While mobile devices play a major role in how we stay connected to the world in our personal lives, they are also becoming increasingly popular in our work environments. Not only are mobile devices such as smartphones, tablets and laptops convenient in the workplace, but they can also help increase productivity.
In its October cybersecurity newsletter, the Office for Civil Rights (OCR) discusses the pros and cons of utilizing mobile devices in the work place and provides tips on how to best protect these devices when accessing ePHI.
Of course, with convenience comes risk, and entities regulated by the HIPAA Privacy, Security, and Breach Notification Rules must be sure to include these mobile devices in their enterprise-wide risk analysis, according to the OCR. Not only is it crucial to include these mobile devices in the risk analysis, but entities must act on the detected risks associated with their mobile devices in order to reduce them.
Due to their small size and portability, mobile devices are at a greater risk of being lost or stolen. A lost or stolen mobile device containing unsecured ePHI can lead to a breach of that ePHI which could trigger HIPAA breach notification obligations for a HIPAA covered entity or its business associate (the entity).”
The OCR explains that if an entity does not allow personal mobile devices to be used for work related purposes, specifically for functions involving ePHI, policies must be created and enforced making it clear that these devices are prohibited.
Beware of unsecure default settings
Much like computers, mobile devices may come with default settings which may not be secure, especially when it comes to accessing or storing ePHI.
Such default settings may enable connectivity to unsecure Wi-Fi, Bluetooth, cloud storage, or file sharing network services. Entities should take steps to ensure that mobile devices are properly configured and secured before allowing the device to create, receive, maintain, or transmit ePHI.”
Training is a crucial part of keeping mobile devices secure. Employees should be trained on the risks of a virus or malware infecting their device. Similar to a virus or malware infecting a computer, an infected mobile device could result in unauthorized individuals accessing information, ultimately leading to a breach of PHI. Not only could a mobile device become an issue due to malware, but applications could also wreak havoc leading to a breach.
A seemingly innocuous mobile app or game could access your contacts, pictures or other information on your mobile device and send such data to an external entity without your knowledge.”
If mobile devices are being used in the work place, it is important that they are reviewed and modified regularly, not just initially upon setup.
Tips for protecting and securing PHI on mobile devices
- Implement policies and procedures regarding the use of mobile devices in the work place – especially when used to create, receive, maintain or transmit ePHI.
- Consider using Mobile Device Management (MDM) software to manage and secure mobile devices.
- Install or enable automatic lock/logoff functionality.
- Require authentication to use or unlock mobile devices.
- Regularly install security patches and updates.
- Install or enable encryption, anti-virus/anti-malware software, and remote wipe capabilities.
- Use a privacy screen to prevent people close by from reading information on your screen.
- Use only secure Wi-Fi connections.
- Use a secure Virtual Private Network (VPN).
- Reduce risks posed by third-party apps by prohibiting the downloading of third-party apps, using whitelisting to allow installation of only approved apps, securely separating ePHI from apps, and verifying that apps only have the minimum necessary permissions required.
- Securely delete all PHI stored on a mobile device before discarding or reusing the mobile device.
- Include training on how to securely use mobile devices in workforce training programs.