HIPAA Security & Mobile Devices
Do you need to comply with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) security rules if you’re using mobile devices? If you have a smartphone, laptop or tablet computer and work at a health care covered entity or business associate, you most likely do.
Mobile devices can be used in various ways, and risks can vary widely. You should first identify the scope and scale of how mobile devices are used in your organization.
Scope & Environment
- Who owns the mobile devices?
Organizations may own and control devices, or they may allow users to bring personal devices to use at work. The latter is known as bring your own device (BYOD). Regardless of who owns the device, the organization needs policies, tools and controls to protect any electronic protected health information (ePHI) that the devices may store or access. There should be controls to remove access to sensitive data, e.g., removing data from devices and receiving organization-owned devices back into inventory upon employment termination or other significant changes in duties.
- Does your organization maintain an accurate inventory of devices and their characteristics?
An inventory of organization-owned devices, or BYOD devices approved for work use, should include at least:
  - Laptops, notebooks and netbooks
  - Portable digital assistants
  - Portable Universal Serial Bus devices for storage, i.e., thumb drives, and devices for connectivity (Wi-Fi and modem cards)
  - Digital cameras
- Where will the devices be used?
Some mobile devices are designed for use in health care clinical or administrative settings, including point-of-care interfaces to electronic health record systems or patient appointment and registration devices in admissions. Mobile devices also can include general-purpose devices, e.g., personal smartphones and tablet computers, that may access applications and email servers that could contain ePHI. Where these devices can be used and access ePHI will significantly affect the security risks and related controls.
- Will the device use, or require the use of, a wireless network?
If the devices can connect, or require connection, to the organization’s Wi-Fi networks, it’s vital to have appropriate network protections. Additional security-related questions include:
  - Are the various Wi-Fi networks appropriately segmented, e.g., guest, associate, medical devices, etc.?
  - Are your Wi-Fi routers set up to support the latest wireless security protocols, ideally Wi-Fi Protected Access 2 or other protocols that align with IEEE 802.11 standards?
  - Are there user authentication controls and strong passwords to restrict access to networks?
- Will ePHI be remotely accessed and communicated?
  - Does your organization require a virtual private network (VPN) or other secured method to access and transmit sensitive data?
  - What are the policies regarding text messages? Most text messaging applications aren’t secure, and the telecommunications provider may store this information.
After reviewing these initial questions and guidelines, educate yourself and your organization on the risks associated with mobile devices. Here’s a good start:
- Understand what makes mobile devices vulnerable to attack. The U.S. Government Accountability Office has published a report to Congress called “Information Security: Better Implementation of Controls for Mobile Devices Should Be Encouraged.” This document describes four sources of mobile device attacks. Understanding what activities put mobile devices at risk is essential to your organization’s policies.
- Understand other threats and risks, including cybercriminals, hackers, lost devices, shoulder surfing in public places, inadvertently installed malware, etc. For each identified vulnerability and threat, your organization will need to design the appropriate administrative and technical controls to mitigate the risk.
- Visit HealthIT.gov to learn more about mobile device privacy and security in health care.
In the past two years, the Office for Civil Rights has documented more than 30 HIPAA-breach notifications involving laptops or phones. Many of these instances have led to fines and other actions against health care entities. While mobile devices may make work more efficient and provide valuable services to patients and customers, health care professionals should keep information security at the forefront. Mobile devices will continue to be misplaced, lost or stolen, but organizations and users can take actions to minimize ePHI exposure risks.