In my June 30th post entitled The High Cost of HIPAA Violations, I referred to the recent IT security breach at Concentra Health Services, which agreed to pay $1,725,220 in fines after a single unencrypted laptop was stolen from one of its facilities. This was far from an isolated incident: healthcare companies are struggling to align HIPAA compliance regulations with IT security policies for mobile devices. If you allow mobile devices on your organization’s network, or have a BYOD (Bring Your Own Device) policy in place, our best practices for securing mobile devices can save you some headaches – and possibly some stiff fines – in the future.
1) Require the use of a password or device key
In our May 27th blog, 4 Ways to Protect Your Company from a Data Breach, we recommended that every employee and contractor who uses a company-issued laptop also get an RSA key fob. This mechanism generates a one-time personal identification number (PIN) that is used together with a dedicated password to log in. Even if a hacker steals a laptop, they have to know the employee’s or contractor’s password AND the unique code from the RSA device.
TIP: Mandate that an employee’s RSA key fob be kept separate from their laptop.
Mobile devices such as tablets and smartphones should also be configured to require a password, passcode or PIN to access them. These fields can be masked to prevent other people from seeing what is typed. Mobile devices should also be set up to lock the screen after a set period of inactivity.
TIP: Require that all mobile device users change their passwords, passcodes and PINs every quarter.
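As an added example (not code from the original post), here is a small Python audit that reads an Apple configuration profile with the standard plistlib module and checks its passcode payload (PayloadType com.apple.mobiledevice.passwordpolicy, using Apple's forcePIN, allowSimple, maxInactivity, maxPINAgeInDays and maxFailedAttempts keys) against the rules in this section. The 90-day rotation comes from the quarterly tip above; the 5-minute idle lock and the 10-failed-attempt limit are assumed thresholds, and the sample profiles are constructed.

```python
"""Audit an Apple configuration profile's passcode payload against item 1:
passcode required, screen lock after a short idle period, quarterly
rotation, and a cap on failed attempts (iOS wipes the device past it)."""
import plistlib

# Policy thresholds: 90 days is the post's "every quarter"; the rest are assumptions.
MAX_IDLE_MINUTES = 5
MAX_PIN_AGE_DAYS = 90
MAX_FAILED_ATTEMPTS = 10

PASSCODE_PAYLOAD = "com.apple.mobiledevice.passwordpolicy"


def passcode_findings(profile_bytes: bytes) -> list:
    """Return the policy gaps found in the profile (an empty list means compliant)."""
    profile = plistlib.loads(profile_bytes)
    payloads = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == PASSCODE_PAYLOAD]
    if not payloads:
        return ["no passcode policy payload present"]
    p, findings = payloads[0], []
    if not p.get("forcePIN", False):
        findings.append("forcePIN is false: devices may run without a passcode")
    if p.get("allowSimple", True):  # Apple's default permits simple codes like 1234
        findings.append("allowSimple is true: simple passcodes are permitted")
    idle = p.get("maxInactivity")
    if idle is None or idle > MAX_IDLE_MINUTES:
        findings.append(f"maxInactivity {idle} exceeds {MAX_IDLE_MINUTES} minutes")
    age = p.get("maxPINAgeInDays")
    if age is None or age > MAX_PIN_AGE_DAYS:
        findings.append(f"maxPINAgeInDays {age} exceeds quarterly rotation")
    attempts = p.get("maxFailedAttempts")
    if attempts is None or attempts > MAX_FAILED_ATTEMPTS:
        findings.append(f"maxFailedAttempts {attempts}: no limit on repeated failures")
    return findings


def make_profile(**policy) -> bytes:
    """Build a minimal constructed profile plist carrying one passcode payload."""
    payload = {"PayloadType": PASSCODE_PAYLOAD, "PayloadVersion": 1,
               "PayloadIdentifier": "example.passcode.policy", **policy}
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadVersion": 1,
                           "PayloadIdentifier": "example.profile",
                           "PayloadContent": [payload]})


# Constructed samples: a lax profile and one that meets the thresholds above.
WEAK_PROFILE = make_profile(forcePIN=True, allowSimple=True,
                            maxInactivity=15, maxPINAgeInDays=365)
STRONG_PROFILE = make_profile(forcePIN=True, allowSimple=False, maxInactivity=5,
                              maxPINAgeInDays=90, maxFailedAttempts=10)

if __name__ == "__main__":
    for finding in passcode_findings(WEAK_PROFILE):
        print("FINDING:", finding)
```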
2) Install or enable encryption
Forty-six percent of data breaches stem from physical theft or loss of unencrypted devices – with healthcare being the biggest offender. The surge in HIPAA compliance violations stemming from a lack of IT security measures prompted Sue McAndrew, OCR’s deputy director of health information privacy, to publicly encourage companies to encrypt their data. Many mobile devices have built-in encryption capabilities; otherwise you can buy and install encryption tools. If a device is lost or stolen, encryption makes it difficult to read the data on the device.
TIP: Set up encryption on any device backups as well. Some devices have this built into the hardware, but it needs to be enabled.
3) Install and activate remote wiping and/or remote disabling
Installing a remote wipe capability allows you to remove all data from a mobile device in the event it’s lost or stolen.
TIP: Some mobile device management software allows you to selectively wipe data, so your employee can keep his iTunes library on his personal laptop even after you wipe all the corporate data from it.
4) Disable and disallow any file sharing applications
Be wary of allowing any file sharing applications such as Dropbox. These applications allow you to copy information directly to a cloud service provider, putting electronic protected health information (ePHI) at risk.
TIP: Disable all file sharing applications, or use mobile device management software that separates ePHI from other data and prevents it from being duplicated.
5) Keep your IT security software up to date
Regularly updating your security software and operating systems provides you with the latest tools to prevent unauthorized access to health information on your organization’s mobile devices.
TIP: Store your software licensing info in a single, central location. Review it quarterly and update as necessary.
6) Use Wi-Fi cautiously
Exercise caution when using public Wi-Fi networks to send or receive health information. Using the public Wi-Fi at your local coffee shop opens you up to having your information intercepted by hackers.
TIP: Use a Virtual Private Network whenever you’re connected to a public Wi-Fi network. VPN connections are encrypted, which helps ensure that data intercepted on the public network is unreadable.
To learn more about how to align healthcare operations in the cloud with HIPAA compliance regulations, register here for our latest webinar – HIPAA Compliance: Simple Steps to the Healthcare Cloud – on Thursday, July 17th at 3 p.m. EDT.