SCGhealth Blog

OCR issues new warning about protecting patient information on mobile devices

Monday, November 13, 2017

By Marla Durben Hirsch, contributing writer

Tread carefully if you store, send, receive or transmit electronic patient protected health information (ePHI) via a laptop, iPhone or other portable electronic device. The Department of Health and Human Services’ Office for Civil Rights (OCR) has issued a new alert about the vulnerability of such information.

The alert, released in a newsletter October 31, notes that while mobile devices are convenient and easy to use, the ePHI is particularly difficult to keep secure. The devices are usually on default settings, enabling them to connect to unsecure Wi-Fi, Bluetooth, cloud storage or file sharing network services, where others can access the data. It is common for users to inadvertently download malware or viruses, which can hack into or corrupt the data on the device. And the devices themselves are frequently lost or stolen. 

For example, more than 27% of the breaches of 500 or more patient records archived on HHS’ HIPAA breach “wall of shame” were due to the loss or theft of a laptop or other portable device. That figure doesn’t even include potentially related breaches, such as emails containing ePHI sent from a mobile device to the wrong recipient or that were intercepted. 

“As mobile devices are increasingly and consistently used by covered entities and business associate[s] and their workforce members to store or access ePHI, it is important that the security of mobile devices is reviewed regularly, and modified when necessary, to ensure ePHI remains protected,” OCR says in the alert. 

OCR recommends that entities: 

  • Include mobile devices when conducting their HIPAA-required security risk analyses to identify vulnerabilities that could compromise patient data and take action to reduce any vulnerabilities or risks found.
  • Implement policies and procedures regarding the use of mobile devices in the work place, especially when used to create, receive, maintain, or transmit ePHI.
  • Consider using Mobile Device Management (MDM) software to manage and secure mobile devices.
  • Install or enable automatic lock/logoff functionality.
  • Require authentication to use or unlock mobile devices.
  • Regularly install security patches and updates.
  • Install or enable encryption, anti-virus/anti-malware software, and remote wipe capabilities.
  • Use a privacy screen to prevent people close by from reading information on your screen.
  • Use only secure Wi-Fi connections.
  • Use a secure Virtual Private Network (VPN).
  • Reduce risks posed by third-party apps by prohibiting the downloading of third-party apps, using whitelisting to allow installation of only approved apps, securely separating ePHI from apps, and verifying that apps only have the minimum necessary permissions required.
  • Securely delete all ePHI stored on a mobile device before discarding or reusing the mobile device.
  • Train staff on how to securely use mobile devices. 

Don’t expect leniency on this one
OCR’s concern about protecting patient data on portable devices is not new. The agency has previously published resources on this topic, including videos, checklists and FAQs. But the fact that OCR felt a need to repeat itself indicates that it believes that entities are not “getting the memo” and are not taking proper precautions. 

It also shows that this is a front burner issue for the agency, and that entities which fail to comply despite the plethora of repeated guidance are more likely to face harsher punishment. 

Takeaway: Entities that suffer a breach of ePHI related to a mobile device are not going to be able to defend themselves on the ground that there was no guidance to help them protect the data. Now’s a good time to assess your office’s use of portable devices and reduce the risk that patient information will be exposed.

Electronic HIPAA Violations

Thursday, July 20, 2017

Written by Nasir Abbas


The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is pretty ancient. It passed through Congress in 1996, but the first regulation didn’t come out until 2003. The federal law established mandates the security and protection of sensitive patient information: protected health information (PHI) and personally identifiable information (PII). Two separate regulations cover how to keep this info private and secured.


We’ve published several blogs in the past discussing appropriate disposal of physical information and the risks associate with carelessness. Now let’s look at the electronic side of HIPAA. According to Joseph Mutlu, former Executive Vice President of Information Technology at SCG Health, two of the most often overlooked security safeguards pertain to inventory management. “Currently we are utilizing more and more removable storage options. These devices are easily lost and/or stolen, so it is wise to always keep a running inventory of these devices if they contain any sensitive information” observed Mutlu. The second issue is related to the systems themselves. “CPU cases contain the hard drive to your computer and can/should be locked. Anyone with the technical skills and know-how can effortlessly remove the hard drive in a matter of seconds, without the use of any tools.” If computers are left unattended, especially with distracted staff, one could slip out the hard drive and easily go weeks – maybe even months – undetected. By the time anyone realizes what has happened, whatever information was being stored on that hard drive would have been long gone.

Though these tips are highly beneficial and interesting, there are two procedures that should be followed to a T if you wish to protect yourself and your practice as best as possible. These two steps, if taken appropriately, make sure that even if your device is stolen or lost, your information remains hidden. Those measures are encryption and deletion.


With that being said, it is unfortunate that the protocols that most businesses are improperly executing are encryption and deletion. Encryption is the scrambling of data files, only legible to those with the decryption key. This ensures that if sensitive information were to fall into the wrong hands, said information would still be protected. “Always make sure that when sending encrypted files via email that you send two separate emails – one with the encrypted file and another with the key. Doing so protects you and the recipient in the case that one email was to be intercepted, it would be useless without the other,” says SCG Health CEO Jennifer Searfoss.

Deletion refers to the APPROPRIATE removal of information from networks and devices. Believe it or not, there is more to deletion than just emptying the recycling bin. If that is your method of electronic disposal, you are in dangerous territory. The truth is that information is still there and is far from gone. Anyone with the time and patience can retrieve that information. Just by simply Google searching “retrieving deleted information,” you will find numerous sites containing step-by-step instructions on how to do just that.

So, what can one do to make sure they are protecting themselves from all sides?

Steps to Take

Firstly, make sure you are familiar with your state’s regulations on the retention of medical records. The HIPAA Security Rule states that clinicians must keep any documents containing PHI for six years from the creation date or last known use date, whichever is later Again, double check with your specific state as the laws from state to state are different

Make sure you perfect your encryption protocols. Encryption is your first layer of defense and should not be taken lightly. Make sure files are correctly coded, and make sure to always send two emails (the encrypted file and the decoder key). Deletion is the next layer of defense, but is still extremely important and should always be performed to the highest level of completion. To completely and appropriately destroy data files, disks must either be magnetically wiped or completely reformatted and rewritten (minimum of three times through). Companies, such as Dell, offer destruction services, but you must always make sure they are HIPAA compliant before taking any action.

Overall, HIPAA violations can be avoided with a little training, education, attention and discipline. There are plenty of ways to protect your electronic information, but by following the procedures mentioned in this article, you will undoubtedly be on the right path to being HIPAA compliant.


Retention Laws Infographic

Ransomware protection starts with backups

Tuesday, March 08, 2016

By Shannon Carpenter

It will start off like any other day. Drop the kids off, run through a drive-thru for coffee, turn your computer on and try to access your server. A small message box will pop-up saying something techy like “unable to access the server at this time”. If you are lucky enough to be a normal worker, you buzz your ‘IT’ person to let them know, and take care of the problem. If you are unlucky enough to be someone like me, the ‘IT’ person, you walk back to where the server is and stare in abject horror. For there, on the screen reads a message unlike to have ever seen. Your server has been infected with Ransomware and your files are being held for ransom money.

If you are like me, you have taken a few requisite computer classes in college. How you became the “IT” person of the small company you work for, was really nothing more than you fixed the boss’s computer one time and that was it, you were crowned as the person to call if there were technical issues. Over the years, you may have learned a thing or two about being tech savvy. First thing to check, power supply. Second, are all the cords connected? You see where I’m going with this, right?

So now is the day that someone tells you that the server isn’t working. You wander on back there with your fool-proof trick in your pocket. Reboot! It fixes everything, right? Not this time my friend. This time, there is a message for you. Your server has been taken over by cyber hackers, and your data is being held ransom. I won’t elaborate on the thoughts that ran though my head, I’m sure you can all guess. This is the point in the story that my type A personality really saved the day. BACKUP!!! That’s right, they may have taken our server, but I still had the backup that would run every night. No ransom was paid and life went on.

Ransomware defined

This term “ransomware” means any type of software or malware that infects a computer and encrypts files without authorization. The files stay encrypted until the owner pays a ransom. Over the past month, multiple hospitals around the world have had their servers, electronic health records or email systems breached and held for millions of new electronic money called, Bitcoin. Whether or not you business serves millions of client’s every year, or just a few hundred local townies, internet security must be made a company priority. It can be as simple as an un-witting employee clicking on an attachment or downloading a funny video to let in these cyber terrorists.

The repercussions of these attacks will be felt for years to come. Patients may begin to withhold vital information for fear of whose hands their electronic records will end up in. Liability insurance rates will increase as well as additional “ransomware” riders will be added. Any personal use of company computers will need to be restricted for fear of the unknown Trojan horse.

You can take precautions

Across the world hospitals, corporations, school districts and police departments are under cyber-attack. They have dozens of trained men and women at their disposal to try to prevent these scenarios and then manage them when they do inevitably arrive. No system is impenetrable. Here are my few words of wisdom for the more modest companies with only a handful of employees.

  1. Keep all antivirus protections and operating software up-to-date. Really, every day have all computers in your office run a check for updates. This includes your antivirus, your operating system and the software you use everyday.
  2. Backup! Preferably back up to a HIPAA-compliant offsite server in case of a fire or theft. As stated above, I backup every night. These backups are rotated in and out, with one being taken home with me and put into my fireproof safe. Ok, not really, but that is what I should have been doing! My actual backup was literally sitting right next to our corrupted server.
  3. Hire someone who actually knows something about computers. They don’t have to be on fulltime staff, maybe they come by once a month. Put in place a Business Associates agreement to make everything nice and HIPPA compliant.

If the worst were to happen, your system is attacked, these steps will help in in more ways that you can imagine. The backup may be enough to keep you from paying the ransom. That tech savvy person you have on staff now will be able to help you restore the backup and off you go. The updated malware may help keep all computers and files from being infected.

These steps will also show the powers that be that you made a best effort at keeping any and all PHI located on your computers, protected. Having a Business Associates agreement with anyone who has access to PHI is also vital in showing that you and your business take security seriously. (These are also required in many states depending on your license’s and certifications.) Depending upon your state, severe fines can be levied if certain security steps are not taken before and after a breach.

We live in a world that is run by technology. It is a fact that we must accept and respect. If you or someone on your staff is not truly capable of protecting your systems, hire someone who is.

Not me, but maybe my 8 year old.

Should Ransomware Attacks Be Considered Breaches?

Why Hospitals Are the Perfect Targets for Ransomware

SCG Health blog by Email

Recent Posts



SCG Health is a tradename of the Searfoss Consulting Group, LLC. You may reproduce materials available on this site for your own personal use and for noncommercial distribution. For more information, please read the Content Sharing Policy. Art & design by SCG Health. DISCLAIMER: You should consult an attorney for individual advice regarding a particular set of facts and circumstances. SCG Health reserves the right to change the information on this website without notice.