By Marla Durben Hirsch, contributing writer
Tread carefully if you store, send, receive or transmit electronic protected health information (ePHI) via a laptop, iPhone or other portable electronic device. The Department of Health and Human Services’ Office for Civil Rights (OCR) has issued a new alert about the vulnerability of such information.
The alert, released in a newsletter October 31, notes that while mobile devices are convenient and easy to use, the ePHI on them is particularly difficult to keep secure. The devices are usually left on default settings, which let them connect to unsecured Wi-Fi, Bluetooth, cloud storage or file-sharing services where others can reach the data. Users commonly download malware or viruses without realizing it, which can expose or corrupt the data on the device. And the devices themselves are frequently lost or stolen.
For example, more than 27% of the breaches of 500 or more patient records archived on HHS’ HIPAA breach “wall of shame” were due to the loss or theft of a laptop or other portable device. That figure doesn’t even include potentially related breaches, such as emails containing ePHI sent from a mobile device to the wrong recipient or that were intercepted.
“As mobile devices are increasingly and consistently used by covered entities and business associate[s] and their workforce members to store or access ePHI, it is important that the security of mobile devices is reviewed regularly, and modified when necessary, to ensure ePHI remains protected,” OCR says in the alert.
OCR recommends that entities:
- Include mobile devices when conducting their HIPAA-required security risk analyses to identify vulnerabilities that could compromise patient data and take action to reduce any vulnerabilities or risks found.
- Implement policies and procedures regarding the use of mobile devices in the work place, especially when used to create, receive, maintain, or transmit ePHI.
- Consider using Mobile Device Management (MDM) software to manage and secure mobile devices.
- Install or enable automatic lock/logoff functionality.
- Require authentication to use or unlock mobile devices.
- Regularly install security patches and updates.
- Install or enable encryption, anti-virus/anti-malware software, and remote wipe capabilities.
- Use a privacy screen to prevent people close by from reading information on your screen.
- Use only secure Wi-Fi connections.
- Use a secure Virtual Private Network (VPN).
- Reduce the risks posed by third-party apps: prohibit the downloading of third-party apps, use whitelisting so that only approved apps can be installed, securely separate ePHI from other apps, and verify that apps hold only the minimum permissions they require.
- Securely delete all ePHI stored on a mobile device before discarding or reusing the mobile device.
- Train staff on how to securely use mobile devices.
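Several of the items above (encryption, lock/logoff, authentication, patching, remote wipe, app whitelisting, minimum permissions) can be checked mechanically against the inventory an MDM exports, which is the practical way to "include mobile devices" in the risk analysis OCR asks for. The script below is an added example, not code from OCR or the article; the inventory records, field names, the app allowlist and the 30-day patch threshold are all constructed for illustration and do not follow any vendor's export schema.

```python
"""Audit a mobile-device inventory against the OCR mobile-device checklist.

Added example. The INVENTORY records and their field names are constructed
for illustration; a real MDM export uses its own schema and would be mapped
onto these fields first.
"""
from datetime import date

# Constructed sample export: three devices, two of them deliberately weak.
INVENTORY = [
    {"id": "lap-001", "os": "macOS", "encrypted": True, "auto_lock_sec": 300,
     "auth_required": True, "remote_wipe": True, "last_patch": "2023-10-20",
     "apps": ["EHRClient", "MailApp"],
     "permissions": {"EHRClient": ["camera"], "MailApp": []}},
    {"id": "phn-002", "os": "iOS", "encrypted": True, "auto_lock_sec": 0,
     "auth_required": False, "remote_wipe": True, "last_patch": "2023-06-01",
     "apps": ["EHRClient", "FlashlightPro"],
     "permissions": {"EHRClient": ["camera"],
                     "FlashlightPro": ["contacts", "location"]}},
    {"id": "lap-003", "os": "Windows", "encrypted": False, "auto_lock_sec": 600,
     "auth_required": True, "remote_wipe": False, "last_patch": "2023-10-25",
     "apps": ["EHRClient"], "permissions": {"EHRClient": ["camera"]}},
]

# Hypothetical policy values: which apps may be installed, which permissions
# each approved app may hold, the longest acceptable auto-lock delay, and how
# stale patches may be before the device is flagged.
APP_ALLOWLIST = {"EHRClient", "MailApp"}
ALLOWED_PERMISSIONS = {"EHRClient": {"camera"}, "MailApp": set()}
MAX_LOCK_SEC = 900
MAX_PATCH_AGE_DAYS = 30
AUDIT_DATE = date(2023, 10, 31)  # date the sample audit is run


def audit_device(dev, today=AUDIT_DATE, allowlist=APP_ALLOWLIST,
                 allowed_perms=ALLOWED_PERMISSIONS, max_lock_sec=MAX_LOCK_SEC,
                 max_patch_age=MAX_PATCH_AGE_DAYS):
    """Return a list of findings for one device; empty means compliant."""
    findings = []
    if not dev["encrypted"]:
        findings.append("storage not encrypted")
    if not dev["auth_required"]:
        findings.append("no authentication to unlock")
    # A lock delay of 0 means auto-lock is off; too long a delay is as bad.
    if dev["auto_lock_sec"] <= 0 or dev["auto_lock_sec"] > max_lock_sec:
        findings.append("auto-lock disabled or too long")
    if not dev["remote_wipe"]:
        findings.append("remote wipe not enabled")
    age = (today - date.fromisoformat(dev["last_patch"])).days
    if age > max_patch_age:
        findings.append(f"patches {age} days old")
    unapproved = sorted(set(dev["apps"]) - allowlist)
    if unapproved:
        findings.append("unapproved apps: " + ", ".join(unapproved))
    # Minimum-necessary check only for approved apps; unapproved ones are
    # already flagged above and should be removed rather than tuned.
    for app, perms in dev["permissions"].items():
        if app not in allowlist:
            continue
        excess = sorted(set(perms) - allowed_perms.get(app, set()))
        if excess:
            findings.append(f"{app} has excess permissions: {', '.join(excess)}")
    return findings


def audit_inventory(inventory, today=AUDIT_DATE):
    """Map device id -> findings for every device in the export."""
    return {d["id"]: audit_device(d, today) for d in inventory}


def noncompliant_ids(inventory, today=AUDIT_DATE):
    """Sorted ids of devices with at least one finding."""
    return sorted(i for i, f in audit_inventory(inventory, today).items() if f)


if __name__ == "__main__":
    for dev_id, findings in audit_inventory(INVENTORY).items():
        print(f"{dev_id}: {'OK' if not findings else '; '.join(findings)}")
```

The findings list is the raw material for the risk analysis: each entry maps to a checklist item above, and a device with an empty list has nothing outstanding on the controls the export can show. Items the export cannot show (privacy screens, staff training, secure disposal) still have to be verified by procedure.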
Don’t expect leniency on this one
OCR’s concern about protecting patient data on portable devices is not new. The agency has previously published resources on this topic, including videos, checklists and FAQs. But the fact that OCR felt a need to repeat itself indicates that it believes that entities are not “getting the memo” and are not taking proper precautions.
It also shows that this is a front-burner issue for the agency, and that entities which fail to comply despite the plethora of repeated guidance are more likely to face harsher punishment.
Takeaway: Entities that suffer a breach of ePHI related to a mobile device are not going to be able to defend themselves on the ground that there was no guidance to help them protect the data. Now’s a good time to assess your office’s use of portable devices and reduce the risk that patient information will be exposed.