The specter of HIPAA is at the back of every health care provider’s mind, every day, in every interaction. Providers must constantly question if the information they are sharing, and how they are sharing it, falls within the law’s privacy guidelines. If they aren’t following the rules, they know, they could face significant fines and other consequences.
Yet for many providers, the same care and consideration that they give to conversations, emails, and other interactions doesn’t always extend to their mobile device use. Often it is providers’ assumptions about the security of their devices (they believe the devices are more secure than they really are) that lead to potential HIPAA violations, not to mention the risk of a data breach. For that reason, health care providers and facilities should make mobile device security a higher priority in order to protect patient information and confidentiality.
High Numbers, High Complexity
According to the most recent studies, about three-quarters of all providers use their smartphones as part of their practice. A little more than half use tablets in their duties caring for patients. Providers are using their devices for everything from communicating with patients via email or text message to viewing test results or medical images to make a diagnosis. And it’s not just providers who are taking health care mobile: Patients are using their devices to make and confirm appointments via text, and using apps to access their medical records and patient accounts.
The sheer number of devices being used within the health care realm increases the complexity of mobile security needs. Simply put, there are so many places where things can go wrong, that it’s challenging even the most technologically advanced organization to implement the proper controls and safety protocols to protect patient data and adhere to federal privacy and security guidelines.
To help, the Office of the National Coordinator for Health Information Technology created a five-step process for mobile device management: deciding which mobile devices are acceptable to use on your network and will be granted access, assessing the risk that mobile technology presents to the organization, identifying a risk management strategy, developing and documenting a mobile device management plan, and training staff and providers in mobile device security.
Best Practices for Mobile Device Security in Healthcare
However, despite the government’s step-by-step plan, many users struggle to identify and implement the specific steps that need to be taken to protect patient data. To that end, there are a few best practices to consider.
1. Implement user authentication controls. One of the biggest dangers to any device, in and outside of health care, is inadequate security controls. Locking the device with a passcode and using biometrics can go a long way to keeping the device data safe from prying eyes. Providers should use any and all device locking mechanisms to secure devices used for work.
2. Implement remote and automatic lock and wipe capabilities for use when a device is lost or stolen, or after an excessive number of incorrect login attempts.
3. Install security programs. With hackers and viruses now targeting mobile devices with the same intensity as desktop computers, it’s important for health care professionals to install Internet security software onto their mobile devices as well, to prevent harmful apps and malware from infiltrating the health care networks and compromising protected data.
4. Employ encryption. Whether on a device or an app-by-app basis, data that is stored or transmitted via the device should be encrypted. Email and attachments should also be secured and encrypted to ensure that unauthorized individuals do not see it — even by accident.
5. Develop an application policy. In BYOD environments, controlling the applications installed on personal devices is a touchy subject, but it is vital for health care users to understand the potential risks associated with harmful applications. At the very least, providers must be educated on how to evaluate apps, or seek approval for the installation of unapproved apps on devices used for work. In addition, file-sharing applications should be banned, and providers prohibited from using unapproved and unsecured file-sharing services to share patient data.
6. Encourage regular updates. Updating operating systems regularly is an important part of any security strategy. Hackers target vulnerabilities in operating systems, and installing updates helps close those holes and protect data. Develop a policy of notifying providers of important updates and enforce update requirements.
In many ways, protecting patient information on mobile devices comes down to the same common sense principles that one would use to protect his or her own personal data. By treating mobile security with the same care and attention as they would any other form of communication, providers can avoid creating HIPAA violations and costly data breaches.
Kristen Hamlin is an adjunct instructor at Central Maine Community College and her work has appeared in Lewiston Auburn Magazine, Young Money, USA Today and a variety of online outlets.