Healthcare suppliers and other HIPAA-covered entities have embraced the mobile technology revolution, and are permitting the use of Smartphones, tablets and other portable devices in hospitals, clinics and other places of work; however, if mobile data security measures are insufficient, covered entities are in danger of breaching HIPAA regulations. If that occurs, heavy fines can be applied.
Mobile Devices and the Healthcare Sector
Many healthcare groups choose to leverage the benefits of mobile devices, while keeping costs low. Bring Your Own Device (BYOD) schemes are introduced that allow physicians, nurses and other healthcare workers to bring their own personal devices and use them at work. Other choose to supply mobile healthcare devices to the staff; deeming it easier to maintain control and protect their networks.
Any HIPAA covered entity that opts to use mobile devices in the workplace must put in place a range of controls to protect any patient health data that is accessed through the device, stored on it, or transmitted by it.
Mobile Devices are a Possible Minefield of HIPAA Fines
Sadly, while mobile healthcare devices are convenient, they are not without their dangers. With hundreds or thousands of mobile devices now requiring access to a healthcare organization, it is no surprise that mobile data security and HIPAA compliance have become two of the biggest concerns for CIOs, CISOs, Compliance Officers and health IT workers.
Even if mobile devices are protected, there is considerable potential for the users of those devices to breach HIPAA rules or company policies. Without adequate controls, devices could be compromised, and the electronic Protected Health Information (ePHI) saved on them exposed. There is also considerable potential for Smartphones, tablets and laptops to be attacked by cybercriminals, who view them as an easy entry point into healthcare networks.
Mobile healthcare devices often do not have robust security controls, the devices are used to link up with to networks via public Wi-Fi, and there is considerable potential for theft or loss. If patient privacy breaches and HIPAA penalties are to be avoided, it is vital that mobile data security risks are thoroughly assessed and addressed.
HIPAA Compliance Basics in Relation to Mobile Data Security
One of the main targets of HIPAA legislation is to protect the privacy of patients and health plan subscribers. HIPAA regulations force healthcare groups and individual care providers to adopt a minimum set of standards to protect the privacy of patients and keep data safe.
Robust mobile data security and HIPAA compliance are not optional: Failure to adhere with HIPAA regulations is likely to be expensive. Penalties of up to $1.5 million – per violation category, per year that the violation has been allowed to go on – can be issued by the Department of Health and Human Services’ Office for Civil Rights. Other federal agencies can apply fines, as can state attorneys general. There is also the massive cost of a breach response to cover if data is potentially exposed.
Risk Assessments & HIPAA Security Rule
One of the most basic elements of mobile data security is the risk assessment, a mandatory requirement under the HIPAA Security Rule. It is possible to create robust security defenses by incorporating all of the standard defense measures: Firewalls, anti-virus protection, anti-malware programs, authentication and password controls etc.; however unless a full risk assessment has been completed, it is impossible to know whether security flaws remain.
A risk assessment must cover the whole IT infrastructure; company policies; administrative processes; physical security measures, and all systems and equipment capable of storing, sending or touching ePHI. The HHS offers a risk assessment tool to help with this.
As hackers identify new ways to exploit networks and mobile devices to obtain data, healthcare groups must work at maintaining and enhancing security defenses. They must address new flaws that are inadvertently introduced, or develop over time as equipment and software ages. Risk assessments must therefore be carried out regularly.
Technical Safeguards for Mobile Devices & HIPAA Security Rule
In the HHS’ HIPAA Security Series Guidelines, covered entities are advised that they “must consider the use of encryption for transmitting ePHI, particularly over the Internet.”
HIPAA-covered groups must also “Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.”
It is not mandatory to encrypt data while stationary; however covered entities should remember the advice given in the HHS Security guidelines regarding data in motion: “As business practices and technology change, situations may arise where ePHI being transmitted from a covered entity would be at significant risk of being accessed by unauthorized entities.”
The HHS Guidelines adds: “Where risk analysis shows such risk to be significant, a covered entity must encrypt those transmissions under the addressable implementation specification for encryption.”
If covered entities allow the sharing of ePHI over an open network, such as via SMS messages, this would breach HIPAA rules. The SMS network is far from secure, and the potential for ePHI being intercepted is high. To prevent a HIPAA violation and reduce the probability of a data breach, ePHI should only be shared via a secure channel with end to end encryption.
Mobile Devices: Data Access, Integrity and Audit Controls
HIPAA obligates covered entities “to implement technical policies and procedures that allow only authorized persons to access Protected Health Information.” If mobile devices are used to access, store or share ePHI, they must have access controls in place to authenticate the user. Multi-layered security controls should be put in place to reduce the risk of unauthorized data access.
Any data held on a mobile device – or shared by it – must have protections in place to ensure the data cannot be altered or deleted, and controls must be put in place to allow devices to be audited. It must be possible to review access to ePHI (and attempted access attempts), and any other activity performed on the device that has potential to impact data security.
Provided the proper security controls are implemented, the use of mobile devices in healthcare has huge potential to enhance efficiency, productivity, reduce operational costs, as well as improve patient results. The key is to make sure the devices do not endanger patient privacy or provide criminals with an easy access point into the database.