The following is a guest blog post by Joe Grettenberger, HIPAA Security Analyst with HIPAA One.
Mobile device use in the workplace is becoming more commonplace today, and this is true with many healthcare professionals. Staff members can now more easily communicate through text message or iChat and quickly look up and share a patient’s health information or status through mobile devices.
But it’s also true that the increased use of mobile devices leads to an increased chance of healthcare providers being at risk of protected health information being seen or stolen by unauthorized people, which in turn means an increased chance of dealing with HIPAA compliance issues.
Follow these steps below to ensure your healthcare business and its mobile devices are HIPAA compliant.
- Perform a mobile device environment inventory (including all applications, ICT services & security services expected) and risk assessment that includes system threat models per SP 800-124 R1.
- Create an “approved mobile device” policy for the company that specifies what approved mobile devices are.
- Configure applications and systems that make up the mobile device environment (client & server side) and the mobile devices themselves per the policy (e.g. disable USB ports on laptops & desktops that connect to company network, lock mobile device SIM cards, etc. See more suggestions below.)
- Carefully evaluate current solutions and add mobile device management and mobile device protection software that make sense.
- Run a pilot, test it and roll out when the risks are acceptable.
- Educate/train users on their portion (their responsibilities) of mobile device security.
- Monitor the policy.
- Enforce the policy with appropriate sanctions for mobile device security incidents.
Additional suggestions to step 3 are:
Use and activate a phone passcode or some other type of user authentication. All mobile devices allow for a password, PIN, or passcode to be set up before a user can access that device. Typing that information in provides user authentication for that device. Make sure your password, PIN, or passcode is strong so it’s hard for someone to guess it. It’s also wise to keep it a secret and not store it in your mobile device. You can also set up a screen lock so your device locks and requires inputting your user authentication again after a short amount of time of not being used. Doing these things prevents unauthorized access to your mobile device.
Set a required login for apps and research each app before downloading. Some apps save your information after you’ve logged in once, which is convenient because you don’t have to input that information every time you open it. But that also makes it easier for someone who gains access to your phone to gain access to protected health information. Any app you use that stores or delivers this private data should have its settings set to require a login each time you try and open the app. Be sure to also research apps before you download and install them on your mobile device. Verify that each app only performs functions you agree to so you don’t put yourself or your healthcare company at risk.
Install and authorize encryption. Encryption converts your data into a form that can’t be read without a password or the decryption key. You can encrypt data that’s stored on and sent by your mobile device. If your mobile device has an encryption capability, then enable it. If it doesn’t, then download an encryption app. To protect data sent to your device, use a secure browser connection or a virtual private network. When you encrypt data on your mobile device, you prevent unauthorized access to that data.
Install and activate remote wiping or disabling. Remote wiping lets you erase data on your mobile device remotely if for any reason it gets lost or stolen. Remote disabling lets you remotely lock your device or erase the data stores on that device. If and when you recover your device, you have the ability to unlock it with remote disabling. Using one or both of these security tools is quite valuable. No one plans on losing or having their mobile device stolen, but sometimes it happens, and with these security tools you’re able to safeguard any protected data on your device.
Install and enable a personal firewall and security software. A firewall protects your mobile device against unauthorized connections. It intercepts any incoming or outgoing connection attempt and then blocks or permits each attempt based on certain guidelines. Security software protects your device against any malicious software, such as viruses and malware. Make sure to keep your software up to date though. You can enable a personal firewall and security software if your mobile device has them, or you can download and install both if needed. These protect the private health information on your phone and help keep certain information from being accessed by the wrong person.
Keep physical control of your mobile device. Because mobile devices are smaller in size and easily portable, they’re also easily lost or stolen. To keep your device and the confidential information on it secure, always try and keep it with you, don’t let others use it, and keep it safely put away when you’re not using it. All these things help with the prevention of unauthorized user access to your mobile device and the data on it.
Mobile device use with healthcare professionals is only going to continue rising, so it’s extremely important to take all the necessary measures to safeguard your patients’ health information with all mobile phones, tablets and laptops. Following this to-do list will make sure your mobile device is HIPAA compliant, and it will keep you, your mobile device, your healthcare company, and all your patients’ health information protected.
Also see OWASP’s Top 10 Mobile Controls and Design Principles:
Extra: The following recommendations are adapted from the 2012 CIS Google Android 4 Benchmark:
- Update ‘firmware’ to latest version
- Enable ‘password’
- Enable ‘Require alphanumeric value’
- Set ‘timeout…’ for ‘Sleep’ after 5 seconds
- Remove Entries in ‘Wi-Fi’
- Disable ‘Network Notification’
- Disable ‘Wi-Fi’ where unnecessary
- Disable ‘Bluetooth’ where unnecessary
- Disable ‘Location Services’ where unnecessary
- Enable ‘Airplane Mode’ where signal reception is unnecessary
- Erase all data before return, recycle, reassignment, or other disposition
- Disable ‘Notifications’
- Enable ‘Lock SIM card’
- Disable ‘make passwords visible’
- Enable ‘Encrypt phone ‘
- Disable ‘developer options’
- Disable ‘Unknown sources’
- Limit the ‘number of messages’ for ‘Text message limit’
- Limit the ‘number of messages’ for ‘Multimedia message limit’
About The Author
Joe Grettenberger is a HIPAA Security Analyst with HIPAA One. Joe has over 25 years experience as an IT Assurance professional, with 8 years of technology auditing experience both in the public and private sectors. Joe is a certified information systems auditor (CISA) and compliance & ethics professional (CCEP). For more information about HIPAA One, please visit their website.