Camella Boateng, an expert on HIPAA makes the point that “Most HIPAA breaches involve mobile devices. Such breaches dominate the under 500 patient breaches, which has masked the true number of such breaches is masked. The publicity of these types of breaches is likely to change as OCR begins implementing their new policy to investigate breaches under 500. Of particular note, the OCR has announced that in selecting organizations for audit, one factor will be whether or not they reporting minor breaches. From experience, they expect that almost any organization will have a HIPAA breach of some sort or another over time; and therefore those that report no breaches can be considered suspect.” She offered the following checklist of tips on mobile device security and precaution.
- Provide management, accountability, and oversight structures for covered entities.
- Establish policies, protocols, processes, and procedures for mobile device use.
- Provide training on the bring your own device (BYOD) policy.
- Keep an inventory of personal mobile devices authorized to access and transmit electronic protected health information (ePHI).
- Use a device key, password, or other user authentication to verify user identity.
- Install and/or enable encryption that protects protected health information (PHI) stored on and sent by mobile devices.
- Install or enable firewalls and regularly update security software (such as malware).
- Install or activate remote wiping and/or disabling.
- Reinforce constantly to keep devices under personal control or under lock and key.
- Install radio frequency identification (RFID) tags to help locate lost or stolen mobile devices.
- Establish remote shutdown tools that can remotely lock lost mobile devices.
- Disable or do not install file-sharing applications on devices used for ePHI transmission.
- Establish electronic processes to ensure unauthorized parties do not destroy or alter ePHI.
- Conduct training on procedures for using mobile devices to access ePHI.
- Educate clinicians on the risks of data breaches, HIPAA violations, and fines.
- Delete all stored PHI before reusing or discarding a device.
After following all of the above steps, perform an outside independent security risk assessment to determine (a) if personal mobile devices are being used to exchange ePHI; (b) which devices are used on internal networks; (c) what information is accessed, received, stored, and transmitted; (d) whether proper authentication, encryption, and physical protections are in place to secure the exchange of ePHI; and (e) whether users have been properly trained on security procedures.
Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.