industry and Mobile Devices
Many healthcare groups choose to take advantage of mobile devices because the efficiency gains they bring can reduce healthcare costs. Bring Your Own Device (BYOD) schemes permit physicians, nurses and other healthcare workers to bring their own personal devices and use them at work, so the benefits of the devices are gained without the cost of purchasing new devices for employees. Others choose to supply mobile healthcare technology to staff, finding it easier to control and secure organization-owned devices and the network to which they connect.
Any HIPAA covered entity that decides to use mobile devices in the workplace must put in place a number of security controls to keep secure any patient health data that is accessed through the devices or stored on them. Safeguards must also be implemented to control the actions that can be performed from those devices when they connect to healthcare networks.
Mobile Devices can be a Possible Minefield of HIPAA Violations
While mobile healthcare devices are undoubtedly useful, they are not without their dangers. With hundreds or thousands of mobile devices now needing access to a healthcare network, mobile data security and HIPAA compliance have become two of the biggest issues for CIOs, CISOs, Compliance Officers and health IT professionals.
Even if the devices themselves are secure, there is huge potential for the users of those devices to breach HIPAA rules or company policies. Without proper controls, devices could be compromised, and the electronic Protected Health Information (ePHI) stored on them accessed by unauthorized individuals. There is also serious potential for smartphones, tablets and laptops to be targeted by cybercriminals: they can be an easy way to gain access to healthcare networks because they typically lack the robust security controls applied to desktop computers.
Being portable, mobile devices can be used to access healthcare networks off site via public Wi-Fi hotspots where communications could be intercepted. There is considerable potential for theft or loss of the devices. If patient privacy violations and HIPAA penalties are to be prevented, it is vital that mobile data security risks are thoroughly assessed and addressed.
HIPAA Compliance Basics for Mobile Data Security
One of the main focuses of HIPAA legislation is to safeguard the privacy of patients and health plan subscribers. HIPAA regulations require healthcare systems and other providers to adopt standards that protect the privacy of patients and keep their data safe.
Mobile data security and HIPAA compliance are not optional: Failure to comply with HIPAA regulations can attract significant financial penalties. Fines as high as $1.5 million – per violation category, per year that the violation has persisted – can be issued by the Department of Health and Human Services’ Office for Civil Rights. Other federal agencies can issue financial penalties, as can state attorneys general. In addition, when a breach occurs, the cost of a breach response can reach millions of dollars.
Risk Analyses and the HIPAA Security Rule
One of the most basic and important elements of mobile data security is the risk analysis, a fundamental requirement of the HIPAA Security Rule. Robust security defenses can be built from the standard measures (firewalls, anti-virus and anti-malware software, authentication and password controls, and so on), but without a full risk analysis it is not possible to know whether security weaknesses remain.
A risk analysis must cover the complete IT infrastructure; company policies; administrative procedures; physical security controls; and all systems and equipment capable of creating, storing, sending, or touching ePHI. HHS offers a Security Risk Assessment Tool to help with this.
As hackers identify new ways to attack networks and mobile devices to obtain data, healthcare groups must keep maintaining and enhancing their security defenses. They must tackle new vulnerabilities that are inadvertently introduced, or that emerge over time as equipment and software age and reach end of life. Risk assessments must therefore be conducted regularly so that new risks are identified and addressed.
Technical Safeguards for Mobile Devices and the HIPAA Security Rule
According to the HHS HIPAA Security Series Guidelines, covered entities “must consider the use of encryption for transmitting ePHI, particularly over the Internet.”
HIPAA-covered entities must additionally “Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.”
Encryption of data at rest is likewise an addressable specification rather than a mandatory one; however, covered entities should consider the advice given in the HHS Security Series guidelines in relation to data in motion, “As business practices and technology change, situations may arise where ePHI being transmitted from a covered entity would be at significant risk of being accessed by unauthorized entities.”
The HHS Guidelines continue, “Where [a] risk analysis shows such risk to be significant, a covered entity must encrypt those transmissions under the addressable implementation specification for encryption.”
If covered entities permit ePHI to be sent unencrypted over an open network, such as through SMS messages, this would breach HIPAA rules. SMS is far from secure: messages are not encrypted end to end and pass through store-and-forward carrier systems outside the covered entity's control, so the possibility of ePHI being intercepted is high. To prevent a HIPAA violation and lessen the probability of a data breach, ePHI should only be sent via a secure channel with end-to-end encryption.
Mobile Devices: Data Access, Integrity and Audit Controls
HIPAA mandates covered entities “to implement technical policies and procedures that allow only authorized persons to access Protected Health Information.” If mobile devices are used to access, save, or send ePHI, they must have access controls in place to authenticate the user before ePHI is released. Multi-layered security measures (for example, a device passcode or biometric unlock combined with separate authentication to the clinical application) should be put in place to reduce the risk of unauthorized data access.
Any data saved on a mobile device, or sent using it, must have security protections in place to ensure it cannot be improperly altered or destroyed, and controls must be put in place to permit devices to be audited. It must be possible to review access to ePHI (including attempted access that was denied) and any other activity on the device that has potential to affect data security; audit records are only useful if they themselves are protected from tampering.
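The following is an added example, not code from the original article or from HHS guidance, showing one way a mobile application could combine the access, integrity and audit controls described above: every access decision (granted or denied) is written to an append-only log in which each entry carries an HMAC and is chained to the previous entry's MAC, so a reviewer can detect altered, removed or reordered entries. The role table, the fixed key and the sample access attempts are constructed for illustration only; a real device would keep a per-device secret in the platform keystore.

```python
"""Added example: a tamper-evident access log for ePHI on a mobile device.

Each access decision (granted or denied) is appended as an entry that is
HMAC-signed and chained to the previous entry's MAC, so deletion or alteration
of any entry is detectable when the log is reviewed. The role table and the
fixed key are constructed for illustration only.
"""
import hashlib
import hmac
import json

# Hypothetical role table (constructed): which actions each role may perform.
ROLE_PERMISSIONS = {
    "physician": {"view", "update"},
    "nurse": {"view"},
    "billing": set(),
}

GENESIS = "0" * 64  # chain anchor for the first entry

# Constructed fixed key so the example is reproducible. A real device would
# keep a per-device secret in the platform keystore, never a hard-coded value.
DEMO_KEY = bytes(range(32))


def _canonical(fields: dict) -> bytes:
    """Deterministic serialization so the MAC covers exactly the logged fields."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


class AuditLog:
    """Append-only log of ePHI access decisions with an HMAC hash chain."""

    def __init__(self, key: bytes):
        if len(key) < 32:
            raise ValueError("audit key must be at least 256 bits")
        self._key = key
        self.entries = []
        self._prev = GENESIS

    def authorize_and_record(self, ts: str, user: str, role: str,
                             patient_id: str, action: str) -> bool:
        """Decide whether `user` may perform `action`; log the decision either way."""
        granted = action in ROLE_PERMISSIONS.get(role, set())
        entry = {"ts": ts, "user": user, "role": role, "patient": patient_id,
                 "action": action, "granted": granted, "prev": self._prev}
        entry["mac"] = hmac.new(self._key, _canonical(entry), hashlib.sha256).hexdigest()
        self._prev = entry["mac"]
        self.entries.append(entry)
        return granted

    def head(self) -> str:
        """MAC of the latest entry; report it to a server so a truncated tail is detectable."""
        return self._prev


def verify_log(key: bytes, entries: list, expected_head: str = None) -> tuple:
    """Return (True, count) if every entry is authentic and correctly chained,
    otherwise (False, index_of_first_bad_entry)."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if e.get("prev") != prev:
            return False, i            # entry removed or reordered before here
        body = {k: v for k, v in e.items() if k != "mac"}
        expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, e.get("mac", "")):
            return False, i            # field altered or MAC forged
        prev = e["mac"]
    if expected_head is not None and prev != expected_head:
        return False, len(entries)     # tail entries deleted
    return True, len(entries)


def demo_log() -> AuditLog:
    """Constructed sample: one permitted access and two denied attempts."""
    log = AuditLog(DEMO_KEY)
    log.authorize_and_record("2015-06-01T09:00:00Z", "dr.smith", "physician", "MRN-1001", "view")
    log.authorize_and_record("2015-06-01T09:02:00Z", "j.doe", "billing", "MRN-1001", "view")
    log.authorize_and_record("2015-06-01T09:05:00Z", "n.jones", "nurse", "MRN-2002", "update")
    return log


if __name__ == "__main__":
    log = demo_log()
    print("intact:", verify_log(DEMO_KEY, log.entries, log.head()))
    tampered = [dict(e) for e in log.entries]
    tampered[1]["granted"] = True      # attacker hides a denied attempt
    print("altered:", verify_log(DEMO_KEY, tampered, log.head()))
```

Note the limitation the `expected_head` parameter addresses: a hash chain on its own cannot reveal that the newest entries were simply deleted, because a shorter log is still internally consistent. Reporting the latest MAC to a server (or another store the device user cannot modify) after each write closes that gap, and a reviewer should also be able to reconcile the device log against server-side access records.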
Once the appropriate security controls are established, the use of mobile devices in the healthcare sector has huge potential to increase efficiency and productivity, lessen operational costs, and improve patient outcomes. The key is to ensure that mobile devices do not endanger patient privacy or give unauthorized people easy access to healthcare data or healthcare networks.
Mobile Devices and HIPAA: FAQ
Can BYOD schemes be HIPAA compliant?
Yes, if implemented correctly, bring your own device (BYOD) schemes can be HIPAA compliant. However, care must be taken to ensure that employees are trained in the HIPAA compliant use of these devices, and that appropriate software (such as mobile device management and encryption) has been installed to ensure data remains encrypted and inaccessible to unauthorized individuals.
Is encryption necessary?
The HIPAA Security Rule defines encryption as an “addressable” implementation specification. This does not mean that it is optional; rather, it means that encryption must be implemented where the risk analysis shows it is reasonable and appropriate, and where it is not implemented the covered entity must document why and put an equivalent alternative measure in place. If PHI is transmitted unencrypted over an open network, this would be considered a HIPAA violation as PHI in transit must be adequately protected. Therefore, only secure channels with end-to-end encryption should be used to prevent interception of the PHI. Encryption of data “at rest” is also addressable rather than mandatory, but because a lost or stolen device is one of the most common causes of a breach, CEs should strongly consider encrypting storage on mobile devices.
What happens if a device is lost or stolen?
Lost or stolen devices can lead to a HIPAA violation if the PHI on them is then accessed by unauthorized individuals. It is hard to protect absolutely against theft or loss of devices, but measures can be put in place to ensure that such an event does not necessarily lead to a data breach. For example, encrypting the device storage protects the data from exposure as long as the passcode or key is not also compromised, and enrolling devices in a mobile device management system that supports remote wipe means that any PHI can be removed from a device once the loss is reported. Staff should therefore be required to report lost or stolen devices promptly.
Can employees connect to public Wi-Fi on their mobile devices?
Public Wi-Fi networks should be avoided wherever possible. Using an untrusted network exposes devices to interception and man-in-the-middle attacks, giving data thieves a route to PHI. If a public network must be used, a VPN should be required so that all traffic to healthcare systems is encrypted between the device and the organization's network.
How common are data breaches involving mobile devices?
In the first six months of 2015 alone, breaches involving mobile devices exposed over 270,000 PHI records. This represents nearly a quarter of all records that were exposed over that period. Mobile devices, therefore, represent a major security threat to CEs.