Introduce a mobile data security protocol
Protecting patients’ health information and avoiding HIPAA violations in the age of smartphones and tablets.
BY DARLA SHEWMAKER
The acronym BYOD represents “Bring Your Own Device,” a recent trend in which companies encourage employees to use their personal smartphones and tablets in the workplace to reduce company costs. And they’re being used in ophthalmic practices — one study found that 87% of physicians use a smartphone or tablet in the workplace.1 Physicians use these devices in part due to the number of available healthcare apps for everything from retinal imaging to help with ICD-10 codes. And it’s not limited to just apps — many staff members use smartphones to e-mail other staff members, physicians, or even patients.
If you use a smart device to communicate with patients, do you know whether their protected health information (PHI) is safe? The risks of breaching patient PHI are enormous, carrying fines from $100 to $50,000 per violation (including a maximum penalty of $1.5 million per year for violations of an identical provision) or even criminal charges and jail time. Therefore, you and your staff must be aware of the possibility of breaches and take security measures to stay HIPAA compliant.
Know the risks
Have you experienced that sinking feeling in your stomach when you can’t find your phone? You retrace your steps in your mind, then you think of the personal information on your phone, such as passwords. You may even recall communicating with patients regarding their personal information or that the device is connected to your patient database. Without a passcode, whoever finds the device could access all of this information without breaking a sweat.
The risks you assume with mobile devices are much greater than the risks associated with using a computer inside your office. Smart devices can be easily lost or stolen, and viruses or malware downloaded onto a device can become a threat to your entire network. Unsecured public networks can leave your device vulnerable to hacking. Even if you take the time to educate yourself and your staff on safe practices, the device could be shared with family or friends who may not be aware of these safeguards and the consequences of their actions.
Steps to mobile security
Your staff can benefit from using their own device because they have a comfort level with it. Also, having the ability to access the device out of the office can increase productivity. Weigh these and other benefits along with the risks to determine if your organization wants to allow the use of personally owned mobile devices at work.
Once the decision is made whether to allow mobile devices, your practice needs a policy for their in-office use. Without it, your practice may be giving implied consent to their use. Then, you will need to initiate appropriate security protocols and provide ongoing education for everyone in the practice. HealthIT.gov provides great education resources for your staff (http://tinyurl.com/OPmobiledata2).
Among the security protocols, you must keep a log of all devices utilized in the practice, whether owned by the practice or by individual staff members. This is necessary in order to track any possible breach of PHI. Also, ensure wireless connections are secured through your practice VPN. In addition, identify what information may be stored on the device as well as what may be accessed from it. If staff members store practice or patient information on the device, you’ll need to make sure it is backed up from the mobile device to a secure server.
Other mobile security safeguards include:
• Using a password or other user authentication. Passwords should include letters (upper and lower case), numbers, and keyboard characters/punctuation marks. Fingerprint login, voice, or camera authentication can improve security as well. Also, don’t store passwords on your mobile device.
• Installing and enabling encryption. Encrypting data stored locally on your mobile device (data at rest) and data sent by your mobile device (data in motion) protects it from unauthorized users.
• Installing and enabling a firewall. Firewalls intercept incoming and outgoing connection attempts and block or permit them based on a set of rules.
• Installing and enabling security software. Security software can protect against malicious applications, viruses, spyware, and malware-based attacks.
• Researching mobile applications before downloading. Verify that the apps only perform functions you approve, and read reputable reviews.
• Maintaining physical control. Have staff members lock their devices in a secure location (such as a desk drawer) when not in use.
• Using adequate security over public Wi-Fi networks. Regardless of whether you are using a public or private Wi-Fi connection (such as at your house), you can use a virtual private network (VPN), which encrypts the information you send.
Dealing with a lost or replaced device
Just like your practice needs a fire drill procedure, you need a lost device protocol. By enabling remote wiping, you can permanently delete data stored on a lost or stolen mobile device. Every staff member should know what this is and how to use it.
You also need a notification policy when devices are replaced to ensure all PHI or sensitive data is removed. The average American replaces their smartphone about every two years, according to Recon Analytics. Do you know how to make sure all your personal data (and your patients’ data) is 100% removed? HHS OCR issued guidance regarding the proper steps to remove health information and other sensitive data stored on your mobile device before you dispose or reuse the device (http://tinyurl.com/OPmobiledata3). Remember to include your policy on mobile devices in your HIPAA security risk analysis.
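The device log, the safeguards checklist, and the lost-device protocol above fit together naturally as one small audit tool. The following Python script is an added example, not code from the article or its author: it assumes the practice keeps its device log as a CSV with one yes/no column per safeguard (the column names and the sample rows are constructed for illustration), flags devices that are missing a safeguard, and, when a device is reported lost, derives the protocol actions from what the log says about that device.

```python
import csv
import io

# Constructed sample device log (not real data): one row per device used in
# the practice, as the article recommends keeping. The yes/no flags record
# whether each safeguard from the checklist is in place on that device.
DEVICE_LOG_CSV = """\
device_id,owner,practice_owned,passcode,encrypted,remote_wipe,vpn,security_sw,stores_phi
D-001,dr_example,no,yes,yes,yes,yes,yes,yes
D-002,tech_example,no,no,no,yes,no,no,yes
D-003,frontdesk_example,yes,yes,yes,no,yes,yes,no
D-004,dr_example,no,yes,no,yes,yes,no,no
"""

# Checklist safeguards mapped to the (assumed) column names in the log.
SAFEGUARDS = {
    "passcode": "user authentication (passcode, fingerprint, etc.)",
    "encrypted": "encryption of data at rest",
    "remote_wipe": "remote wipe enabled",
    "vpn": "practice VPN configured",
    "security_sw": "security software installed",
}


def load_register(csv_text):
    """Parse the device log into a list of dicts with boolean safeguard flags."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        rec = {"device_id": row["device_id"], "owner": row["owner"]}
        for col in ("practice_owned", "stores_phi", *SAFEGUARDS):
            rec[col] = row[col].strip().lower() == "yes"
        rows.append(rec)
    return rows


def missing_safeguards(device):
    """Names of the checklist items not in place on one device."""
    return [col for col in SAFEGUARDS if not device[col]]


def audit(register):
    """Map device_id -> missing safeguards for every non-compliant device."""
    report = {}
    for dev in register:
        gaps = missing_safeguards(dev)
        if gaps:
            report[dev["device_id"]] = gaps
    return report


def lost_device_actions(register, device_id):
    """Lost-device protocol actions for one device, derived from the log.

    A device that holds PHI without both a passcode and at-rest encryption
    is treated as a potential PHI breach, which is the reason the log exists.
    """
    dev = next((d for d in register if d["device_id"] == device_id), None)
    if dev is None:
        return ["device not in register: add it and investigate how it was missed"]
    actions = []
    if dev["remote_wipe"]:
        actions.append("issue remote wipe")
    else:
        actions.append("no remote wipe available: change all credentials used on the device")
    if dev["vpn"]:
        actions.append("revoke the device's VPN credentials")
    if dev["stores_phi"] and not (dev["passcode"] and dev["encrypted"]):
        actions.append("treat as potential PHI breach: start breach risk assessment")
    return actions


def devices_for_owner(register, owner):
    """All devices one staff member has registered (for tracing exposure)."""
    return [d["device_id"] for d in register if d["owner"] == owner]


if __name__ == "__main__":
    reg = load_register(DEVICE_LOG_CSV)
    for dev_id, gaps in audit(reg).items():
        print(dev_id, "missing:", ", ".join(SAFEGUARDS[g] for g in gaps))
    print("D-002 reported lost:", lost_device_actions(reg, "D-002"))
```

Running the script on the sample log lists D-002, D-003 and D-004 with their gaps and shows that losing D-002 (which stores PHI without a passcode or encryption) escalates to a breach risk assessment, while losing D-001 only requires a wipe and credential revocation. The point of keeping the yes/no columns current is that this decision can be made in minutes from the log rather than reconstructed after the fact.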
Smartphones, smartwatches, and tablets are here to stay. Beware the teetotaler approach to devices in the workplace. Even if you don’t see them, your staff is using them.
For a safe and effective BYOD policy, monitor, moderate, and educate staff on these protocols. OP
For more, visit the U.S. Department of Health and Human Services’ website (http://www.hhs.gov/ocr/privacy).
Darla Shewmaker has spent 17 years on the front lines of EHR design and implementation. She recently left her position as VP of product development and is focusing on ophthalmic practice consultations, education and compliance. E-mail her at Darla@destinationsconsulting.com.