Mobile devices have the potential to improve efficiency in the healthcare industry, which in turn increases workforce productivity and reduces operational costs. However, tablets, smartphones, laptops and other portable networked devices also introduce new security risks, and can give attackers an easy entry point into a healthcare network.
Banning mobile devices from the workplace is no longer a feasible option. The only realistic choice for healthcare providers and other HIPAA covered entities is to use the devices for their benefits while mitigating the risks they introduce as far as is practical.
Mobile Devices Carry a High Risk of PHI Exposure
Mobile devices carry a high risk of accidental PHI exposure. They are routinely used to connect to healthcare networks and view PHI, and PHI is often stored on the devices themselves. Because they are portable, they are also easily lost or stolen.
They are also used to connect to healthcare networks over insecure public Wi-Fi, and users frequently install apps that contain serious security vulnerabilities. Healthcare providers that operate Bring Your Own Device (BYOD) schemes can struggle to retain control of the devices and to ensure that employees follow the organization's mobile usage policies.
With hundreds or thousands of mobile devices permitted to connect to a network, it is only a matter of time before any security vulnerabilities that are allowed to persist are exploited.
HIPAA Compliance Starts with a Risk Assessment
Mobile devices introduce new data security risks, so unless a comprehensive risk assessment is performed, security holes are likely to go undetected. A risk assessment is a requirement of the HIPAA Security Rule, and the Department of Health and Human Services' Office for Civil Rights (OCR) is currently cracking down on organizations that fail to conduct this most basic of data security measures.
With hackers targeting healthcare organizations for the data they hold, a failure to look thoroughly for security vulnerabilities is likely to be classed as willful neglect of the HIPAA Rules, the penalty tier that attracts the highest fines. OCR has recently issued financial penalties to two organizations for failing to conduct a comprehensive risk assessment.
Mobile Device Risk Management
Have you performed a risk assessment recently? Are you confident the risk of a data breach via healthcare mobile devices has been mitigated?
Healthcare Mobile Device Security Risks
Common mobile device security risks, and the risk management strategies that address them, are summarized in the infographic below.