Share this article on:
The use of mobile devices has become commonplace in healthcare, with doctors now using mobile phones to communicate with members of care teams and send updates on the status of their patients. iPads and other tablets are also often used by doctors in hospitals when conducting their rounds and physicians and other healthcare professionals use laptop computers and Smartphones when visiting patients to provide homecare services.
The rapid growth of portable devices in healthcare has undoubtedly improved the care that patients receive, yet the extensive use of mobile devices increases the risk of ePHI being accessed by unauthorized personal or being stolen by cybercriminals. Mobile devices are now a major problem area and many healthcare organizations are struggling to implement procedures and policies to ensure all their devices are made HIPAA compliant.
Fortunately, healthcare organizations have been given some help in this regard, with both the Office for Civil Rights and the Office of the National Coordinator having provided guidelines and tips which healthcare professionals can follow to ensure that their devices are made secure and ePHI is properly protected.
The advice has been published on HealthIT.Gov, which lists a series of steps that can be taken to ensure that ePHI is not accidentally disclosed and security holes are effectively plugged. A series of simple measures have been provided, and while many are obvious security measures to take, these security procedures are not being followed by many healthcare organizations. The procedures and practices include the following data security measures:
- Secure all mobile devices with a password – PIN numbers and passwords must be used to prevent access to mobile devices and passwords must be masked while they are typed to prevent unauthorized persons from viewing the passcodes.
- Use data encryption software on all databases containing ePHI and employee data.
Install software that enables a device to be remotely accessed so that data erased in case the device is lost or stolen. As a minimum safety measure mobiles and laptops must have the facility to be remotely disabled in case of loss or theft.
- Disable file sharing – File sharing is a feature of modern operating systems which enable users to easily share data; yet this facility can be a major security hole that leaves laptops and mobile devices wide open to cybercriminals. Data can be accessed and copied without the knowledge of the user if file sharing is enabled.
- Firewalls must be installed on all servers, but also on mobile devices. The firewall must remain active at all times.
- Anti-virus and anti-malware software should be installed to prevent viruses and other harmful software from creating security holes. The software licenses must be monitored, updates to virus definitions should be set to automatic and regular scans should be conducted on all devices.
- Scrutinize mobile applications before installation – When installing mobile phone apps, permission must be granted to allow the app to access certain information. It is essential that all security and privacy information is scrutinized before an app is installed to ensure it is not unwittingly given access to ePHI held on the device.
- Physically secure all devices – Because small electronic decides can easily be lost or stolen, all staff must take care to ensure that their devices are not left unattended.
- Secure devices using public Wi-Fi – Wi-Fi must only be used to connect to the internet if that connection has been encrypted. Public Wi-Fi can easily allow hackers and the owners of the routers to access the data on devices connected via their networks.
- Use encryption software for text messages – Text messages can be easily intercepted and may remain on remote servers for a considerable period of time, exposing data to any individual with access to the servers. Encryption software for mobile devices is essential.
- Securely erase all data – Even deleted files can be recovered so it is essential that all data is securely erased before a device is decommissioned, disposed, sold on or returned to a leasing company.
Following all of these basic security procedures will help to ensure mobile devices are made HIPAA compliant and the ePHI of patients is properly protected.