This article can also be found in the Premium Editorial Download "Health IT: Strategies to secure personal mobile devices on health care networks."
Download it now to read this article plus other related content.
One of the big trends in IT at the moment is bring your own device (BYOD). Today users expect to be able to access corporate data not just from their desktops, but also from consumer electronic
More tips for supporting mobile device usage
Mobile devices bring health interoperability challenges, opportunities
Tips for deploying mobile devices, iPads in a health care setting
The blurry distinction between mobile devices and computers
The ABCs of federal regulation for mobile devices in health care
HIPAA does not differentiate between computing devices. Any device that a user uses to access network resources is defined as a workstation, whether it is a desktop, tablet, smartphone or other device. Therefore, one of the first provisions that must be taken into account is 164.310(C) Standard Workstation Security. This requirement states that organizations must implement physical safeguards for all workstations that access electronic protected health information (ePHI) to restrict access to authorized users.
Another important requirement that must be addressed is 164.310(D)(1) Device and Media Control. This requirement states that organizations are required to implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of a facility, and the movement of these items within the facility.
To paraphrase these requirements: Any computing device that is used to access electronic health records must be configured securely, and if a computing device stores EHRs then its whereabouts must be tracked.
Mobile device usage and HIPAA compliance
Obviously the previously stated requirements present some major challenges when it comes to BYOD. After all, the organization does not own an end user’s personal mobile device, and therefore has no control over its configuration. It must therefore be assumed that the device is inherently insecure.
Likewise, because the device is owned by the end user and is designed for mobility, it is unlikely that the organization will be able to continuously track the device’s whereabouts in accordance with HIPAA.
HIPAA imposes some strict requirements for workstations, and it might at first seem as though these requirements would prevent the use of mobile devices. With careful planning however, it is possible to allow users to access data from their mobile devices while still maintaining HIPAA compliance.
At first glance, it seems as if the biggest barrier to mobile device usage is the requirement to track the whereabouts of such devices. However, the requirement clearly states that tracking is only necessary if the device contains electronic protected health information. In other words, you can get around the requirement for device tracking by not storing any electronic protected health information directly on mobile devices (which you really shouldn’t be doing anyway).
Any computing device that is used to access electronic health records must be configured securely, and if a computing device stores EHRs then its whereabouts must be tracked.
One of the easiest ways to accomplish this is to treat mobile devices as remote desktop clients. Rather than installing any software or storing any data directly on the mobile device, the mobile device instead establishes a remote desktop protocol (RDP) session with a computer on your network. That way, all of the electronic protected health information remains on a system which has been adequately secured and proven to be HIPAA compliant.
This technique works particularly well if your organization uses virtual desktop infrastructure (VDI). In a VDI environment, users can access their regular desktops directly through mobile devices.
The other major requirement that must be addressed is device security. HIPAA requires various safeguards for any device that accesses electronic patient data, including disposal, backup, encryption and other policies. Because the mobile devices belong to the end users, you cannot assume anything about the device's overall security.
There are two main things that can be done to address HIPAA security requirements. First, make sure that users who are connecting mobile devices to your systems are not using single sign-on technology. In the interest of security, users should be required to manually enter their full credential set each time that they connect to the organization's computers.
Another thing that you should do is take measures to encrypt the user's session. There are several ways in which this can be accomplished. The easiest method is probably to force mobile device users to attach to your network through a VPN.
If your organization has a wireless network, that network should be treated as an insecure medium. This means setting up a virtual private network (VPN) specifically for your wireless network as a way of guaranteeing that all wireless traffic is encrypted (beyond the hardware level encryption provided by Wi-Fi) and authenticated.
Allowing users to access health care systems through their personal wireless devices, while still maintaining HIPAA compliance, is a tall order. Even so, it is not impossible. Implementing a secure connective infrastructure and avoiding device level data storage can go a long way toward making mobile device access feasible.
This was first published in June 2012