Understanding best practices for mobile device security in today's healthcare environment can be a challenge for many organizations. As mobile devices such as tablets and smartphones become more powerful, they become more useful to your health organization. That usefulness often translates into more risk for the organization. Best-practice security for both company-owned and personal devices requires proactive policies, implementation of those policies, and employee training on the policy and on acceptable use of the device.
Understanding HIPAA
The Health Insurance Portability and Accountability Act of 1996 required the Secretary of the U.S. Department of Health and Human Services to develop regulations protecting the privacy and security of certain health information. To meet this requirement, HHS published what are commonly known as the HIPAA Privacy Rule and the HIPAA Security Rule.
The Privacy Rule
The Privacy Rule establishes national standards for the protection of certain health information. This rule refers to individually identifiable health information that can be linked to a particular person such as:
- The individual's past, present or future physical or mental health
- The provision of healthcare to an individual
- The past, present or future payment for the provision of healthcare to the individual
The Security Rule
When discussing mobile device security best practices, we are primarily concerned with the Security Rule provisions. The HIPAA Security Rule applies to individually identifiable health information in electronic form, known as electronic protected health information (ePHI). The Security Rule addresses the technical and non-technical safeguards that organizations called covered entities must put in place to secure the ePHI described in the Privacy Rule. It establishes a national set of security standards for protecting ePHI, specifically how it is stored, maintained and transmitted.
The 5-step process
The Office of the National Coordinator for Health Information Technology (ONC) has outlined five basic steps organizations can take to manage mobile devices used by health care providers and professionals. Healthcare organizations can use the five steps to develop and implement mobile device policies and procedures that safeguard patient health information.
The five steps are outlined on the ONC's website (HealthIT.gov) as follows:
- Decide – Decide whether mobile devices will be used to access, receive, transmit or store patients' health information or used as part of your organization's internal networks or systems.
- Assess – Consider how mobile devices affect the risks to the health information your organization holds.
- Identify – Identify your organization's mobile device risk management strategy, including privacy and security safeguards.
- Develop, Document and Implement – Develop, document and implement the organization's mobile device policies and procedures to safeguard health information.
- Train – Conduct mobile device privacy and security awareness and training for providers and professionals.
Best practices – Securing the device
So you've made it through the five-step process and decided to allow mobile devices on your organization's network, and perhaps even adopted a "bring your own device" policy that lets employees use their personal mobile devices to access the corporate network. Here are some basic tips for securing those devices that help meet your compliance requirements.
1. Use a device key, password or other user authentication. Authentication is the process of verifying the identity of a user, process or device. Mobile devices can be configured to require a password, personal identification number (PIN) or passcode before granting access. The password, PIN or passcode field should be masked so that onlookers cannot read it. Mobile devices should also be set to lock the screen after a set period of inactivity, so that an unattended device cannot be used by an unauthorized person.
2. Install and/or enable encryption. Encryption protects health information stored on and sent by mobile devices. Mobile devices may have built-in encryption capabilities, or you can buy and install an encryption tool on the device. If the device is lost or stolen, encryption makes it difficult to read the data on it. With some devices it is also important to make sure that device backups are encrypted, since an unencrypted backup on a laptop or in the cloud exposes the same data. Newer Apple devices have hardware-backed encryption built in, and once a passcode is set the Data Protection feature ties the file encryption keys to that passcode automatically. Android devices may require encryption to be enabled explicitly per device, which takes a little time but should be a mandatory requirement.
3. Install and activate remote wiping and/or remote disabling. Remote wipe lets you erase all data from a device that has been lost or stolen. Some mobile device management (MDM) software allows greater control, including selective removal of only corporate data, which matters on personally owned devices.
4. Disable and do not install or use file-sharing applications. File-sharing software such as Dropbox and the like should be carefully examined. These applications often let a user copy information from applications like email directly into the provider's cloud. This could mean that ePHI is moved off the mobile device and out of the control of your organization. To prevent these data leaks, disable this type of software or use MDM software that can containerize the ePHI and block copying out of the container.
5. Keep your software up to date. Regularly updating your operating system and security software gives you the latest fixes for known vulnerabilities that could otherwise be used to gain unauthorized access to health information on or through your mobile device.
6. Research mobile applications before downloading. Using only the official application stores, such as Apple's App Store or Google Play, helps protect your mobile device, because apps there go through a screening process that reduces (but does not eliminate) the chance of installing malware. As a rule, devices that are jailbroken (Apple) or rooted (Android) should not be allowed under your policy. These devices have circumvented some of the manufacturer's controls, which allows them to install software from unprotected sources and undermines the other protections on this list.
7. Use adequate security to send or receive health information over public Wi-Fi networks. Public Wi-Fi networks are an easy place for unauthorized users to intercept traffic. You can protect health information by only sending or receiving it through a Virtual Private Network (VPN) connection while on public Wi-Fi. The VPN tunnel is encrypted, so intercepted data is not readable on the public network; note that the tunnel protects data only as far as the VPN endpoint, so applications handling ePHI should still use their own encrypted connections such as HTTPS.
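As an added example (not part of the original article or Ancero's own tooling), the following Python script turns the seven controls above into a compliance check over a device inventory. The record fields (`passcode_set`, `autolock_seconds`, `installed_apps` and so on), the policy thresholds, and the two device records are all assumptions constructed for illustration, a stand-in for an export from whatever MDM you actually use, not any vendor's real API.

```python
"""Check mobile device inventory records against the seven controls above.

Added example. The record layout and thresholds are assumed for illustration,
not taken from any real MDM product.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Policy:
    """Assumed organizational thresholds; tune them to your own risk assessment."""
    min_passcode_length: int = 6
    max_autolock_seconds: int = 300        # lock after at most 5 minutes idle
    min_os: Dict[str, Tuple[int, int, int]] = field(
        default_factory=lambda: {"ios": (16, 0, 0), "android": (12, 0, 0)})
    # Bundle identifiers of consumer file-sharing apps to flag (assumed list).
    blocked_apps: frozenset = frozenset({"com.getdropbox.Dropbox", "com.dropbox.android"})


def parse_version(text: str) -> Tuple[int, int, int]:
    """'16.2' -> (16, 2, 0). Non-numeric parts count as 0 so junk never crashes the report."""
    nums: List[int] = []
    for part in text.split("."):
        try:
            nums.append(int(part))
        except ValueError:
            nums.append(0)
    padded = (nums + [0, 0, 0])[:3]
    return (padded[0], padded[1], padded[2])


def evaluate(device: dict, policy: Policy = Policy()) -> List[str]:
    """Return the list of controls the device fails; an empty list means compliant."""
    findings: List[str] = []

    # 1. Authentication: a passcode must exist and meet the minimum length.
    if not device.get("passcode_set"):
        findings.append("no passcode or PIN configured")
    elif device.get("passcode_length", 0) < policy.min_passcode_length:
        findings.append(f"passcode shorter than {policy.min_passcode_length}")

    # Screen lock: in this constructed format 0 means "never locks". That is the
    # worst case, so it must fail rather than slip past a plain "<= max" check.
    autolock = device.get("autolock_seconds", 0)
    if autolock <= 0 or autolock > policy.max_autolock_seconds:
        findings.append("screen lock disabled or idle timeout too long")

    # 2. Encryption at rest.
    if not device.get("storage_encrypted"):
        findings.append("storage not encrypted")

    # 3. Remote wipe must be enrolled before the device is lost, not after.
    if not device.get("remote_wipe_enrolled"):
        findings.append("remote wipe not enrolled")

    # 4. File-sharing apps that can move ePHI off the device.
    leaked = sorted(set(device.get("installed_apps", [])) & policy.blocked_apps)
    if leaked:
        findings.append("blocked file-sharing apps installed: " + ", ".join(leaked))

    # 5. OS currency, compared numerically so "9.1" is not "newer" than "12".
    platform = device.get("platform", "")
    floor = policy.min_os.get(platform)
    if floor is None:
        findings.append(f"unknown platform {platform!r}")
    elif parse_version(device.get("os_version", "0")) < floor:
        findings.append("OS version below minimum")

    # 6. Jailbroken or rooted devices undermine every control above.
    if device.get("jailbroken_or_rooted"):
        findings.append("device is jailbroken or rooted")

    # 7. Transport protection for public Wi-Fi.
    if not device.get("vpn_configured"):
        findings.append("no VPN profile for public Wi-Fi")

    return findings


def report(devices: List[dict], policy: Policy = Policy()) -> Dict[str, List[str]]:
    """Map device id -> findings for a whole inventory export."""
    return {d["id"]: evaluate(d, policy) for d in devices}


# Constructed sample inventory: one compliant tablet, one badly configured phone.
DEVICES = [
    {"id": "ipad-01", "platform": "ios", "os_version": "16.2", "passcode_set": True,
     "passcode_length": 6, "autolock_seconds": 120, "storage_encrypted": True,
     "remote_wipe_enrolled": True, "jailbroken_or_rooted": False,
     "installed_apps": ["com.apple.mobilemail"], "vpn_configured": True},
    {"id": "phone-07", "platform": "android", "os_version": "11", "passcode_set": True,
     "passcode_length": 4, "autolock_seconds": 0, "storage_encrypted": False,
     "remote_wipe_enrolled": False, "jailbroken_or_rooted": True,
     "installed_apps": ["com.dropbox.android"], "vpn_configured": False},
]

if __name__ == "__main__":
    for device_id, problems in report(DEVICES).items():
        status = "OK" if not problems else "FAIL: " + "; ".join(problems)
        print(f"{device_id}: {status}")
```

Run it with an inventory pulled from your MDM mapped into this shape and the output is the per-device list of failed controls; the point of the numeric version parsing and the explicit "never locks" case is that those are exactly where a naive string or `<=` comparison would report a non-compliant device as compliant.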
Conclusion
Implementing mobile devices in your organization can add a lot of value for your team when the proper balance between security and usability is achieved. Not every item will fit your company's particular needs or workflow, but these tips form a solid foundation for mobile device security, and understanding these best-practice guidelines will help you understand your corporate risk. Proper planning, policy creation, implementation of controls and, most importantly, training for your users will help protect your data and substantially reduce the risks typically associated with mobile devices.
Bob Seaman leads Ancero's technical strategy, which includes the research and testing of new technologies. He also serves as the leader of the technical education track for the engineering team. Seaman designed and implemented Ancero’s award winning managed services practice, which is the cornerstone of the company’s technical offerings, and works closely with the sales team in designing and presenting solutions for Ancero’s key clients. He holds numerous industry certifications and has worked with the New Jersey Technology Council and the New Jersey Association of Mental Health Agencies.