Mobile Data Security and HIPAA Compliance

Security

Healthcare providers and HIPAA-covered entities have been caught up in the mobile technology movement. Many clinics and hospitals now provide their staff with smartphones, tablets and portable devices for work or allow the use of portable devices with a BYOD policy. However, if mobile data security controls are insufficient, covered entities are at risk of a HIPAA violation. If that happens, regulators can issue substantial fines.

Mobile Devices and the Healthcare Industry

Many healthcare organizations get the benefits of mobile devices while keeping costs down through a Bring Your Own Device (BYOD) scheme: physicians, nurses and other healthcare employees use their own smartphones and tablets for work. Other organizations issue devices to employees. That costs more, but it gives the organization far greater control over how the devices are configured and secured.

HIPAA covered entities that decide to allow mobile devices at work need to put in place several controls to secure patient health data that is accessed on a device, stored on it, or transmitted from it.

Mobile Devices can Potentially Be a Minefield of HIPAA Violations

Mobile devices are convenient, but they carry risk, and because they are used to reach healthcare networks, CISOs, CIOs, compliance officers and health IT staff are rightly concerned about mobile data security and HIPAA compliance.

Even if mobile devices are properly secured, there is a possibility that users could end up violating HIPAA Rules or their organization’s internal policies. Without sufficient controls, the electronic Protected Health Information (ePHI) stored on the devices could be exposed. Cybercriminals could even target smartphones, tablets and laptop computers and use them to access healthcare networks.

Strong security controls can be set on mobile devices, but all too often they are not. Further, when devices are used on public Wi-Fi networks to reach the organization's systems, the potential for data theft is considerable. To avoid a breach of patient privacy and a HIPAA penalty, mobile data security risks must be assessed in full and reduced to a reasonable and appropriate level.

Mobile Data Security and Basic HIPAA Compliance

One of the primary goals of HIPAA is to ensure that the personal information of patients and health plan members is protected. HIPAA Rules push healthcare institutions and private health care providers to adopt standards to ensure the confidentiality, integrity, and availability of healthcare data.

Effective mobile data security and compliance with HIPAA are mandatory: Failing to comply may have very costly consequences. The Department of Health and Human Services’ Office for Civil Rights can issue penalties as high as $1.5 million per violation category per year. Other federal agencies and state attorneys general can also issue penalties.

The HIPAA Security Rule and Risk Analyses

A risk analysis is a fundamental component of mobile data security and a compulsory requirement of the HIPAA Security Rule. It lets a covered entity identify the risks associated with the devices and take steps to reduce them to a reasonable and appropriate level. Standard defensive measures such as anti-virus and anti-malware software, firewalls, multi-factor authentication and password controls strengthen the defenses, but until the organization has conducted a full risk analysis it cannot tell whether those controls are sufficient or what risks remain.

A risk analysis should cover the entire IT infrastructure: organizational policies, administrative procedures, physical security, and every system and device that stores, transmits or processes ePHI. HHS has published a risk assessment tool to help healthcare organizations with this vital element of HIPAA compliance.

As cyber criminals find new ways to attack systems, including mobile devices, healthcare institutions need to continue monitoring and improving their security defenses. New vulnerabilities appear over time, so risk analyses should be conducted on a regular basis to ensure that they are identified and addressed.

The HIPAA Security Rule and Technical Safety Measures for Mobile Devices

The HHS HIPAA Security Series guidance advises covered entities to consider encrypting ePHI in transit, especially over the internet, and to employ technical security measures that guard against unauthorized access to ePHI while it is being sent over any electronic communications network.

Under the Security Rule, encryption is an "addressable" implementation specification for both data at rest and data in transit: it is not strictly mandated, but a covered entity that decides not to encrypt must document why and put an equivalent alternative safeguard in place. For data in motion, encryption is the expected answer, because the risk of ePHI being intercepted and read by unauthorized individuals is higher. Encrypting data stored on a mobile device matters as well: a lost or stolen device exposes everything stored on it, whereas ePHI encrypted in line with HHS guidance is not treated as "unsecured" PHI under the Breach Notification Rule.

Sending ePHI over an open channel such as ordinary SMS text messaging does not meet the Security Rule's safeguard requirements and is treated as a HIPAA violation. SMS is not encrypted end to end, so ePHI has a high probability of being intercepted. To prevent a violation and minimize the possibility of a data breach, ePHI must only be sent via a protected channel with end-to-end encryption, such as a secure, encrypted messaging platform.

Data Access, Integrity and Audit Controls for Mobile Devices

The Security Rule requires covered entities to implement technical controls that prevent unauthorized access to ePHI. Where mobile devices are used to access, store or transmit ePHI, access controls should include unique user authentication, and layering controls (for example multi-factor authentication on top of a password and a device unlock code) further reduces the risk of unauthorized access.

Mobile devices also need controls that prevent improper alteration or destruction of ePHI (integrity controls) and audit controls: it must be possible to review logs of who accessed ePHI, and of any other activity that could affect data security.
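The following is an added illustration of the three safeguards just described (access, integrity and audit controls), not code from the original article or from any HHS guidance. It models a small in-memory ePHI store for a mobile app: every read is tied to an authenticated user and role, each record carries an HMAC so alteration outside the app is detected on read, and every access attempt goes into a keyed, hash-chained audit log so that an edited or deleted log entry is detectable. The keys, the role model, the patient identifier and the record contents are all constructed for the example. HMAC provides integrity, not confidentiality: on a real device the store would additionally sit on encrypted storage with keys held in the platform keystore rather than generated at start-up.

```python
"""Access, integrity and audit controls for a mobile ePHI store (added example)."""
import hashlib
import hmac
import json
import secrets
import time

# Constructed keys. On a real device these would be generated and held in the
# platform keystore (Android Keystore / iOS Secure Enclave), never hard-coded.
INTEGRITY_KEY = secrets.token_bytes(32)
AUDIT_KEY = secrets.token_bytes(32)

# Constructed role model: only clinical roles may read patient records.
AUTHORIZED_ROLES = {"physician", "nurse"}

GENESIS = "0" * 64  # "previous hash" value for the first audit entry


def _mac(key: bytes, data: bytes) -> str:
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def _canonical(obj) -> bytes:
    # Stable serialisation so the MAC does not depend on dict ordering.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def seal_record(record: dict) -> dict:
    """Integrity control: bind a MAC to the canonical form of the record."""
    body = _canonical(record)
    return {"body": body.decode(), "mac": _mac(INTEGRITY_KEY, body)}


def verify_record(sealed: dict) -> bool:
    expected = _mac(INTEGRITY_KEY, sealed["body"].encode())
    return hmac.compare_digest(sealed["mac"], expected)


class AuditLog:
    """Audit control: append-only, hash-chained, keyed log of ePHI access."""

    def __init__(self):
        self.entries = []

    def append(self, user: str, action: str, patient_id: str, outcome: str) -> None:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"ts": time.time(), "user": user, "action": action,
                 "patient": patient_id, "outcome": outcome, "prev": prev}
        entry["hash"] = _mac(AUDIT_KEY, _canonical(entry))
        self.entries.append(entry)

    def verify_chain(self) -> bool:
        """False if any entry was edited, removed or reordered."""
        prev = GENESIS
        for entry in self.entries:
            if entry["prev"] != prev:
                return False
            body = {k: v for k, v in entry.items() if k != "hash"}
            if not hmac.compare_digest(entry["hash"], _mac(AUDIT_KEY, _canonical(body))):
                return False
            prev = entry["hash"]
        return True


class EphiStore:
    """Access control: reads require an authorized role and are always logged."""

    def __init__(self, log: AuditLog):
        self.records = {}
        self.log = log

    def put(self, patient_id: str, record: dict) -> None:
        self.records[patient_id] = seal_record(record)

    def read(self, user: str, role: str, patient_id: str) -> dict:
        if role not in AUTHORIZED_ROLES:
            self.log.append(user, "read", patient_id, "denied")
            raise PermissionError(f"{user} ({role}) may not read ePHI")
        sealed = self.records[patient_id]
        if not verify_record(sealed):
            # Log before raising so the integrity failure itself is auditable.
            self.log.append(user, "read", patient_id, "integrity_failure")
            raise ValueError(f"record {patient_id} failed integrity check")
        self.log.append(user, "read", patient_id, "ok")
        return json.loads(sealed["body"])


if __name__ == "__main__":
    log = AuditLog()
    store = EphiStore(log)
    store.put("P001", {"name": "Sample Patient", "dx": "J45.20"})  # constructed record
    print(store.read("nurse_kim", "nurse", "P001"))
    try:
        store.read("vendor_x", "contractor", "P001")
    except PermissionError as e:
        print("denied:", e)
    # Simulate alteration of the stored record outside the application.
    store.records["P001"]["body"] = store.records["P001"]["body"].replace("J45.20", "J45.50")
    try:
        store.read("nurse_kim", "nurse", "P001")
    except ValueError as e:
        print("tamper detected:", e)
    print("audit chain intact:", log.verify_chain())
    del log.entries[1]  # an attempt to erase the record of the denied access
    print("audit chain intact after deletion:", log.verify_chain())
```

Two design points carry over to real deployments. The integrity failure is logged before the error is raised, so a tampered record is itself an auditable event rather than a silent read failure. The log is keyed as well as chained: chaining alone only detects removal or reordering, while the MAC under a key the app user cannot read also stops an attacker on the device from rewriting an entry and recomputing the chain.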

As long as there are proper security controls, mobile devices may be used in healthcare to improve efficiency, lower operational expenses and improve patient care.