HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Have You Mitigated Your Mobile Device Security Risks?

Mobile devices have the potential to improve efficiency in the healthcare industry, which in turn leads to increased workforce productivity and a reduction in operational costs. However, tablets, smartphones, laptops and other portable networked devices also introduce new security risks, and can give attackers an easy entry point into a healthcare network.

Unfortunately, banning the use of mobile devices in the workplace is no longer a feasible option. The only choice for healthcare providers and other HIPAA covered entities is to leverage the benefits of the devices, while mitigating the risks they pose, as far as is practical and possible.

Mobile Devices Carry a High Risk of PHI Exposure

Mobile devices carry a high risk of accidental PHI exposure. In many cases the devices can be used to connect to healthcare networks and view PHI, and data can also be stored on the devices themselves; however, because they are portable, they are also easily lost or stolen.

They can also be used to connect to healthcare networks over insecure public Wi-Fi, and apps containing serious security vulnerabilities are often downloaded to the devices. Healthcare providers operating Bring Your Own Device (BYOD) schemes can struggle to retain control of the devices and to ensure employees adhere to company mobile usage policies.


With hundreds or thousands of mobile devices allowed to connect to a network, it is only a matter of time before security vulnerabilities are exploited by criminals if those vulnerabilities are allowed to persist.

HIPAA Compliance Starts with a Risk Assessment

Mobile devices introduce new data security risks, so unless a comprehensive risk assessment is performed, security holes are likely to go undetected. A risk assessment is a requirement of the HIPAA Security Rule, and the Department of Health and Human Services’ Office for Civil Rights (OCR) is currently cracking down on organizations that fail to conduct this most basic of data security measures.

With hackers targeting healthcare organizations for the data they hold, a failure to look thoroughly for security vulnerabilities is likely to be classed as willful disregard of the HIPAA Rules. OCR has recently issued financial penalties to two organizations for failing to conduct a comprehensive risk assessment.

Mobile Device Risk Management

Have you performed a risk assessment recently? Are you confident the risk of a data breach via healthcare mobile devices has been mitigated?

Healthcare Mobile Device Security Risks

Common risk management strategies and common mobile device security risks have been summarized in the infographic below.


Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.