Keeping PHI secure on a mobile device

HIPAA requires that healthcare organizations and other covered entities, together with their Business Associates (BAs), protect the privacy of their patients’ PHI (Protected Health Information) at all times. To do so, they must adhere to HIPAA’s Privacy Rule and Security Rule.

The HIPAA Privacy Rule: “requires appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The Rule also gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections.”  – www.hhs.gov

The HIPAA Security Rule: “establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.” – www.hhs.gov

The rules are clear, but HIPAA compliance is anything but simple. The Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data by Ponemon reveals that the majority of healthcare organizations have experienced multiple data breaches, and that most lack the funds and resources needed to manage the threats effectively, whether that means stopping preventable internal errors, cyber attacks, or other external dangers.

While external threats still dominate, internal causes are a growing concern. In fact, 36% of healthcare organizations and 55% of BAs named unintentional employee action as a breach cause. The study also revealed that healthcare organizations are significantly concerned about mobile device insecurity, BYOD (Bring Your Own Device), and the security of mobile apps.

With mobile devices now commonplace in most healthcare organizations, the risk of PHI being compromised grows. Covered entities must therefore ensure employees take the necessary steps to protect PHI on their mobile devices, starting with the following:

  • Put devices on lockdown: Require employees to use strong passcodes (and to change them promptly if a passcode may have been exposed) as the means of authentication, and ensure auto-lock is enabled after a short period of inactivity, to minimize the risk of an unauthorized user gaining access to a device that is lost, stolen, or left unattended. Note that a lock screen only protects stored data if the device’s storage is encrypted; on current iOS and Android devices the storage encryption keys are tied to the passcode, so a weak or absent passcode undermines the encryption as well.
  • Check apps before allowing download: Even legitimate-looking mobile applications can carry malware or leak data through excessive permissions. Vet applications before allowing employees to install them: permit installs only from the official app stores, compare the permissions an app requests against what it actually needs, and be wary of any app that handles PHI without stating how it stores and transmits that data.
  • Put a stop to email: Email is a poor fit for PHI, both because messages are usually not encrypted end to end and because of the potential for human error; sending a message to the wrong recipient is more likely on a mobile device, where screens are small and time is short. Email account password management can also be a problem, as many users fail to follow best practice when choosing passwords they believe to be secure. To avoid putting patients’ PHI at risk, organizations should avoid using email to exchange patient information, and instead opt for a HIPAA-compliant alternative, such as a secure fax platform or a purpose-built mobile messaging application.
  • Avoid unsecured networks: On public Wi-Fi, anyone on the same network (or running a rogue access point with a familiar name) can intercept traffic that is not encrypted, so it is crucial to educate employees on the dangers of browsing the web or using applications while out and about. As a precaution, users should configure their devices to ask for permission before joining unrecognized networks rather than auto-joining them, and to forget public networks after use.

Mobile devices offer healthcare professionals a convenient way of communicating with colleagues and patients, but this convenience should not come at the expense of security. Loss and theft of mobile devices are a major threat in the healthcare industry, so the onus is on organizational leaders to ensure employees are doing everything they can to keep their devices, and the PHI on them, safe and secure.