Few technical innovations are transforming the healthcare landscape as much as mobile devices. With nearly 90% of physicians now carrying a smartphone or tablet, they’ve become almost as ubiquitous as the stethoscope.
Yet when it comes to HIPAA, the difference between these two “instruments of care” could not be greater. Consider the following examples:
Case 1: Back in 2014, Catholic Health Care Services (CHCS) of the Archdiocese of Philadelphia was serving as an active business associate to six skilled nursing facilities, providing information technology services.
Unfortunately, one of their iPhones containing the unencrypted, protected health information of 412 nursing home patients – including social security numbers, diagnosis and treatment information, and the names of family members and legal guardians – was stolen.
The resulting breach led to a $650,000 HIPAA fine.
In addition to meeting the fine, CHCS agreed to a corrective action plan. While assessing the fine, OCR also took into account the critical services provided to Philadelphia’s elderly, developmentally disabled, foster care system, and HIV/AIDS patients, the OCR director noted.
Case 2: In 2019, the University of Rochester Medical Center (URMC) agreed to pay a hefty OCR fine for the impermissible disclosure of epHI from mobile devices, stemming from 2 separate incidents: the loss of an unencrypted flash drive back in 2013, and the 2017 theft of an unencrypted laptop.
We should note that URMC had also failed to conduct an enterprise-wide risk analysis, implement security measures to reduce risks and vulnerabilities, utilize device and media controls, and employ encryption when it was reasonable to do so.
The damages? A $3 million HIPAA fine.
The range of mobile devices revealed in these incidents should clearly raise our security caution level. As OCR Director Jocelyn Samuels noted after the CHCS breach:
“…business associates must implement the protections of the HIPAA Security Rule for the electronically protected health information they create, receive, maintain, or transmit from covered entities. This includes an enterprise-wide risk analysis and corresponding risk management plan, which are the cornerstones of the HIPAA Security Rule.”
A number of factors concerning mobile devices in healthcare contribute to the need for added caution:
- as noted, overall mobile device use – including smartphones, tablets, and other devices – has been steadily increasing. While allowing faster access to ePHI – a positive trend for improving patient care – the practical “attack surface” for cybercriminals has also increased
- password protections are not frequently used – particularly on mobile phones – which was also the case with CHCS
- due to their size, mobile devices tend to be misplaced, lost, and stolen more easily than larger computers, making protections all the more necessary
- physicians, as well as business associates, often forget about the necessity of encrypting their emails
Securing Mobile Devices
Ultimately, the responsibility for mobile device management falls to the covered entities and their business associates. According to OCR’s investigation, CHCS had no policy in place addressing the removal of mobile devices containing PHI from its facility, nor what to do in the event of a security incident – both which likely would have been addressed in a risk management assessment.
A number of companies, including Google, are now offering mobile device management and encryption to keep ePHI secure. In addition, the National Institute of Standards and Technology (NIST) has issued mobile guidelines for healthcare security engineers and providers.
In general, the NIST standards advise the following:
- All mobile devices should be registered with the organization, and individually authorized to add, modify, remove, and access PHI
- Passcode protection should be enabled, and mobile devices encrypted
- Enable security policies for mobile security, and certificates to prove the authenticity of users and devices
- Devices should only access a specific Wi-Fi (WPA2) created for mobile devices
Additional security measures that organizations can pursue include ensuring multi-factor authentication (MFA), automatic locking and logoffs, remote wiping capabilities, and regular security patching and updates.
Another area of concern with mobile devices containing ePHI is the use of 3rd party apps – some used for medical purposes. Although at first glance these apps may seem innocuous, they may in fact provide a window for viewing ePHI. Organizations will need to evaluate (risk assess) and address in their policies the use and downloading of any such apps by employees.
Your Devices are Only as Compliant as You Are
Technical controls on all devices used for ePHI are critical; yet only when they become part of a larger, enterprise-wide program of HIPAA compliance will your organization be secure. This includes people, policies, and practice.
Need to talk to someone about strengthening your security posture, and becoming HIPAA compliant? Give us a call: 760-290-3460
About HIPAA Vault:
HIPAA Vault is a leading provider of HIPAA compliant solutions, enabling healthcare providers, business organizations, and government agencies to secure their protected health information from data breaches, threats, and security vulnerabilities. Advanced security measures are needed to ensure HIPAA compliance, and customers trust HIPAA Vault to mitigate risk, actively monitor and protect their infrastructure and ensure that systems stay online at all times. www.hipaavault.com