
Cybersecurity Best Practices for Travelling Healthcare Professionals

In its December cybersecurity newsletter, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) offered cybersecurity best practices for travelling healthcare professionals to help them prevent malware infections and the exposure of patients’ protected health information (PHI).

Many healthcare professionals will be travelling to see their families over the holidays and will be taking work-issued devices with them on their travels, which increases the risk to the confidentiality, integrity, and availability of PHI.

Using work-issued laptops, tablets, and mobile phones in the office or at home offers some protection from cyberattacks and malware infections. Using the same devices to connect to the Internet at cafes, coffee shops, hotels, and other public Wi-Fi access points increases the risk of a malware infection or man-in-the-middle attack. Even charging portable devices via public USB charging points at hotels and airports can result in malware being transferred to the device.

Malware and cyberattacks can do more than expose the data stored on the device: login credentials can be stolen, leading to a substantial data breach, and malware can be carried onto your organization’s network when you return to work and reconnect the device.

Ensure Travel is Covered in Your Risk Analysis

HIPAA-covered entities and business associates must conduct a risk analysis to identify all risks to the confidentiality, integrity, and availability of PHI. The risk analysis must include the risks when healthcare professionals travel, be it on holiday or for business trips. Vulnerabilities and risks identified by the risk assessment must then be managed and reduced to an acceptable and appropriate level through a HIPAA-compliant risk management process.

OCR’s Suggested Cybersecurity Best Practices for Travelling Healthcare Professionals

The following cybersecurity best practices for travelling healthcare professionals are particularly relevant during the holiday season, but apply whenever work-issued devices are removed from the protection of a secured network.

Healthcare organizations that permit healthcare employees to remove work-issued devices should incorporate these cybersecurity best practices into their training programs and ensure all healthcare employees are made aware of the additional risks when travelling and how they can manage those risks.

Leave Portable Devices at the Office or at Home

If you don’t really need to take a work-issued device with you, leave it at home or at the office and make sure it is secured.

Ensure Devices are Fully Patched

All portable devices should be kept patched and up to date, although this becomes even more important when travelling and connecting to public Wi-Fi hotspots. Software, mobile apps, and operating systems should be updated to the latest versions.

Secure the Devices Using Strong Passwords

All devices should be secured with strong passwords. OCR suggests passwords should be more than 10 characters and should include numbers, letters (upper and lower case) and symbols. Passphrases can be used as they are difficult to guess but easy to remember. Multi-factor authentication should also be used if possible.

Activate Additional Security Controls

Activate additional security controls such as fingerprint readers on mobile phones to prevent data and account access in the event of loss or theft. This can buy you more time to secure accounts and change passwords if your device is stolen.

Encrypt all Sensitive Data on Your Devices

OCR suggests that laptop computers should have full disk encryption so that data cannot be accessed in the event of loss or theft, and that data should be removed from portable devices if it is not required for the trip.

Create Multiple Backups of Files

It is essential that data can be recovered in the event of loss or theft of a portable device or a ransomware attack. Multiple backups should ideally be created on another device with a copy also stored securely in the cloud.

Bring Portable Chargers, Power Cords and Adaptors

Connecting to public charging points in airports and hotels can easily introduce malware. Avoid USB charging points, and charge devices using a portable charging pack or by plugging into the mains supply. If charging ports must be used, only connect after devices have been powered down.

Avoid Public Wi-Fi Hotspots

Avoid all public Wi-Fi networks as they are unlikely to be secure. If you do need to connect to Wi-Fi when travelling, always connect to the Internet via a VPN.

Turn Off Auto Connect for Bluetooth and Wi-Fi

Ensure your portable devices do not automatically connect to Wi-Fi networks and turn off Bluetooth connectivity.

Use Different PINs

Always use a unique PIN for each of your devices. Never reuse a device PIN anywhere else, such as on the hotel safe.

Never Leave Devices Unprotected

If you cannot lock a portable electronic device in a safe, take it with you. Any possible hiding spot in a hotel room will be checked by thieves. Devices should only ever be taken in hand luggage, never packed in a case that is put in the hold.

Use Geo-Location with Care

While geolocation services have their uses, they can also alert thieves that you are not at home. Consider turning off these services on social media networks when you are away, and avoid posting photos taken on your travels until you return home.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.