Andrew Shearer, CTO at Care Thread, shares the do's and don'ts of HIPAA compliance for BYOD and mobile device programs.
Clinicians use an average of 6.4 different mobile devices a day, according to an IDC Healthcare Insights study. Mobile health devices and BYOD policies give healthcare professionals smoother workflows, better team collaboration and higher productivity. However, these benefits bring with them the risk of security breaches. PwC's Health Research Institute identified the need for mobile security as one of the top ten issues hospitals will face in 2013. The same report found that 69% of the consumers surveyed were concerned about the privacy of their medical information if providers accessed it through mobile devices.
But take note: According to a survey from Aruba Networks, 85% of respondents said their organization has a BYOD policy, but the organizations varied in the types of data they allowed personal mobile devices to access. The survey found that:
- 53% of respondents said their organization only allows personal mobile devices to access the Internet;
- 24% said their organization provides personal mobile devices with limited access to hospital applications; and
- 8% said their organization provides personal mobile devices with full access to the hospital network.
So how can we balance the need for providers to communicate with colleagues against the need to protect protected health information (PHI)? To avoid the pitfalls of BYOD and realize its advantages, providers must adhere to the HIPAA and HITECH requirements for handling PHI.
“There are a few regulatory changes to HIPAA that have an impact on mobile device programs,” said Andrew Shearer, Co-Founder and Chief Technical Officer at Care Thread, a secure mobile communication and collaboration tool provider. “Healthcare organizations should take extra precautions when deploying enterprise and third-party apps on devices to maintain the security of PHI, whether they are supplied by the organization or owned by the provider.”
When implementing enterprise mobile communication solutions, healthcare IT professionals should take additional steps to maintain the integrity of PHI while avoiding the risk of a data breach and the steep penalties that follow. First, the do's:
1. Make sure your vendor and its sub-vendors are compliant with the new HIPAA Omnibus requirements:
- In January 2013, the HHS Office for Civil Rights (OCR) issued the HIPAA Omnibus Rule, which enhances patients' privacy protections, gives individuals new rights over their health information and strengthens the government's ability to enforce the law. Previously, the HIPAA Privacy and Security Rules focused on healthcare providers, health plans and other entities that process health insurance claims. The changes extend many of those requirements directly to the business associates of these entities that receive protected health information, such as contractors and subcontractors. Penalties for non-compliance are tiered by level of negligence, up to an annual maximum of $1.5 million for violations of an identical provision. The changes also strengthen the Health Information Technology for Economic and Clinical Health (HITECH) breach notification requirements by clarifying when breaches of unsecured health information must be reported to HHS. Individuals can now request electronic copies of their medical records, and their authorization is required before their information is used for marketing.
- Under the Omnibus Rule, vendors to healthcare organizations must not only sign business associate agreements (BAAs) with the organization; they must also hold BAAs with their own subcontractors that handle PHI. The agreement should describe how the vendor meets the security and privacy provisions of HIPAA and the HITECH Act, and its responsibilities in the event of a breach. Vendors are not required to show their subcontractors' BAAs to the healthcare organization, but asking for them as part of your RFP is a sound practice.
2. Use two levels of security upon login to enterprise apps:
- The first stage can be achieved by leveraging the organization's Active Directory, so that each provider signs in with the same hospital credentials they already use. This keeps initial access to apps quick and the credentials easy to remember, and it means access is revoked centrally when the directory account is disabled.
- The second stage is a separate PIN for quick re-entry to the mobile app while it is in active use. The app should lock itself after a period of inactivity and require the PIN to resume; five minutes is a reasonable default, although the limit can vary from a few minutes to a few hours. According to the University of Miami's Miller School of Medicine, shorter limits are appropriate in higher-risk locations where the public has regular access to systems that handle sensitive data. Cap the number of failed PIN attempts and fall back to a full directory login once the cap is reached, so that a short PIN cannot be guessed at leisure.
3. Have the capability to remotely wipe a device if it goes missing:
- While this is not required by HIPAA, it should be an essential administrative practice in any mobile or BYOD program. Many organizations use Mobile Device Management (MDM) platforms to manage devices that have access to sensitive data. Remote wipe lets an administrator, once notified that a device is missing, send a command that deletes the data on it. According to TechTarget, a remote wipe can also mean deleting data in selected folders, repeatedly overwriting stored data to prevent forensic recovery, returning the device to factory settings, or removing all programming on the device, essentially turning it into a brick that is of no further use to anyone. Two caveats: a wipe command only takes effect when the device next connects to the MDM service, so full-device encryption and the lock screen remain the first line of defense for a lost device; and on a personally owned device, a selective wipe of the enterprise container is usually preferable to erasing the owner's personal data.
The don'ts:
1. Allow PHI or any other data to be written to the mobile device:
- Though many consumer-oriented mobile messaging apps give providers a high level of convenience, they are generally not HIPAA-compliant: they store messages on the device, usually without encryption to regulatory standards. A healthcare communication app should make messages and PHI available only while the user is logged in and keep them on the server rather than in device storage. All network data sent and received by mobile clients should be encrypted in transit, for example over TLS using a strong cipher such as the Advanced Encryption Standard (AES). Other helpful security features include message lifespan limits and message recall.
2. Permit integrations with insecure file-sharing / hosting services:
- Consumer cloud storage and file-sharing services such as Dropbox and Evernote are not HIPAA-compliant and should not be used to transmit PHI. HIPAA's Security Rule requires administrative, physical and technical safeguards for stored PHI, including authentication of every user who accesses the data. A few vendors, such as CloudPrime's QuickDrop, do offer HIPAA-compliant cloud file sharing. When evaluating such services, ask the vendor for an in-depth review of its security controls, and remember that no service is HIPAA-compliant for your organization until the vendor has signed a BAA with you.
3. Set it and forget it:
- Do audit mobile devices periodically. Every organization should have an auditing schedule for devices that transmit work-related information, to confirm they comply with organizational and regulatory requirements. According to ID Experts, healthcare providers should conduct a thorough technical review and risk audit of these mobile devices before and while they are in use. Assessments need to cover how, when and by whom each device will be used.
- Do make sure all apps are up to date. Security risks and threats change constantly, so security software and every other application on the device must be updated regularly. The manufacturer or wireless carrier can push software updates directly to mobile devices; use automatic updates or vendor notifications where available so that updates arrive promptly. Make sure users install security updates as soon as they become available instead of choosing "remind me later"; an MDM platform can enforce a minimum OS version and deny access to devices that fall behind.
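The two-stage login from Do #2 (directory credentials, then a PIN gate that re-locks after inactivity and gives up after repeated failures) and the server-side message lifespan and recall from Don't #1 are easiest to see in code. The following is an added illustration written for this page, not Care Thread's software: the Active Directory login is assumed to have already happened and is represented only by the session's user name, the idle-timeout table and the PBKDF2 PIN hashing are the author's assumptions, and the messages in the usage are constructed sample data.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Callable, Dict, List

# Assumed policy table (constructed for this example): seconds of inactivity before
# the app locks, shorter where the public has regular access to the device.
IDLE_TIMEOUT_SECONDS = {"public_ward": 120, "clinic_office": 300, "home": 900}
MAX_PIN_ATTEMPTS = 5
PBKDF2_ROUNDS = 100_000


def hash_pin(pin: str, salt: bytes) -> bytes:
    """Salted PBKDF2-SHA256 so the PIN itself is never stored on the device."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)


class AppSession:
    """Second login stage: a PIN gate in front of a session the directory login opened."""

    def __init__(self, user: str, pin: str, location: str,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.user = user  # identity established by the (assumed) directory login
        self.salt = os.urandom(16)
        self.pin_hash = hash_pin(pin, self.salt)
        self.timeout = IDLE_TIMEOUT_SECONDS[location]
        self.clock = clock
        self.last_activity = clock()
        self.locked = False
        self.failed_attempts = 0
        self.terminated = False  # too many bad PINs: a full directory login is required again

    def _expire_if_idle(self) -> None:
        if not self.locked and self.clock() - self.last_activity >= self.timeout:
            self.locked = True

    def is_locked(self) -> bool:
        self._expire_if_idle()
        return self.locked or self.terminated

    def touch(self) -> None:
        """Record activity; refuse if the session is locked or terminated."""
        if self.is_locked():
            raise PermissionError("session locked: re-enter PIN")
        self.last_activity = self.clock()

    def unlock(self, pin: str) -> bool:
        if self.terminated:
            return False
        if hmac.compare_digest(hash_pin(pin, self.salt), self.pin_hash):
            self.locked = False
            self.failed_attempts = 0
            self.last_activity = self.clock()
            return True
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_PIN_ATTEMPTS:
            self.terminated = True
        return False


@dataclass
class Message:
    msg_id: int
    sender: str
    recipient: str
    body: str
    expires_at: float
    recalled: bool = False


class MessageService:
    """Server-side store: messages live only here, each with a lifespan and a recall flag."""

    def __init__(self, clock: Callable[[], float] = time.monotonic) -> None:
        self.clock = clock
        self._messages: Dict[int, Message] = {}
        self._next_id = 1

    def send(self, sender: str, recipient: str, body: str, lifespan_seconds: float) -> int:
        msg = Message(self._next_id, sender, recipient, body, self.clock() + lifespan_seconds)
        self._messages[msg.msg_id] = msg
        self._next_id += 1
        return msg.msg_id

    def recall(self, sender: str, msg_id: int) -> bool:
        """Only the original sender may recall a message."""
        msg = self._messages.get(msg_id)
        if msg is None or msg.sender != sender:
            return False
        msg.recalled = True
        return True

    def inbox(self, session: AppSession) -> List[str]:
        """Deliver live messages for the session's user; nothing is served to a locked session."""
        session.touch()
        now = self.clock()
        # Expired and recalled messages are purged here and never reach a client.
        self._messages = {i: m for i, m in self._messages.items()
                          if m.expires_at > now and not m.recalled}
        return [m.body for m in self._messages.values() if m.recipient == session.user]
```

The client never holds a message longer than one `inbox()` call, so there is nothing to wipe from device storage; a locked session raises rather than returning cached data, and a message whose lifespan ran out while the app sat locked is simply gone when the user returns. Injecting `clock` makes the idle timeout testable without sleeping.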
For clinicians to use mobile devices to enhance communication and care collaboration, healthcare IT organizations need plans in place that meet the do's and don'ts above, so that patient information is protected and regulatory compliance is maintained. Without proper BYOD safeguards and best practices, the private information that healthcare organizations, and above all patients, trust us to protect could go up in smoke.