As the BYOD (bring your own device) trend increases in the workplace, hospitals are finding it necessary to focus more on mobile security. Mobile computer devices and BYOD policies allow healthcare professionals to work from their own personal devices from wherever they are, increasing productivity and team collaboration capabilities. However, along with the benefits of BYOD, come many security risks.
Because health care facilities must protect patients’ personal health information (PHI) they must ensure these mobile devices, and their employees, comply with regulatory guidelines. All healthcare entities and their business associates are required to adhere to HITECH* and HIPAA** guidelines to avoid security risks of BYOD.
Steps to Take
In order to avoid the risks and consequences of data breaches, healthcare professionals must take additional steps to maintain the protection of PHI while using enterprise mobile communication solutions.
Healthcare entities and professionals should abide by the following advice:
- Don’t Store PHI on Mobile Devices
Consumer-oriented mobile messaging apps claim to be protected and secure, but most aren’t HIPAA compliant. These apps store data on a device without encryption. Ideally, healthcare communication apps should offer access to messages only when the user is logged in, and encrypt all data using a robust algorithm such as an advanced encrypted standard.
- Ensure Remote-Wipe Capabilities
HIPAA doesn’t require the ability to remotely wipe a device, but it should be an essential administrative practice in any BYOD program. Being able to wipe a device remotely avoids security problems when an employee leaves the company, or a device is lost or stolen. Many organizations use Mobile Device Management platforms, in order to manage devices that have access to sensitive data.
- Vendors and its Sub-Vendors Must Also Comply with the HIPAA Omnibus Requirements
In January, the OCR (Office for Civil Rights) announced a HIPAA Omnibus Rule to increase a patient’s privacy protections, and provide individuals with new rights regarding their health information, while also increasing the government’s ability to enforce the law. The changes apply to business associates such as contractors and subcontractors, as well as covered entities. In addition, the changes increase the HITECH Breach Notification requirements by clarifying when breaches must be reported to HHS (Health and Human Services). Healthcare organization vendors must obtain Business Associate Agreements (BAA), as well as BAAs with its sub-vendors.
- Use Two-Level Security To Login to Enterprise Apps
First, an organization should enable each provider to use their same hospital system login credentials to access apps. Second, use a separate PIN for access to mobile apps. When inactivity occurs, a disconnect time-out should deploy as well.
- Audit Mobile Devices on a Regular Basis
Organizations should implement an auditing schedule for any devices used in the transmission of work-related information. This ensures compliance with regulatory requirements. Conduct a technical review/risk audit of all devices, including information regarding when the devices are used, as well as who uses the device.
- Update Security Software and Applications on Devices
Ensure security software on the device is updated regularly. The wireless carrier or manufacturer will typically send software updates to mobile devices. However, ensure the entire staff installs security software updates as soon as possible.
- Permit Integrations with File-Sharing/Hosting Services
Cloud storage and file sharing services, such as Evernote and Dropbox, aren’t HIPAA compliant. Avoid using these services for the transmission of PHI. There are a few vendors, such as CloudPrime’s QuickDrop, that offer HIPAA-compliant cloud file sharing. It’s important to research and ask vendors for an in-depth review of their security protocols.
Mobile devices can immensely enhance the communication and collaboration capabilities for healthcare professionals. However, healthcare IT organizations must protect patient information and ensure regulatory compliance to benefit from the BYOD trend. Although some of the advice listed above isn’t required under HIPAA, it will provide a solid foundation for best practices within a healthcare organization.
What to Do?
Contact your Healthcare IT service Provider who can run a HIPPA/HITECH security assessment of your IT infrastructure and mobile devices. This could help you avoid costly fines for regulatory noncompliance.
** HIPAA https://www.hhs.gov/ocr/privacy/