Mobile Data Security and HIPAA Compliance
Healthcare providers and other HIPAA-covered entities have embraced the mobile technology revolution and are allowing the use of Smartphones, tablets, and other portable devices in hospitals, clinics and other places of work; however, if mobile data security measures are insufficient, covered entities are at risk of violating HIPAA regulations. If that occurs, heavy fines can follow.
HIPAA and Mobile Devices and the Healthcare Industry
Many healthcare organizations choose to leverage the benefits of mobile devices while keeping costs to a minimum. Bring Your Own Device (BYOD) schemes are introduced that permit physicians, nurses and other healthcare workers to bring their own personal devices and use them at work. Others opt to supply mobile healthcare devices to staff, deeming it easier to maintain control and protect their networks.
Any HIPAA covered entity that chooses to use mobile devices in the workplace must implement and enforce a HIPAA mobile device policy to protect patient health data accessed through the device, stored on it, or transmitted by it. Unfortunately, while mobile healthcare devices are convenient, they are not without their risks. With hundreds or thousands of mobile devices now requiring access to a healthcare network, it is no surprise that mobile data security and HIPAA compliance have become two of the biggest concerns for CIOs, CISOs, Compliance Officers and health IT professionals.
Mobile Devices are a Potential Minefield of HIPAA Violations
Even if mobile devices are secured, there is considerable potential for the users of those devices to violate HIPAA rules or company policies – and not necessarily on purpose. There have been many recorded HIPAA violations in which the unauthorized exposure of PHI was accidental. Without adequate controls, devices could be compromised, and the electronic Protected Health Information (ePHI) stored on them exposed. There is also considerable potential for Smartphones, tablets and laptops to be targeted by cybercriminals, who view them as an easy entry point into healthcare networks.
Mobile healthcare devices often lack robust security controls, the devices are used to connect to networks via public Wi-Fi, and there is considerable potential for theft or loss. If patient privacy violations and HIPAA penalties are to be avoided, it is essential that mobile data security risks are thoroughly assessed and addressed.
Mobile Data Security: HIPAA Compliance Basics
One of the main aims of HIPAA legislation is to protect the privacy of patients and health plan members. HIPAA regulations force healthcare organizations and individual care providers to adopt a minimum set of standards to protect the privacy of patients and keep data secure.
Robust mobile data security and HIPAA compliance are not optional: failure to comply with HIPAA regulations is likely to be costly. Fines of up to $1.5 million – per violation category, per year that the violation has been allowed to persist – can be issued by the Department of Health and Human Services’ Office for Civil Rights. Other federal agencies can issue fines, as can state attorneys general. There is also the considerable cost of a breach response to cover if data is potentially exposed.
HIPAA Security Rule: Risk Assessments
One of the most fundamental elements of mobile data security is the risk assessment, a mandatory requirement under the HIPAA Security Rule. It is possible to construct robust security defenses by incorporating all of the standard defense measures: firewalls, anti-virus protection, anti-malware programs, authentication and password controls, etc.; however, unless a full risk assessment has been conducted, it is impossible to know whether security vulnerabilities remain.
A risk assessment must cover the entire IT infrastructure; company policies; administrative processes; physical security controls, and all systems and equipment capable of storing, transmitting or touching ePHI. The HHS offers a risk assessment tool to assist in this regard.
As hackers find new ways to exploit networks and mobile devices to steal data, healthcare organizations must work at maintaining and improving security defenses. They must address new vulnerabilities that are inadvertently introduced, or develop over time as equipment and software ages. Risk assessments must therefore be conducted regularly.
HIPAA Security Rule: Technical Safeguards for Mobile Devices
In the HHS’ HIPAA Security Series Guidelines, covered entities are informed that they “must consider the use of encryption for transmitting ePHI, particularly over the Internet.”
HIPAA-covered entities must also “Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.”
It is not mandatory to encrypt data at rest; however, covered entities should bear in mind the advice given in the HHS Security guidelines regarding data in motion: “As business practices and technology change, situations may arise where ePHI being transmitted from a covered entity would be at significant risk of being accessed by unauthorized entities.”
The HHS Guidelines go on to say, “Where risk analysis shows such risk to be significant, a covered entity must encrypt those transmissions under the addressable implementation specification for encryption.”
If covered entities allow the transmission of ePHI over an open network, such as via SMS messages, this would violate HIPAA rules. The SMS network is far from secure, and the potential for ePHI being intercepted is high. To avoid a HIPAA violation and reduce the probability of a data breach, ePHI should only be transmitted via a secure channel with end-to-end encryption.
Data Access, Integrity and Audit Controls for Mobile Devices
HIPAA requires covered entities “to implement technical policies and procedures that allow only authorized persons to access Protected Health Information.” If mobile devices are used to access, store or transmit ePHI, they must have access controls in place to authenticate the user. Multi-layered security controls should be implemented to reduce the risk of unauthorized data access.
Any data stored on a mobile device – or transmitted by it – must have protections in place to ensure the data cannot be altered or destroyed, and controls must be put in place to allow devices to be audited. It must be possible to examine access to ePHI (and attempted access), and any other activity performed on the device that has the potential to affect data security.
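As an added example (not code from the original article), the access, integrity and audit controls described above can be implemented on the device as a role check whose every decision, allowed or denied, is written to a tamper-evident, HMAC-chained audit log that can later be verified; the roles, device key and record layout are constructed assumptions.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed example: per-device secret that chains the audit records; on a real
# device it would live in the hardware-backed keystore (placeholder value here).
DEVICE_AUDIT_KEY = b"placeholder-device-audit-key"
AUTHORIZED_ROLES = {"physician", "nurse"}  # constructed roles allowed to open ePHI

def _record_mac(prev_mac, record):
    """MAC over the previous record's MAC plus this record, forming a chain."""
    payload = prev_mac.encode() + json.dumps(record, sort_keys=True).encode()
    return hmac.new(DEVICE_AUDIT_KEY, payload, hashlib.sha256).hexdigest()

class EphiAuditLog:
    """Append-only audit trail of ePHI access attempts; each entry is chained to
    its predecessor so any edit to or reordering of stored records is detected."""
    def __init__(self):
        self.entries = []  # each entry: {"record": {...}, "mac": "<hex digest>"}

    def append(self, user, role, patient_id, action, allowed):
        record = {
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user, "role": role, "patient": patient_id,
            "action": action, "allowed": allowed,
        }
        prev = self.entries[-1]["mac"] if self.entries else ""
        self.entries.append({"record": record, "mac": _record_mac(prev, record)})

    def verify(self):
        """Recompute the chain; False if any record was altered or reordered."""
        prev = ""
        for entry in self.entries:
            if not hmac.compare_digest(entry["mac"], _record_mac(prev, entry["record"])):
                return False
            prev = entry["mac"]
        return True

    def attempts(self, patient_id):
        """All access attempts (allowed and denied) against one patient record."""
        return [e["record"] for e in self.entries if e["record"]["patient"] == patient_id]

def access_ephi(log, user, role, patient_id, action="view"):
    """Role-based access check; the decision and the attempt are always logged."""
    allowed = role in AUTHORIZED_ROLES
    log.append(user, role, patient_id, action, allowed)
    return allowed
```

Verification catches altered or reordered records; detecting removal of the newest records additionally requires keeping the latest MAC somewhere the device cannot silently overwrite, such as the server the log is synced to.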
Provided the appropriate security controls are put in place, the use of mobile devices in healthcare has huge potential to improve efficiency, productivity, reduce operational costs, as well as improve patient outcomes. The key is to make sure the devices do not place patient privacy at risk or provide criminals with an easy access point into the network.
Mobile Data Security: HIPAA Compliance Tips