If you look around you will see the overwhelming number of mobile devices in use today, including laptops, smartphones and tablets. Many organizations allow employees to use their own smartphones or laptops to access the organization’s email, network and data. Clients are starting to understand the risk of these devices and many have asked us the following question:
What does HIPAA say we should do to protect employee owned devices?
It is a good question and one that shows well-placed concern about all of these devices and the data that is accessed or stored on them. Clients are always looking for guidance and advice, especially when it comes to taking the complex HIPAA regulations and distilling them down into understandable, actionable items.
Here is the bad news – HIPAA doesn’t say anything about these devices!
Back to the future – 2003
The first thing to realize is that the HIPAA Security Rule was written in 2003. Yep, 2003, which was 4 years before the first iPhone was released. Laptops started around $1,300 and were much heavier than they are today. A tablet was a stack of paper that was used for writing.
Doing a quick search of the HIPAA Security Rule Final Text reveals a few interesting things:
- The word “Smartphone” is not found in the Security Rule
- The phrase “Mobile Device” is not found in the Security Rule
- The word “Email” is not found in the Security Rule
- The word “Texting” is not found in the Security Rule
- The word “Laptop” is mentioned once in the Security Rule and only in reference to what a “Workstation” means
Workstation means an electronic computing device, for example, a laptop or desktop computer, or any other device that performs similar functions, and electronic media stored in its immediate environment.
If the HIPAA Security Rule doesn’t mention mobile devices, laptops, smartphones, email or texting, how do organizations know what is required to protect these devices? While there may not be specific guidance, the HIPAA Security Rule is clear that the required Security Risk Assessment needs to take an inventory of where protected health information (PHI) is accessed or stored AND that “reasonable safeguards” need to be implemented to protect the data. Basically, it says that if there is PHI on these devices then that data needs to be protected.
Let’s go back to employee owned devices. These devices are usually referred to as Bring Your Own Device or BYOD. A lot of organizations let employees use their own devices because it is cheaper than having to purchase laptops or smartphones for employees. Employees like BYOD as well because they can use the same personal device for business and not have to have both a personal and business laptop or smartphone.
While BYOD seems good for everyone, there is a common misconception: if an employee loses a personally owned device containing PHI, the organization would not be responsible for the potential data breach.
This misconception is very widespread. Unfortunately, if an organization’s PHI is on a device and the device is lost, stolen or breached, the organization is responsible for the data breach regardless of who owns the device. Employee owned devices do not relieve an organization of its responsibility to protect the data.
Organizations need to put in place BYOD Policies that put clear guidelines around how personally owned devices should be used and the safeguards that should be in place to protect any data on the devices. BYOD Policies should include:
- Who is permitted to use a personally owned device and what authorization is required?
- What devices are permitted and what are not permitted?
- What data is allowed to be accessed or stored on the devices?
- Whether encryption is a requirement (it should be!)
- What happens if the device is lost or stolen?
- What steps should be taken before an employee disposes of the device including wiping any PHI that is on the device (think about an employee upgrading a smartphone and selling the old phone on eBay)?
- What rights the organization has to wipe the data from the device if it is lost or stolen? A key issue here is that personal data may be wiped or deleted along with the organization’s data.
- What happens to the data on the device if the employee is terminated?
The trend towards BYOD and personally owned devices is not reversing anytime soon. More and more personally owned devices will be in use in the coming years and more and more sensitive data will be on these devices. Organizations face a real challenge protecting personally owned devices. Having clear policies is the first step to managing personally owned devices and minimizing the risk of a data breach due to a personally owned device.