To comply with HIPAA and the HITECH Act, organizations must address mobile device loss, theft and physical damage. Rebecca Herold, an information privacy, security and compliance consultant who runs Rebecca Herold & Associates LLC, highlighted 10 risk-reducing actions for mobile device security in a recent Mobile HealthCareToday webinar.
Create policies and procedures. First and foremost, they must be formally documented: written, not spoken. These policies must also be consistent with business workflows and be feasible to follow. “You must implement policies and procedures that are customized to your organization and to your business activities,” she said. A business cannot simply download policies from a website, implement them and expect them to function properly. If businesses take that course and are then audited, it is a recipe for penalties. Finally, as straightforward as it seems, do not deviate from the mobile device security policies that your organization documents.
Conduct training and raise awareness. People are the weakest link in security and privacy, said Herold. One example is an organization that copied and pasted the actual text of the HIPAA regulations into several hundred PowerPoint slides, put them in a shared folder on its network, and then sent a message to staff telling them to look at it. Not only is that insufficient training, but it is rather “mind numbing” to go through copious amounts of slides, she said. One beneficial training method, on the other hand, is setting up an intranet page specific to mobile communications so staff can interact and pose questions. What’s more, many laws and regulations, namely HIPAA and HITECH, require formal, ongoing training on compliance for mobile technologies, said Herold.
Practice encryption. The loss or theft of protected health information (PHI) is an ongoing problem in health care security in general and mobile device security in particular. To mitigate risk, strong encryption is needed for data in transit, data at rest, and email, whether it is accessed on a tablet PC, smartphone or laptop. Encryption is “addressable” in the HIPAA Security Rule, which does not mean it is optional, urged Herold. An addressable specification must be implemented where it is reasonable and appropriate; otherwise the organization must document why it is not and put an equivalent alternative safeguard in place. Encryption that can be managed remotely is one solution, especially if a mobile device ends up in the hands of an unauthorized user.
Perform data backups. Regularly scheduled backups that sync data from a device to enterprise systems are imperative not only for everyday workflow but also for disaster recovery. Backup and sync solutions should also be tested to ensure that old data on a device does not overwrite newer data on enterprise systems.
Implement data loss prevention tools. To keep PHI out of the hands of criminals, a data loss prevention (DLP) tool with content scanning can inspect outbound traffic such as email for PHI patterns and alert administrators when a leak occurs. Implementing DLP is a risk mitigation activity that supports HIPAA risk management compliance.
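As an added example that is not part of the webinar or the original article, the following Python script shows the kind of content scanning a DLP tool performs on outbound email: it looks for PHI-shaped identifiers (SSN, medical record number, date of birth), discards SSN-shaped numbers the Social Security Administration never issues to cut false positives, masks the matched values so the alert itself does not leak PHI, and only raises an alert when the message leaves the organization’s own domain. The internal domain name, the MRN format and all sample messages are constructed for illustration and are not from any real system.

```python
"""Minimal content-scanning DLP check over constructed outbound messages (illustrative only)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Hypothetical internal domain; PHI sent within it is not alerted on.
INTERNAL_DOMAINS = {"example-hospital.org"}

# Detectors. The MRN pattern is an assumed format (6-10 digits after "MRN").
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
MRN_RE = re.compile(r"\bMRN\s*[:#]?\s*(\d{6,10})\b", re.IGNORECASE)
DOB_RE = re.compile(r"\bDOB\s*:?\s*(\d{1,2}/\d{1,2}/\d{4})\b", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    detector: str  # which pattern matched
    value: str     # matched text, already masked


def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject SSN-shaped numbers that are never issued: area 000, 666 or 900-999,
    group 00, serial 0000. This removes many placeholder and test values."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


def mask(value: str) -> str:
    """Keep only the last four characters so the alert log does not become a second leak."""
    return "*" * (len(value) - 4) + value[-4:]


def scan_text(text: str) -> List[Finding]:
    """Run every detector over the text and return masked findings."""
    findings: List[Finding] = []
    for m in SSN_RE.finditer(text):
        if plausible_ssn(*m.groups()):
            findings.append(Finding("ssn", mask(m.group(0))))
    for m in MRN_RE.finditer(text):
        findings.append(Finding("mrn", mask(m.group(1))))
    for m in DOB_RE.finditer(text):
        findings.append(Finding("dob", mask(m.group(1))))
    return findings


def recipient_domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def evaluate_message(msg: Dict) -> Optional[Dict]:
    """Return an alert when PHI is addressed to an external recipient, else None."""
    findings = scan_text(msg["subject"] + "\n" + msg["body"])
    if not findings:
        return None
    external = [r for r in msg["to"] if recipient_domain(r) not in INTERNAL_DOMAINS]
    if not external:
        return None  # PHI stays inside the organization: no alert for this policy
    return {
        "id": msg["id"],
        "external_recipients": external,
        "findings": [f.detector for f in findings],
        "masked": [f.value for f in findings],
    }


# Constructed sample traffic, not real data.
SAMPLE_MESSAGES = [
    {"id": "m1", "to": ["dr.smith@example-hospital.org"],
     "subject": "Patient follow-up", "body": "MRN 00412345, DOB 03/14/1961, needs labs."},
    {"id": "m2", "to": ["cousin@mail.example.net"],
     "subject": "fwd: chart", "body": "SSN 219-09-9999 MRN: 00412345 discharge notes attached"},
    {"id": "m3", "to": ["vendor@billing.example.com"],
     "subject": "invoice", "body": "Test record SSN 000-12-3456, ignore."},
    {"id": "m4", "to": ["friend@mail.example.net"],
     "subject": "lunch", "body": "Conference room 219 at noon?"},
]


def run(messages=SAMPLE_MESSAGES) -> List[Dict]:
    """Evaluate every message and return only the alerts."""
    return [a for a in (evaluate_message(m) for m in messages) if a]


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

Only message m2 produces an alert: m1 contains PHI but stays internal, m3 carries an SSN-shaped placeholder that fails the issuance check, and m4 matches nothing. A production DLP engine adds many more detectors (diagnosis codes, names joined with identifiers, attachment inspection) and tunes thresholds against the organization’s own false-positive rate, but the structure is the same.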
Watch for malware. Since malware can steal and delete information, place safeguards on your firewalls, wireless networks, mobile computers and email services.
Use GPS to track devices. As mentioned, many breaches occur when devices are lost. A tracking service can help locate a device, and recovering it can avoid the need to report a health care data breach. RFID tags can track mobile computers and mobile storage devices and help locate lost devices within a facility, while GPS can monitor the movement of devices from a central location. Beyond mobile device security, RFID technology can also keep the hardware inventory up to date.
Implement user authentication. Individual authentication, such as a password or PIN, establishes accountability and responsibility for the actions of a provider accessing data. Another method is biometrics such as fingerprints or facial recognition, though Herold noted that an enterprise should “make sure” to implement a backup authentication method in case of system malfunction or a loss of data integrity. Authentication also matters in electronic health record (EHR) use, especially since meaningful use requires documentation of who has accessed PHI. (Providers are increasingly using mobile devices to access EHR systems.)
Use remote data wipe and lock tools. This technology either deletes the information on a device or locks it in the event that it is lost or stolen. It is also important when personnel leave an organization and take a mobile device with them; it is a viable way to protect data if a staffer leaves on bad terms, whatever the reason.
Specify requirements for Business Associates (BAs). All BAs must comply with the HIPAA Security Rule, the HITECH Act and many HIPAA Privacy Rule mandates to avoid penalties. Herold said it is a smart idea to list all security requirements in the BA contract. Although most BA contracts are vague (at least in Herold’s experience), they should be specific.
Two final steps in mobile device security compliance are to undergo point-in-time audits and to use Compliance Helper to monitor BA compliance activities and to review breach notice requirements, Herold noted.