The convenience of mobile devices has revolutionized healthcare. Improvements in efficiency and enhanced patient satisfaction are changing the dynamics of an industry traditionally slow to embrace modern technology. Yet these benefits come with significant risk. Recent research from Verizon indicates that multiple industries are increasingly concerned about security threats arising from mobile device management. Thirty-five percent of healthcare industry respondents to the survey indicated they had experienced downtime and data loss due to a mobile device security incident, and 22% identified a major security breach with long-term fallout.
Hospitals must identify how, when, by whom, and where mobile devices are used and implement a HIPAA-compliant policy governing the way their patients’ e-PHI (electronic protected health information) is handled.
e-PHI & HIPAA
To address the larger issue with keeping e-PHI protected on a mobile device, healthcare providers must look at the way sensitive data is shared and stored in their organization.
The agency in charge of enforcing the HIPAA Security and Privacy Rules, the Office for Civil Rights (OCR) in the U.S. Department of Health and Human Services, takes the lack of mobile device security seriously. In February 2017, the OCR announced a civil money penalty of $3.2 million against Children’s Medical Center of Dallas based on impermissible disclosure of unsecured e-PHI and non-compliance with many standards of the HIPAA Security Rule. The OCR found a breach of over 6200 individual patient records stored on unsecured mobile devices. The finding stems from a breach report the hospital filed in 2010, when it reported the loss of an unencrypted, non-password-protected BlackBerry.
Mobile Device Risk
The very nature of a mobile device makes it a risky way to handle PHI. It is handheld and mobile, easily stashed in a coat pocket, easily handed off to other users. Risks that translate into e-PHI breaches include:
- Stolen Devices
- Unsecured Devices
- Insecure Apps
- Weak Passwords
- Sharing Devices with Friends and Family
- Unsecured Wi-Fi
- Insufficient Bring-Your-Own-Device (BYOD) procedures
Predictions for 2018
Adding to the complexity of mobile device use in the healthcare industry is the sheer number of devices in use. ReferralMD reported in 2015 that 80% of physicians use smartphones and apps. That number is sure to have grown since 2015, and with more use comes more threats to security.
Predictions for medical device security in 2018 include:
- increased attacks aimed at extortion and malicious disruption
- more opportunities for criminal access to PHI as more devices go online
- more disruptive attacks in the form of denial of service or destroyed data
- “wearables,” such as insulin pumps and pacemakers, becoming more vulnerable to attack
- connected technology for artificial limbs and implants offering additional opportunities for cyber criminals
Safeguarding Your Organization
HIPAA requires a risk assessment, and a complete one includes a review of IT infrastructure, company policies, administrative procedures, physical security controls, and all systems and equipment capable of holding, sending, or touching e-PHI.
The HIPAA Security Rule allows electronic communication but requires covered entities to apply reasonable safeguards to protect e-PHI. Policies should ensure the integrity of e-PHI is not violated, and the Security Rule gives specific advice on how to implement adequate safeguards. Typical safeguard steps include but are not limited to:
Determine mobile device use in your organization, including the use of personal devices and whether encryption, authentication, and physical protections are in place to secure e-PHI. Establish an electronic protocol to ensure e-PHI is not altered or destroyed by unauthorized users. Establish security breach protocols for the protection of e-PHI on mobile devices. Educate staff on authorized access to PHI on an electronic device and on the risk of data breaches.
Keep a tight inventory of mobile devices used in your organization. Store all mobile devices in a secure location when not in use. Install radio frequency identification, RFID, on mobile devices to locate lost or stolen devices. Use remote shut-down tools to remotely lock down a missing device.
Keep anti-malware software updated on all devices, install firewalls where applicable, and encrypt all patient PHI. Use IT backup such as off-site data centers and cloud technology to provide redundancy and continued access to PHI. Use biometric authentication tools, and ensure mobile devices communicate over Hypertext Transfer Protocol Secure (HTTPS), which provides encrypted communication and identification of the network server. Encrypted data is useless to an attacker even if it is intercepted.
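The inventory, encryption, authentication, patching, BYOD and remote lock-down steps above are what a mobile device management (MDM) compliance report checks for. The following is an added example, not code from the original article: the device records, policy thresholds and recommended actions are constructed for illustration.

```python
# Audit a mobile device inventory against the safeguard steps listed above.
# Constructed example: device records and policy values are illustrative.
from dataclasses import dataclass
from datetime import date


@dataclass
class Device:
    device_id: str
    owner: str
    byod: bool            # personal device rather than facility-owned
    byod_approved: bool   # signed BYOD agreement on file
    encrypted: bool       # full-device encryption enabled
    passcode: bool        # PIN / password / biometric lock enabled
    os_version: tuple     # e.g. (14, 2); compared against POLICY["min_os"]
    last_seen: date       # last MDM check-in
    reported_lost: bool = False


# Assumed policy thresholds, not figures from the article.
POLICY = {"min_os": (14, 0), "max_days_silent": 30}


def audit_device(dev, today, policy=POLICY):
    """Return (finding, action) pairs for one device; [] means compliant."""
    if dev.reported_lost:
        # A missing device is locked and wiped before anything else is checked.
        return [("reported lost", "remote lock and wipe; start breach assessment")]
    findings = []
    if not dev.encrypted:
        findings.append(("unencrypted storage", "block e-PHI access until encrypted"))
    if not dev.passcode:
        findings.append(("no passcode", "enforce PIN/biometric lock via MDM"))
    if dev.os_version < policy["min_os"]:
        findings.append(("outdated OS", "require update before next e-PHI access"))
    if dev.byod and not dev.byod_approved:
        findings.append(("unapproved BYOD", "remove EHR access until agreement signed"))
    if (today - dev.last_seen).days > policy["max_days_silent"]:
        findings.append(("not seen by MDM", "locate device; treat as missing if unaccounted"))
    return findings


def audit_inventory(devices, today):
    """Map device_id -> findings for every non-compliant device in the inventory."""
    report = {}
    for dev in devices:
        findings = audit_device(dev, today)
        if findings:
            report[dev.device_id] = findings
    return report


# Constructed sample inventory as of a fixed audit date.
TODAY = date(2018, 3, 1)
INVENTORY = [
    Device("HOSP-001", "dr.lee", False, True, True, True, (14, 2), date(2018, 2, 27)),
    Device("HOSP-002", "nurse.kim", False, True, False, True, (13, 4), date(2018, 2, 28)),
    Device("BYOD-017", "dr.ortiz", True, False, True, False, (14, 0), date(2018, 1, 10)),
    Device("HOSP-009", "admin.ray", False, True, True, True, (14, 2), date(2018, 2, 1), True),
]
```

Running `audit_inventory(INVENTORY, TODAY)` flags three of the four devices, each with the safeguard it violates and the follow-up action; the compliant corporate device produces no entry.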
The key to successful implementation of secure mobile device use in your hospital is frequent employee training on proper electronic security procedures. It is not enough to point them to a policy manual; employees should undergo interactive security training at hiring/orientation and then annually.
At a bare minimum, employees should understand basic mobile device security:
- Authorized Devices
Bring Your Own Device, BYOD, is a practice that is growing in acceptance, but one that healthcare organizations must review very carefully. The risks associated with BYOD can be costly as these devices often fall outside of the normal use of a facility-owned device.
- Operating System & App Updates
Set clear rules for staying current on operating system updates and updates for approved apps. Mobile devices require patches and updates just like computers.
Establish guidelines for Wi-Fi connections, never allowing unsecured connections. Set a protocol for connecting a mobile device to another device: plugging a smartphone into a home computer on an unsecured network can allow attackers to tap PHI. Connect to your EHR via VPN or two-factor authentication.
Use discretion when allowing downloads. Legitimate-looking apps can harbor malware that can cause a data breach.
Demand password, PIN, and biometric authentication on every mobile device.
- Text and Email/Voicemail Use
Warn employees that attackers will try to steal PHI in any way they can. Train them to be suspicious of every contact and to confirm it is legitimate before sharing PHI. If in doubt, advise them to contact the requester directly via a company phone, and never to release Social Security or credit card information via a text message or an unencrypted email.
Cybersecurity is the first line of defense in the protection of protected health information. As technology advances, so will the ways it is used, bringing smarter, faster, and more convenient delivery of patient care. Staying current with your hospital’s management of e-PHI will keep patients, employees, and administration compliant and safe.