Mobile Devices Under HIPAA Rules: Will Geofencing Boost Data Security?

Making healthcare mobile devices secure is a challenge faced by all healthcare providers. It is essential, under HIPAA Rules, to ensure that all medical devices – and the data they contain – are safeguarded and protected against misuse. However, the view from IT professionals is that device users are not being as careful as they should be.

According to a recent Cisco Systems report, IT professionals believe that employees are engaging in highly risky behaviors that are potentially putting personal and healthcare data at risk. The report indicates that 70% of IT professionals believe that data breaches have been caused by the use of unauthorized programs in more than 50% of cases. The survey also indicates that 44% of employees are sharing work devices against company policies, while almost four out of 10 respondents have said that they have had to deal with employees who have accessed parts of a network that they were not authorized to enter.

Perhaps even more worrying is the fact that 46% of employees admitted to transferring data from a work device to a personal computer to allow them to work from home. In the case of healthcare professionals, this action could well result in a violation of HIPAA Privacy and Security Rules.

Improving Healthcare Data Security: Is Geofencing the Answer?

Geofencing is a technique that can be used to improve healthcare data security by limiting both the information that individuals can access on devices and the physical locations where access is permitted. A geo-fence is a virtual perimeter, applied in software, that corresponds to a geographical boundary in the real world. Virtual boundaries can be set using Global Positioning System (GPS) signals or Radio Frequency Identification (RFID).

In a healthcare environment, geofencing could allow IT professionals to exercise greater control over PHI and where it can be accessed. For example, a laptop computer that is used in a hospital can have a geo-fence installed which will only allow PHI to be accessed within the boundaries of the building. If that laptop is taken out of the hospital, administrators will be able to remotely – and automatically – prevent hospital systems from being accessed.

It is also possible to set up multiple geofences to allow devices to be used in any hospital run by a healthcare provider, or even to include physicians’ homes within the fences. In addition to limiting the physical locations where data can be accessed, it is also possible to use the technique to track employee devices, restrict the applications that can be used and the websites that can be visited, or for access to be restricted to specific working hours.

According to Roman Foeck, the founder and CEO of CoSoSys – a company that employs geofencing – the system is not infallible, as it is possible to fool the GPS and therefore get around the perimeters applied by healthcare IT professionals. In the case of CoSoSys, this issue was tackled by the use of other beacons in addition to a GPS signal, such as Wi-Fi or Bluetooth. Foeck says, “If you rely on a second factor — like proximity to some other devices, such as secure beacons that act as tokens — that cannot be spoofed.”
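An added example (not CoSoSys code and not part of the original article) of an access decision that combines the controls described above: multiple geofences, a working-hours window, and a short-lived beacon token as a second factor, so that reported GPS coordinates alone never grant access to PHI. The coordinates, radii, hours, keys, and the `beacon_token` and `decide` names are constructed assumptions.

```python
import hashlib, hmac, math
from datetime import datetime, time

# Constructed sample policy: every value below is an assumption for illustration.
FENCES = {"main_hospital": (40.7420, -73.9750, 250.0),  # lat, lon, radius (m)
          "clinic_east": (40.7600, -73.9500, 150.0)}
WORK_HOURS = (time(7, 0), time(19, 0))
BEACON_KEYS = {"main_hospital": b"constructed-demo-key-1",
               "clinic_east": b"constructed-demo-key-2"}
MAX_TOKEN_AGE_S = 30  # beacon tokens older than this are rejected

def distance_m(lat1, lon1, lat2, lon2):
    """Great-circle (haversine) distance in metres."""
    r = 6371000.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp, dl = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))

def beacon_token(site, device_id, ts):
    """Token a hypothetical on-site beacon hands to a device in radio range."""
    msg = f"{site}|{device_id}|{int(ts)}".encode()
    return hmac.new(BEACON_KEYS[site], msg, hashlib.sha256).hexdigest()

def decide(device_id, lat, lon, now, token=None, token_ts=None):
    """Return (allowed, reason). Every check must pass; the default is deny."""
    site = next((s for s, (flat, flon, rad) in FENCES.items()
                 if distance_m(lat, lon, flat, flon) <= rad), None)
    if site is None:
        return False, "outside all geofences"
    if not (WORK_HOURS[0] <= now.time() <= WORK_HOURS[1]):
        return False, "outside working hours"
    if token is None or token_ts is None:
        return False, "no beacon token (GPS alone is not trusted)"
    if abs(now.timestamp() - token_ts) > MAX_TOKEN_AGE_S:
        return False, "stale beacon token"
    if not hmac.compare_digest(token, beacon_token(site, device_id, token_ts)):
        return False, "beacon token invalid for this site"
    return True, f"inside {site}"

if __name__ == "__main__":
    now = datetime(2024, 3, 5, 10, 0, 0)
    tok = beacon_token("main_hospital", "laptop-17", now.timestamp())
    print(decide("laptop-17", 40.7421, -73.9751, now, tok, now.timestamp()))
    print(decide("laptop-17", 40.7421, -73.9751, now))  # in-fence GPS, no beacon
```

The second call shows the case Foeck describes: coordinates inside the fence are denied when no beacon token accompanies them.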

Provided the privacy and security concerns are addressed and geofencing can be made secure – and infallible – the benefit to the healthcare industry could be considerable. Geofencing could potentially prevent many HIPAA breaches from occurring, especially in the case of lost or stolen mobile healthcare devices.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.