It is not uncommon these days to see physicians showing off their iPhones, iPads, Android phones or tablets and demonstrating how they can access their patients' health records from anywhere. Well, such a demonstration can in itself be an impermissible disclosure of PHI under HIPAA and the HITECH Act, and there is also a much larger security concern attached to the use of mobile devices. The HIPAA Privacy Rule governs how Protected Health Information (PHI) may be used and disclosed; the HIPAA Security Rule requires covered entities and their business associates to ensure the confidentiality, integrity and availability of electronic PHI through administrative, physical and technical safeguards. Another term becoming more and more popular recently is Bring Your Own Device, or BYOD, which refers to using a mobile device you personally own for work. There are considerations to be aware of for both company-maintained/issued and personally owned devices used for remote access to PHI.
Best Practices for Using Mobile Devices to Access PHI:
- Authentication: Use a password or other authentication method to identify the user of the device. This is achieved by enabling the lock screen on your mobile device and setting a strong password, PIN or passcode. The entry must be masked so that people around you cannot see it. Also set the screen to lock automatically after a short period of inactivity.
- Install / Enable Encryption: Encryption protects PHI both where it is stored on the device and while it is transmitted or received. Many mobile devices have built-in encryption, which must be turned on; otherwise you may have to procure a third-party tool for the purpose. Note that encryption at rest is only as strong as the passcode that unlocks the keys, which is why the authentication point above comes first.
- Remote Wiping and Locking/Disabling: Remote wiping lets you erase the data on a lost or stolen device from a distance. Remote locking or disabling is more useful when a device is misplaced rather than stolen: a remotely locked device can be unlocked once it is found, whereas after a remote wipe nothing can be retrieved even if the device turns up. Either command only reaches a device that is powered on and connected, so neither replaces encryption and a strong passcode.
- Disable File Sharing: Most mobile devices come with a built-in capability to share stored data within a local network or over the internet, and there are also applications that can be installed for sharing files. The device's file-sharing capability should be disabled, and no file-sharing applications should be installed on it.
- Enable Firewall: A firewall protects against unauthorized connections to your mobile device: it intercepts incoming and outgoing connections and blocks or permits them according to preset rules.
- Security / Anti-virus / Anti-Malware Software: Such software protects against malicious applications, viruses, spyware and other malware. Keep it up to date with the latest virus and malware definitions installed.
- Research New Apps Before Installing: Before installing a new app, make sure you understand the permissions it requests for access to data and functionality on your device, and whether an app that handles PHI actually needs them. Use reputable websites and sources for your research.
- Maintain Physical Control: Mobile devices have the advantage of being small and portable, which is also their biggest disadvantage when it comes to security: they are easily misplaced or stolen, and that can lead to unauthorized access to PHI. Maintain physical control of your device at all times so that it does not end up in an unauthorized person's possession.
- Using Public Wi-Fi Networks: Public wireless networks expose your traffic to interception and access by unauthorized persons. Use only secure, encrypted connections (a VPN, or applications that use TLS end to end), and use public networks at all only if you have the ability and knowledge to secure your communications that way.
Tips to protect and secure PHI on Mobile Devices:
- Install and enable encryption to protect health information stored or sent by mobile devices.
- Use a password or other user authentication.
- Install and activate wiping and/or remote disabling to erase the data on your mobile device if it is lost or stolen.
- Disable and do not install or use file-sharing applications.
- Install and enable a firewall to block unauthorized access.
- Install and enable security software to protect against malicious applications, viruses, spyware, and malware-based attacks.
- Keep your security software up to date.
- Research mobile applications (apps) before downloading.
- Maintain physical control of your mobile device. Know where it is at all times to limit the risk of unauthorized use.
- Use adequate security to send or receive health information over public Wi-Fi networks.
- Delete all stored health information on your mobile device before discarding it.
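The difference between remote lock and remote wipe, and the advice to delete stored health information before discarding a device, are easiest to see in code. The following is an added illustration written for this page, not code from the original article or from any device vendor: a small Go model of encrypted PHI storage in which the data-encryption key is kept only in wrapped form, so a wipe is a key destruction rather than a bulk overwrite of flash. The Store type, its method names, the "dek-v1"/"phi-record" labels and the sample record are all constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Store models PHI at rest on a hypothetical device: records are AES-256-GCM
// ciphertexts under a data-encryption key (DEK) that is itself stored only
// wrapped under a key-encryption key (KEK) standing in for a hardware key.
type Store struct {
	kek        []byte   // hardware-backed on a real device; random here
	wrappedDEK []byte   // DEK sealed under the KEK; nil once wiped
	records    [][]byte // nonce || ciphertext || tag, one per record
	locked     bool     // remote lock: reversible, nothing destroyed
}

var ErrLocked = errors.New("device locked: unlock to read records")
var ErrWiped = errors.New("data key destroyed: records are unrecoverable")

func must[T any](v T, err error) T {
	if err != nil {
		panic(err) // bad key length or CSPRNG failure: abort, never weaken
	}
	return v
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	must(rand.Read(b))
	return b
}

// seal encrypts under a fresh random nonce and returns nonce || ciphertext.
func seal(key, plaintext, aad []byte) []byte {
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key))))
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad)
}

// unseal reverses seal; a wrong key or altered bytes fail authentication.
func unseal(key, sealed, aad []byte) ([]byte, error) {
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key))))
	if n := gcm.NonceSize(); len(sealed) >= n {
		return gcm.Open(nil, sealed[:n], sealed[n:], aad)
	}
	return nil, errors.New("ciphertext too short")
}

// NewStore provisions a device: random KEK, DEK kept only wrapped, records encrypted.
func NewStore(records ...[]byte) *Store {
	kek, dek := randomBytes(32), randomBytes(32)
	s := &Store{kek: kek, wrappedDEK: seal(kek, dek, []byte("dek-v1"))}
	for _, r := range records {
		s.records = append(s.records, seal(dek, r, []byte("phi-record")))
	}
	return s
}

// dek unwraps the data key on demand, so lock and wipe gate every access.
func (s *Store) dek() ([]byte, error) {
	if s.locked {
		return nil, ErrLocked
	}
	if s.wrappedDEK == nil {
		return nil, ErrWiped
	}
	return unseal(s.kek, s.wrappedDEK, []byte("dek-v1"))
}

func (s *Store) Get(i int) ([]byte, error) {
	dek, err := s.dek()
	if err != nil {
		return nil, err
	}
	return unseal(dek, s.records[i], []byte("phi-record"))
}

// Lock/Unlock are the remote lock (access refused, keys untouched);
// RecordsOnDisk counts ciphertexts still physically present after a wipe.
func (s *Store) Lock()              { s.locked = true }
func (s *Store) Unlock()            { s.locked = false }
func (s *Store) RecordsOnDisk() int { return len(s.records) }

// Wipe is cryptographic erasure: drop the DEK; ciphertexts left on flash are useless.
func (s *Store) Wipe() {
	clear(s.wrappedDEK)
	s.wrappedDEK = nil
}

func main() {
	s := NewStore([]byte("MRN 0001: constructed sample record, not real PHI"))
	s.Wipe()
	_, err := s.Get(0)
	fmt.Println(err, "| ciphertexts still on disk:", s.RecordsOnDisk())
}
```

Real devices work on the same principle: file contents are encrypted under keys that are themselves protected by a hardware-bound key and the user's passcode, and "erase" discards those keys. Two caveats follow from the model. The unwrapped DEK must also be cleared from memory (the model zeroises only the wrapped copy), and a wipe or lock command reaches the device only while it is powered on and online, so encryption and a strong passcode have to be in place before the device is lost, not after.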