Most healthcare organizations today use mobile devices including laptop computers, tablets, mobile phones and portable storage devices to boost productivity. However, this introduces risks that could result in data breaches and exposure of protected health information (PHI). So as a HIPAA-covered entity, it is necessary to reduce mobile device security risks to an acceptable level.
The data breach reports submitted by covered entities to the Department of Health and Human Services’ Office for Civil Rights indicate that there were a handful of data breaches that involved mobile devices. From January 2015 to October 2017, 71 data breaches had mobile devices involved exposing the records of 1,303,760 patients. Out of the 17 breaches that exposed over 10,000 records, the largest had 697, 800 records exposed.
The HIPAA Security rule does not require encryption for mobile devices. If only this security measure was put into effect, many of those 71 breaches could have easily been avoided. The HIPAA Breach Notification Rule requires a breach report when mobile devices containing ePHI are lost or stolen. The affected individuals should also receive notification about the breach. However, if the lost or stolen mobile devices contained encrypted ePHI, the incidents are not considered HIPAA data breaches. No breach report and patient notifications will be necessary unless the key to decrypt data were also obtained. Since HIPAA does not demand encryption of ePHI on mobile devices, an alternative safeguard should be considered to protect the confidentiality and integrity of ePHI.
In the October 2017 issue of Cybersecurity Newsletter, OCR emphasized the risk of using mobile devices for creating, receiving, storing or transmitting ePHI. An organization-wide risk analysis is recommended for HIPAA covered entities to develop a risk management plan covering security risks on mobile devices. The risks of using these gadgets should be assessed and reduced to an acceptable level. OCR also gave the following reminders associated with the use of mobile devices:
- All staff must know and follow the policies of covered entities regarding the use of mobile devices. Some entities actually prohibit using mobile devices to create, receive, maintain or transmit ePHI.
- The risk associated with mobile devices is not limited to the loss or theft of the devices. There are also risks in accessing or sending ePHI over unsecured Wi-Fi networks, accessing or sharing ePHI via file sharing apps, or viewing ePHI stored in the cloud.
- Covered entities must make sure to change default settings on mobile devices and healthcare employees must be taught the best practices in using the devices.