Secure mobile devices for HIPAA compliance
Patient data is in jeopardy when mobile devices aren't secure. Mobile devices aren’t just for personal use anymore; both company-issued and personal devices are used at the enterprise level to conduct company business in all sectors, healthcare included. A person would be hard-pressed not to find smartphones, tablets, and laptops in every healthcare facility in the nation.
I am regularly asked if HIPAA permits the use of mobile devices in a working healthcare setting. The Department of Health and Human Services (HHS), in FAQ 2801, states that mobile devices can be used, “as long as appropriate physical, administrative, and technical safeguards are in place to protect the confidentiality, integrity, and availability of the ePHI.”
Here are the steps you can take to use mobile devices at your healthcare practice in a HIPAA-compliant manner:
Define your mobile device policy
Before we get to the steps you can take to secure mobile devices, let’s discuss the policy behind mobile device use in your organization. This should be a conscious decision that is well documented and included in your risk assessment. Ask the following questions:
- Can we restrict access to ePHI to a small subset of mobile devices?
- What are the risks associated with using mobile devices in our organization?
- Do we have a mobile device usage policy in place and are we following it?
- Are workforce members trained to securely use mobile devices?
Make sure you address the question of workforce members using their personal mobile devices to access ePHI. Personal devices carry higher risk because the organization does not control what else is installed on them or who else uses them, so you must be prepared either to implement adequate security measures for personal devices or to prohibit their use for ePHI.
How to secure your mobile device
Once your policies have been defined, any mobile devices used to access ePHI must be secured. The Office of the National Coordinator for Health Information Technology (ONC) offers excellent advice for securing mobile devices on the HealthIT.gov site. I’ll list their main points here and expand on them with practical details.
Step 1: Use a password or other user authentication
Passwords, PIN codes, fingerprints, facial recognition: there are many ways to lock a mobile device. It’s important not to leave a mobile device open for anyone to use, because mobile devices are relatively easy to steal. You want to make sure that if a device walks away, it can’t be accessed. Pair the lock with a short inactivity timeout and a cap on failed unlock attempts; a passcode that never engages, or that can be guessed indefinitely, offers little protection.
Step 2: Install and enable encryption
A password alone won’t protect information on a mobile device if that device is in the hands of someone with the right tools and knowledge. Encryption ensures that even if a malicious actor gains physical access to the device or its storage, they won’t be able to read the ePHI stored on it. Keep in mind that on current smartphones and tablets the storage encryption key is protected by the device passcode, so Steps 1 and 2 work together: encryption with no passcode, or with a trivially guessable PIN, is easily defeated.
Step 3: Install and activate remote wiping and/or remote disabling
Expect that mobile devices will be stolen or lost. As careful as their users might be, the highly portable nature of mobile devices means that theft or loss is very difficult to avoid. Remote wiping, disabling, or both can limit the damage if the worst happens. Note that a wipe command only takes effect when the device next connects to the network, so a thief who puts the device in airplane mode before you react never receives it; remote wipe supplements Steps 1 and 2 rather than replacing them. Require workforce members to report a lost device immediately so the command is queued as early as possible.
Step 4: Disable and do not install or use file sharing applications
Peer-to-peer file sharing applications expose mobile devices to malware and can give unauthorized users a path onto the device. They also make it easy for ePHI to leave the device without anyone noticing.
Step 5: Install and enable a firewall
Personal firewalls on mobile devices can restrict malicious traffic, but only if they are configured properly. As you install and enable security controls, take the time to understand what protections are offered by various configuration settings.
Step 6: Install and enable security software
Security software typically protects against various types of malware, such as viruses and ransomware. Security software is available for all types of mobile devices, including smartphones.
Step 7: Keep your security software up to date
Security software needs to be kept up to date to stay ahead of the ever-evolving threat landscape. Likewise, security updates that are released for operating systems and other types of software are necessary because they are usually released to mitigate the risks associated with newly discovered vulnerabilities. Staying on top of security updates is my top priority for most organizations.
Step 8: Research mobile applications (apps) before downloading
Every application installed on a mobile device increases the potential for introducing vulnerabilities to that device. If an application isn’t required for an approved business function, it should not be installed. All applications should be approved before use.
Step 9: Maintain physical control
As mentioned earlier, mobile devices are prone to theft and loss. Include physical control concerns in your risk assessments so you can put security controls in place that mitigate physical security concerns in your organization. Make sure you train workforce members in proper physical security procedures.
Step 10: Use adequate security to send or receive health information over public Wi-Fi networks
Public Wi-Fi is notoriously vulnerable to eavesdropping and rogue access point attacks. Require a VPN, or applications that protect ePHI end to end with TLS, whenever a device is off the organization's network, or restrict mobile devices to use on trusted networks only.
Step 11: Delete all stored health information before discarding or reusing the mobile device
Ideally, you should never store ePHI on mobile devices. There are many options for using mobile devices to access ePHI that is located on a secure server without having to download it to the device. However, if your organization’s policies allow ePHI to be downloaded onto mobile devices, you must have policies and procedures in place to securely delete that data at appropriate intervals and prior to discarding or reusing the device. On a device whose storage is encrypted, a factory reset destroys the encryption key and renders the remaining data unrecoverable (a cryptographic erase); on unencrypted storage, a simple delete leaves the data recoverable, so verify that the device was encrypted before relying on a reset.
Keep in mind that security controls are better when they are centrally managed because you can ensure consistency and have a single place to evaluate devices for potential vulnerabilities.
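As an added example that is not part of the original article or of ONC's guidance, the following Python script shows what that central evaluation looks like in practice: it checks a constructed MDM inventory export against a policy covering the steps above and reports per-device findings. The record fields, the app identifiers, the OS version floors and the dates are assumptions chosen for illustration; real MDM exports use vendor-specific schemas, and the thresholds should come from your own risk assessment.

```python
"""Fleet compliance check for mobile devices that access ePHI (added example).

Evaluates a constructed inventory against a policy mirroring the steps above.
Field names, app identifiers and thresholds are assumptions, not a real schema.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Policy thresholds (assumed for illustration; derive yours from the risk assessment).
POLICY = {
    "min_os": {"ios": (17, 0), "android": (13, 0)},                  # step 7: patched OS
    "min_av_definitions": datetime(2024, 6, 1, tzinfo=timezone.utc),  # step 7: current security software
    "max_checkin_age": timedelta(days=7),                              # steps 3/7: still reachable
    "max_inactivity_minutes": 5,                                       # step 1: auto-lock
    "max_failed_attempts": 10,                                         # step 1: brute-force cap
    "blocked_apps": {"com.example.p2pshare", "com.example.torrentbox"},   # step 4 (hypothetical ids)
    "approved_apps": {"com.example.ehrclient", "com.example.securemail"},  # step 8 (hypothetical ids)
}

@dataclass
class Device:
    device_id: str
    platform: str                      # "ios" or "android"
    os_version: str                    # e.g. "17.4.1"
    passcode_set: bool
    inactivity_lock_minutes: Optional[int]
    failed_attempt_limit: Optional[int]
    storage_encrypted: bool
    remote_wipe_enrolled: bool
    av_definitions_date: Optional[datetime]
    last_checkin: datetime
    installed_apps: List[str] = field(default_factory=list)

def parse_version(text: str) -> Tuple[int, ...]:
    """'17.4.1' -> (17, 4, 1). Tuples compare numerically; strings would rank '9' above '17'."""
    return tuple(int(p) for p in text.split("."))

def evaluate(dev: Device, policy=POLICY, now: Optional[datetime] = None) -> List[str]:
    """Return policy findings for one device; an empty list means it may access ePHI."""
    now = now or datetime.now(timezone.utc)
    findings: List[str] = []
    # Step 1: a lock, plus the two settings a passcode alone does not give you.
    if not dev.passcode_set:
        findings.append("step1: no passcode/biometric lock")
    else:
        if dev.inactivity_lock_minutes is None or dev.inactivity_lock_minutes > policy["max_inactivity_minutes"]:
            findings.append("step1: auto-lock timeout missing or too long")
        if dev.failed_attempt_limit is None or dev.failed_attempt_limit > policy["max_failed_attempts"]:
            findings.append("step1: no cap on failed unlock attempts")
    if not dev.storage_encrypted:                       # step 2
        findings.append("step2: storage not encrypted")
    if not dev.remote_wipe_enrolled:                    # step 3
        findings.append("step3: not enrolled for remote wipe")
    for app in dev.installed_apps:                      # steps 4 and 8: blocklist, then allowlist
        if app in policy["blocked_apps"]:
            findings.append(f"step4: file sharing app installed: {app}")
        elif app not in policy["approved_apps"]:
            findings.append(f"step8: unapproved app installed: {app}")
    if dev.av_definitions_date is None:                 # steps 6 and 7
        findings.append("step6: no security software reporting")
    elif dev.av_definitions_date < policy["min_av_definitions"]:
        findings.append("step7: security software definitions out of date")
    floor = policy["min_os"].get(dev.platform)
    if floor is None:
        findings.append(f"step7: unsupported platform {dev.platform}")
    elif parse_version(dev.os_version) < floor:
        findings.append(f"step7: OS {dev.os_version} below minimum {'.'.join(map(str, floor))}")
    # A device that stopped checking in can receive neither updates nor a wipe command.
    if now - dev.last_checkin > policy["max_checkin_age"]:
        findings.append("step3/7: device has not checked in; remote wipe and updates unreachable")
    return findings

def evaluate_fleet(devices: List[Device], policy=POLICY, now: Optional[datetime] = None) -> Dict[str, List[str]]:
    return {d.device_id: evaluate(d, policy, now) for d in devices}

# Constructed inventory export (not real devices).
NOW = datetime(2024, 7, 1, tzinfo=timezone.utc)
FLEET = [
    Device("phone-001", "ios", "17.5.1", True, 2, 10, True, True,
           datetime(2024, 6, 28, tzinfo=timezone.utc), NOW - timedelta(days=1), ["com.example.ehrclient"]),
    Device("tab-002", "android", "12.0", True, 30, None, True, False,
           datetime(2024, 3, 1, tzinfo=timezone.utc), NOW - timedelta(days=2),
           ["com.example.ehrclient", "com.example.p2pshare", "com.example.game"]),
    Device("phone-003", "ios", "17.5.1", False, None, None, True, True, None, NOW - timedelta(days=20)),
]

if __name__ == "__main__":
    for dev_id, findings in evaluate_fleet(FLEET, now=NOW).items():
        print(dev_id, "COMPLIANT" if not findings else "; ".join(findings))
```

The order of checks is deliberate: a missing passcode makes the encryption finding moot, so the auto-lock and attempt-cap checks are only reported when a passcode exists, and the stale check-in finding is listed separately because it invalidates the assumption behind Step 3 (that a wipe command will ever arrive). Feed the output into whatever gate grants ePHI access, such as conditional access in your identity provider, rather than only into a report.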
NIST Guidelines for mobile devices
Once you have the basics in place, consider going further with your security controls. The National Institute of Standards and Technology (NIST) has released the following guidelines that can be used to secure patient information on mobile devices:
- NIST SP 1800-1 Securing Electronic Health Records on Mobile Devices
- NIST SP 800-124 r2 (Draft) Guidelines for Managing the Security of Mobile Devices in the Enterprise