10 Steps Healthcare Facilities Should Take to Ensure the Security of ePHI When Employees Use Smartphones
It’s estimated that 74 percent of hospital workers use tablets or other mobile devices to collect and share information about patients.1 And although smartphones and other mobile devices can provide many benefits in the healthcare setting, using them also presents a number of risks.
Unless those devices are used safely, electronic protected health information (ePHI) can be exposed, and malware can enter the facility’s IT network from a compromised phone. Without adequate safeguards in place, either outcome can lead to costly HIPAA violations.
Hospitals, medical clinics and healthcare entities must comply with HIPAA Privacy and Security Rules to protect and secure patients’ information, even when using mobile devices like a smartphone.
Banning smartphones isn’t the answer. When a patient is in pain, every minute counts. If there isn’t an order for pain medication in the patient’s record, a nurse must consult with their physician. In this instance, using a mobile phone can speed up the process. However, this, and other smartphone communications must be handled in a secure manner to protect the healthcare facility’s IT systems, and safeguard patient privacy.
Smartphone Data Breaches and HIPAA/HITECH
CIOs and technology professionals in healthcare facilities are concerned that increased smartphone use raises the likelihood of breaches in which ePHI is exposed. The HIPAA Privacy Rule requires covered entities to “reasonably safeguard” PHI from any intentional or unintentional use or disclosure that violates the rule’s standards.
Covered entities include not only healthcare facilities but individual providers.
The HIPAA Security Rule, in turn, sets out the administrative, physical and technical safeguards for ensuring the confidentiality, integrity, and availability of PHI that is transferred or held in electronic form.
HIPAA concerns include:
- Theft or loss of a smartphone that has PHI on it.
- Staff or volunteers taking and distributing unauthorized photos.
- Staff revealing PHI on social network pages—for example, by posting text or photos that could be classified as individually identifiable health information.
- Unauthorized individuals accessing the healthcare facility’s systems.
- Staff or physicians forwarding an unencrypted email that contains PHI from their organizational account to a personal account that does not have reasonable safeguards to protect PHI.
Data breaches involving patient information can lead to costly fines and settlements–and even criminal penalties. And the health information privacy laws and regulations in some states are even more extensive than federal HIPAA regulations.
Under the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009, breaches of unsecured PHI must be reported to the affected individual, to the U.S. Secretary of Health and Human Services, and in certain cases, to the media. Both HIPAA and HITECH emphasize the importance of privacy and security with the use of ePHI when using smartphones and mobile devices.
Improper Smartphone Use Can Spread Viruses and Malware
“Security of Mobile Computing Devices in the Healthcare Environment,” (by the HIMSS Mobile Security Work Group) warned that “as the popularity of mobile computing devices increases, so too does the possibility that someone will create malware that is intended to impact its use or compromise patient data.”
When used in a healthcare (or any) environment, smartphones should be kept current with operating system and security patches and protected with the facility’s approved mobile security software; an unpatched phone is the more common entry point than a phone without antivirus. Keeping a fleet of personally held devices patched is not an easy task and should be handled by a certified IT expert (Managed Service Provider).
And because caregivers and providers are the first lines of defense, they must undergo Security Awareness Training to be educated about unsafe practices, such as opening suspicious attachments or clicking on questionable links.
Without a clear understanding of the risks of smartphone use and of what a breach costs, users will ignore a healthcare facility’s security policies. User education therefore has to cover both the risks and the consequences of not following those policies.
10 Steps Healthcare Facilities Should Take to Ensure Data Security When Employees Use Smartphones:
- Devise and implement policies to control who can view and access smartphone data.
- Assess the content of email messages and file attachments to automatically identify ePHI.
- Make sure caregivers use two-factor authentication and digitally signed documents so only authorized users can access and transfer ePHI.
- Disable SMS (Short Message Service) and other notification previews on the lock screen. This prevents anyone holding a locked phone from reading message contents.
- Disable voice assistants such as Siri or Cortana while the phone is locked. Otherwise someone holding a locked phone may be able to place calls, send messages or read notifications without authenticating.
- Use passcodes that are hard to guess: at least six characters, with upper- and lower-case letters, a number and a symbol, as a minimum. NIST SP 800-63B sets eight characters as the floor for user-chosen passwords and values length over forced character mixes.
- Change passcodes whenever compromise is suspected (a lost device, a code that was shared) and on the schedule facility policy sets; note that NIST SP 800-63B no longer recommends forced periodic rotation on its own.
- Set smartphones to lock automatically after a short idle period. If the phone is lost or stolen, the thief then needs the passcode to open it, and with device encryption enabled the stored data stays unreadable.
- Set smartphones to limit the number of unsuccessful login attempts, with an escalating delay between attempts and a wipe at the threshold where policy allows.
- If a violation is detected:
  - Stop and quarantine the interaction.
  - Remove the attachment from the email.
  - Return a message to the original sender.
  - Notify a manager.
  - Retract the information.
  - Re-route and encrypt* the email for secure delivery.
*There are several ways to encrypt data in transit; two common ones are a virtual private network (VPN) and a TLS-protected (HTTPS) connection. The National Institute of Standards and Technology (NIST) has Special Publications on both: SP 800-52 covers the selection and configuration of TLS implementations, and SP 800-77 covers IPsec VPNs. Encryption in transit protects the path, not the destination: a message forwarded to a personal account over TLS is still a disclosure to a mailbox without HIPAA safeguards. (Contact your IT Managed Service Provider for more information.)
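The Python below is an added example, not code from the original article, showing one way to implement the second item in the list (automatically identifying ePHI in message content and attachments) together with the final item (the handling sequence once a violation is detected). Traffic that stays inside the organization is delivered; ePHI addressed outside it is quarantined, tainted attachments are stripped, the sender and a manager are notified, the plaintext copy is retracted, and the message is handed to an encrypted relay. The identifier patterns, the `hospital.example` domain, and the `secure_gateway` and `notify` callables are assumptions standing in for a facility’s own DLP rules, mail domain, encrypted-mail gateway and alerting; the sample messages are constructed.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Assumed organizational domain: mail that stays inside it is treated as covered.
ORG_DOMAIN = "hospital.example"

# Constructed detectors. A real deployment tunes these to the facility's own
# identifier formats (MRN scheme, encounter numbers, payer IDs).
IDENTIFIER_PATTERNS = {
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d\d-(?!0000)\d{4}\b"),
    "mrn": re.compile(r"\bMRN\s*[:#]?\s*\d{6,10}\b", re.IGNORECASE),
    "dob": re.compile(r"\b(?:DOB|date of birth)\s*:?\s*\d{1,2}/\d{1,2}/\d{2,4}\b", re.IGNORECASE),
}
HEALTH_PATTERNS = {
    "diagnosis": re.compile(r"\b(?:diagnos(?:is|ed)|ICD-10|dx)\b", re.IGNORECASE),
    "dosage": re.compile(r"\b\d+\s?mg\b", re.IGNORECASE),
}


@dataclass
class Message:
    sender: str
    recipients: list
    subject: str
    body: str
    attachments: dict = field(default_factory=dict)  # filename -> extracted text


@dataclass
class Outcome:
    decision: str                 # "deliver", "deliver-internal" or "quarantine"
    indicators: list              # (kind, matched text) pairs that were found
    actions: list                 # handling steps taken, in order
    secure_copy: Optional[Message] = None  # what was handed to the encrypted relay


def find_identifiers(text):
    return [(kind, m.group(0)) for kind, pat in IDENTIFIER_PATTERNS.items()
            for m in pat.finditer(text)]


def contains_ephi(text):
    """Heuristic: an MRN on its own, or any identifier alongside health context,
    counts as ePHI. Simplified; PHI is individually identifiable health data."""
    ids = find_identifiers(text)
    has_health = any(p.search(text) for p in HEALTH_PATTERNS.values())
    flagged = any(kind == "mrn" for kind, _ in ids) or (bool(ids) and has_health)
    return flagged, ids


def is_external(address):
    return address.rsplit("@", 1)[-1].lower() != ORG_DOMAIN


def screen(msg, secure_gateway, notify):
    """Apply the handling steps to one outbound message. secure_gateway and notify
    are callables standing in for the facility's encrypted-mail relay and alerting."""
    body_flagged, indicators = contains_ephi(msg.body)
    tainted = []
    for name, content in msg.attachments.items():
        flagged, hits = contains_ephi(content)
        if flagged:
            tainted.append(name)
            indicators += hits
    if not (body_flagged or tainted):
        return Outcome("deliver", indicators, ["deliver"])
    if not any(is_external(r) for r in msg.recipients):
        return Outcome("deliver-internal", indicators, ["log", "deliver"])

    actions = ["quarantine"]                      # stop and quarantine the interaction
    kept = {n: c for n, c in msg.attachments.items() if n not in tainted}
    if tainted:
        actions.append("strip-attachments")       # remove the attachment from the email
    notify(msg.sender, f"Held: '{msg.subject}' contains ePHI addressed outside {ORG_DOMAIN}")
    actions.append("return-to-sender")            # return a message to the original sender
    notify(f"privacy-officer@{ORG_DOMAIN}", f"ePHI release attempt by {msg.sender}")
    actions.append("notify-manager")              # notify a manager
    actions.append("retract")                     # the plaintext copy never leaves the queue
    secure_copy = Message(msg.sender, msg.recipients, msg.subject, msg.body, kept)
    secure_gateway(secure_copy)                   # re-route for encrypted delivery
    actions.append("reroute-encrypted")
    return Outcome("quarantine", indicators, actions, secure_copy)


# Constructed sample traffic for the example.
SENT_SECURELY, ALERTS = [], []


def demo():
    notify = lambda to, text: ALERTS.append((to, text))
    leak = Message("nurse@hospital.example", ["nurse.home@webmail.example"], "pt update",
                   "MRN: 00482913 diagnosed w/ pneumonia, on 650 mg acetaminophen",
                   {"labs.txt": "DOB: 04/12/1958 ICD-10 J18.9", "roster.txt": "shift swap ok"})
    internal = Message("nurse@hospital.example", ["dr.lee@hospital.example"], "order?",
                       "MRN: 00482913 needs pain med order")
    benign = Message("nurse@hospital.example", ["friend@webmail.example"], "lunch",
                     "Cafeteria at noon?")
    return [screen(m, SENT_SECURELY.append, notify) for m in (leak, internal, benign)]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome.decision, outcome.actions)
```

The destination check is what keeps the rule usable: clinicians exchanging ePHI with colleagues inside the covered entity are not interrupted, while the forward-to-personal-account case listed earlier is the one that gets stopped.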
Mobile Device Management
Some mobile devices have remote lock and wipe built in: remote wipe lets an administrator permanently erase the data on a smartphone that is lost or stolen. One caveat matters in practice. The wipe command only executes once the device is powered on and connected, so a thief who keeps the phone offline never receives it; device encryption and a strong passcode are what protect the ePHI until then, and the wipe should still be issued so that it runs the moment the device checks in.
When smartphones are used in a healthcare setting, it is imperative that your IT provider implements and deploys a professional Mobile Device Management (MDM) solution.
A Professional MDM Solution Protects ePHI with:
- The ability to locate, lock and wipe ePHI from a stolen or lost smartphone or mobile device.
- Continuous remote monitoring and management of all authorized mobile devices.
- Secure passcode implementation and enforced encryption.
As you can see, using smartphones presents a number of risks, especially in a healthcare environment. Unless patient data is adequately safeguarded both at rest on the device and in transit, unauthorized access to the healthcare facility’s systems can follow, leading to ePHI breaches and HIPAA/HITECH violations. Executives and administrators should take the steps above to prevent this, working with IT professionals who are certified in current security solutions.