Free Hospital EMR and EHR Newsletter Want to receive the latest news on EMR, Meaningful Use, ARRA and Healthcare IT sent straight to your email? Join thousands of healthcare pros who subscribe to Hospital EMR and EHR for FREE!

To-Do List for Making Your Mobile Devices HIPAA Compliant

Posted on March 3, 2014 I Written By

The following is a guest blog post by Joe Grettenberger, HIPAA Security Analyst with HIPAA One.
Joe Grettenberger
Mobile device use in the workplace is becoming more commonplace today, and this is true with many healthcare professionals. Staff members can now more easily communicate through text message or iChat and quickly look up and share a patient’s health information or status through mobile devices.

But it’s also true that the increased use of mobile devices leads to an increased chance of healthcare providers being at risk of protected health information being seen or stolen by unauthorized people, which in turn means an increased chance of dealing with HIPAA compliance issues.

Follow these steps below to ensure your healthcare business and its mobile devices are HIPAA compliant.

  1. Perform a mobile device environment inventory (including all applications, ICT services & security services expected) and risk assessment that includes system threat models per SP 800-124 R1.
  2. Create an “approved mobile device” policy for the company that specifies what approved mobile devices are.
  3. Configure applications and systems that make up the mobile device environment (client & server side) and the mobile devices themselves per the policy (e.g. disable USB ports on laptops & desktops that connect to company network, lock mobile device SIM cards, etc.  See more suggestions below.)
  4. Carefully evaluate current solutions and add mobile device management and mobile device protection software that make sense.
  5. Run a pilot, test it and roll out when the risks are acceptable.
  6. Educate/train users on their portion (their responsibilities) of mobile device security.
  7. Monitor the policy.
  8. Enforce the policy with appropriate sanctions for mobile device security incidents.

Additional suggestions to step 3 are:

Use and activate a phone passcode or some other type of user authentication. All mobile devices allow for a password, PIN, or passcode to be set up before a user can access that device. Typing that information in provides user authentication for that device. Make sure your password, PIN, or passcode is strong so it’s hard for someone to guess it. It’s also wise to keep it a secret and not store it in your mobile device. You can also set up a screen lock so your device locks and requires inputting your user authentication again after a short amount of time of not being used. Doing these things prevents unauthorized access to your mobile device.

Set a required login for apps and research each app before downloading. Some apps save your information after you’ve logged in once, which is convenient because you don’t have to input that information every time you open it. But that also makes it easier for someone who gains access to your phone to gain access to protected health information. Any app you use that stores or delivers this private data should have its settings set to require a login each time you try and open the app. Be sure to also research apps before you download and install them on your mobile device. Verify that each app only performs functions you agree to so you don’t put yourself or your healthcare company at risk.

Install and authorize encryption. Encryption converts your data into a form that can’t be read without a password or the decryption key. You can encrypt data that’s stored on and sent by your mobile device. If your mobile device has an encryption capability, then enable it. If it doesn’t, then download an encryption app. To protect data sent to your device, use a secure browser connection or a virtual private network. When you encrypt data on your mobile device, you prevent unauthorized access to that data.

Install and activate remote wiping or disabling. Remote wiping lets you erase data on your mobile device remotely if for any reason it gets lost or stolen. Remote disabling lets you remotely lock your device or erase the data stores on that device. If and when you recover your device, you have the ability to unlock it with remote disabling. Using one or both of these security tools is quite valuable. No one plans on losing or having their mobile device stolen, but sometimes it happens, and with these security tools you’re able to safeguard any protected data on your device.

Install and enable a personal firewall and security software. A firewall protects your mobile device against unauthorized connections. It intercepts any incoming or outgoing connection attempt and then blocks or permits each attempt based on certain guidelines. Security software protects your device against any malicious software, such as viruses and malware. Make sure to keep your software up to date though. You can enable a personal firewall and security software if your mobile device has them, or you can download and install both if needed. These protect the private health information on your phone and help keep certain information from being accessed by the wrong person.

Keep physical control of your mobile device. Because mobile devices are smaller in size and easily portable, they’re also easily lost or stolen. To keep your device and the confidential information on it secure, always try and keep it with you, don’t let others use it, and keep it safely put away when you’re not using it. All these things help with the prevention of unauthorized user access to your mobile device and the data on it.

Mobile device use with healthcare professionals is only going to continue rising, so it’s extremely important to take all the necessary measures to safeguard your patients’ health information with all mobile phones, tablets and laptops. Following this to-do list will make sure your mobile device is HIPAA compliant, and it will keep you, your mobile device, your healthcare company, and all your patients’ health information protected.

Also see OWASP’s Top 10 Mobile Controls and Design Principles:

https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Controls

Extra:  The following recommendations are adapted from the 2012 CIS Google Android 4 Benchmark:

  1. Update ‘firmware’ to latest version
  2. Enable ‘password’
  3. Enable ‘Require alphanumeric value’
  4. Set ‘timeout…’ for ‘Sleep’ after 5 seconds
  5. Remove Entries in ‘Wi-Fi’
  6. Disable ‘Network Notification’
  7. Disable ‘Wi-Fi’ where unnecessary
  8. Disable ‘Bluetooth’ where unnecessary
  9. Disable ‘Location Services’ where unnecessary
  10. Enable ‘Airplane Mode’ where signal reception is unnecessary
  11. Erase all data before return, recycle, reassignment, or other disposition
  12. Disable ‘Notifications’
  13. Enable ‘Lock SIM card’
  14. Disable ‘make passwords visible’
  15. Enable ‘Encrypt phone ‘
  16. Disable ‘developer options’
  17. Disable ‘Unknown sources’
  18. Limit the ‘number of messages’ for ‘Text message limit’
  19. Limit the ‘number of messages’ for ‘Multimedia message limit’

About The Author         
Joe Grettenberger is a HIPAA Security Analyst with HIPAA One. Joe has over 25 years experience as an IT Assurance professional, with 8 years of technology auditing experience both in the public and private sectors. Joe is a certified information systems auditor (CISA) and compliance & ethics professional (CCEP). For more information about HIPAA One, please visit their website.

Hospital Aren’t Supporting Nursing Smartphones

Posted on December 11, 2012 I Written By

Anne Zieger is veteran healthcare editor and analyst with 25 years of industry experience. Zieger formerly served as editor-in-chief of FierceHealthcare.com and her commentaries have appeared in dozens of international business publications, including Forbes, Business Week and Information Week. She has also contributed content to hundreds of healthcare and health IT organizations, including several Fortune 500 companies. She can be reached at @ziegerhealth or www.ziegerhealthcare.com.

Here’s one more example of where Bring Your Own Device is causing security problems for hospitals. A new report by Spyglass Consulting Group suggests that while most nurse use personal smartphones on the job, few hospital IT departments support these devices.

According to Spyglass, 69 percent of hospitals said that their nurses use personal mobile devices, often to fill in gaps left by the technology the hospital provides for communication. This is no surprise. While there’s an armada of personal nursing devices which allow nurses to communicate with other staffers, smartphones do a better job, as they’re light, boast an easy to use interface and unlike VoWiFi devices, unaffected by local network ups and downs.

It’s worth noting that 25 percent of care providers interviewed by Spyglass weren’t happy with the quality and reliability of the wireless network within their facilities.  That’s further evidence that VoIP devices commonly used for nursing communication aren’t riding on a solid base.

So, nurses are driven to use the smartphones they bring in from home.  Those phones become the basis for mission-critical communications around day-to-day care. But at the risk of repeating myself — OK, I’ve already repeated myself often on this subject — these unsupported, vulnerable devices can be hacked or stolen quite easily. If a phone is left in a public area, not only are nurses deprived of a critical communications channel, the e-mail or texts or voicemails they’ve sent regarding patient care has just walked off as well, offering bunch of private data in the clear. Plus, there are free solutions to this communications, privacy and security problem like docBeat that are much much more functional than what’s on the nurses’ personal devices anyway.

According to the Spyglass researchers, who conducted 100+ interviews with nurses working in acute care, hospital IT personnel are concerned about the increasing dependence of clinicians on personal mobile devices.  But I note that at least in the report summary written up by Healthcare IT News, you don’t hear about a stampede of hospital IT departments rushing to establish support policies and deploy enterprise-class mobile management tools. I must say, I’m not sure what they’re waiting for.