Healthcare providers and healthcare-related businesses are subject to all the same pressures to adopt new technologies for information management that any modern business is, including portable devices such as smart phones and tablets. Using modern technologies can help improve patient care and the overall patient experience, while cutting costs and improving efficiencies of operation.
But healthcare-related businesses that manage personal information also have obligations to protect individually identifiable information about individuals’ health, health care, health care services, and payment for such services, known as Protected Health Information, or “PHI,” under the Health Insurance Portability and Accountability Act of 1996, better known as HIPAA. HIPAA enforcement is increasing, and mobile devices have shown themselves to be a prime source of breaches, according to the breach reports published on the US Department of Health and Human Services Web site listing breaches affecting 500 or more individuals, known informally as the “HIPAA Wall of Shame.” Under the HIPAA Security Rule, covered entities and their business associates must assess the security of electronic PHI both in motion and at rest and take the steps necessary to protect it from improper uses or disclosures. When PHI is sent to a portable device as a text message, as an e-mail, or through some other channel such as a browser or an app, there are two considerations.
First, is the communication secure? Do we know who the communicating parties are, and is the channel protected from interception or alteration? Proper authentication and authorization of both the device and the user must be in place, including the requirement that the user of the portable device be identifiable and auditable. Any transmission containing PHI must be protected by encryption to manage the risks of exposure or alteration. The only reasonable exception is communication with an individual (a patient, not a staff member or business partner) who has exercised their rights under HIPAA, has specifically requested unencrypted communication, has had the risks explained to them, and has accepted those risks.
Second, once the information is on the device, is it protected from improper disclosure? For mobile devices this means, first of all, not keeping the data on the device if possible, and, if it does remain, encrypting it or deleting it so that the data cannot be read if the device is lost. Access to the device and to any stored PHI must be gated by access controls that require the user to authenticate.
Once PHI is transferred to and kept on mobile devices, those devices must be managed so that the PHI stays protected if they are lost or stolen, or simply end up in the hands of an inquisitive family member or friend. Most mobile devices, straight out of the box, are not configured securely and may offer easy remote access to organizational systems as well as to the PHI held on the device. If an unprotected device holds login instructions and passwords in plain-text notes, or messages and documents containing PHI, it can become the source of a significant reportable breach with serious repercussions for the organization.
But when properly configured, most modern mobile devices can be very secure and can provide very good protection for PHI. Once-exotic technologies such as fingerprint recognition for user authentication, and remote disabling of a device or removal of its content once it is lost, are now commonplace. The problem is that the devices must be configured properly to enable that security, and the configuration must be protected from alteration by savvy users.
Mobile Device Management (MDM) tools make it possible to manage modern portable devices more securely, requiring encryption and passcodes and enforcing electronic PHI security policies for both senders and receivers. Patient information can be protected by encryption as it traverses the Internet or a mobile network, and can additionally be protected by a self-destruct feature that deletes the PHI from the device when a time limit is reached.
Security provided by MDM tools may include mobile app scanning and device security features that actively protect against malware and unauthorized data access while enforcing security policies. Mobile application management allows the organization’s approved apps to be cataloged, pushed and deleted, so that only approved tools are used for handling PHI. Routing device traffic through a VPN as part of the MDM solution shields users on untrusted networks from attacks such as man-in-the-middle interception, traffic redirection, poisoned Domain Name System (DNS) responses and wireless eavesdropping; it does not stop phishing, which has to be addressed by app controls and user awareness. And, finally, should the device be lost or stolen, remote data-wiping and auto-disabling must be tightly managed. Be sure to inform your users that they are responsible for backing up their personal information: if the device is lost or stolen, or if a forgotten passcode triggers an auto-wipe, they may lose their cherished photographs. A modern MDM tool lets administrators remotely set and enforce risk-based policies, control mobile security through centralized controls and dashboards, and run risk analytics and compliance reports, so that compliance can be verified.
Whether an organization issues mobile devices to its staff or allows them to use their own devices at work, the communications and apps used, and the mobile device management tools used to manage them, must support compliance through centralized, auditable controls that protect the confidentiality, integrity, and availability of PHI.