Mobile devices are so ubiquitous and full of useful features that it’s not surprising that medical professionals use these when administering healthcare services. For instance, nurses, doctors, and caregivers use tablets to access and update patients’ charts. They host virtual consultations over telemedicine apps on their laptops and take pictures of patients' external injuries using the camera on their mobile phones.
For all the conveniences mobile devices provide, such machines also come with data security risks that must be addressed if your practice is to remain HIPAA-compliant:
- The portability of mobile devices also makes them easy to steal or lose.
- Mobiles are not shielded by firewalls and may lack antivirus software and encryption protocols.
- Users may expose their personal mobile devices to unsecure public Wi-Fi connections, malware-ridden websites and email attachments, and apps designed to deliver data-stealing malware.
- Users may share their personal devices with family and friends, which may lead to the inadvertent exposure of patients’ protected health information (PHI).
- Healthcare professionals lack training on how to use mobile devices in a HIPAA-compliant manner.
For all the conveniences mobile devices provide, such machines also come with data security risks that must be addressed if your practice is to remain HIPAA-compliant
The best way to protect PHI is by issuing devices that are strictly for healthcare purposes
If your practice can afford to issue staff with devices that are exclusively for the delivery of healthcare services, then do so. This grants you greater control and visibility over the devices and how these are used, and also delivers several significant benefits:
- Everything is vetted
You can control everything, from which apps can be installed to which sites users may visit. IT admins should be the only ones allowed to install apps on the devices and users shouldn’t be able to visit risky or unvetted sites. - Cybersecurity tools can be put into place
You can enroll machines in a mobile device management (MDM) program, which allows you to roll out vulnerability patches and remote wipe devices once these are reported lost or stolen. You can also install antivirus software and subscribe users to VPN services. - You can also implement more secure access protocols
Because of how easy it is to use, the four-digit PIN is one of the most popular screen lock methods for mobile devices. However, a hacker could easily break a PIN because of its brevity and lack of complexity. When issuing a device, you can set it so that it will require the user to enter a strong password and/or other identity authentication factors like a fingerprint scan. - Users tend to be more careful not to share the issued devices
When users are taught the importance of keeping PHI private and secure, they’ll know better than to lend company-issued devices to unauthorized people.
Tips on how to be HIPAA-compliant when allowing personnel to use personal devices
Not all practices can afford to provide mobile devices to their personnel, which often leads management to implement bring your own device (BYOD) policies. Here are three tips for protecting PHI in this scenario:
- Implement mobile device management
MDM can still be applied on personal devices, provided that new accounts are created first. This way, a user’s personal account may still be used normally, but the new account will be under the control of IT admins. If a staff member resigns or upgrades to a new model, admins can remotely wipe the corporate account without ever affecting the personal one. - Follow mobile security protocols
There are some basic things you should and shouldn’t do when handling patient data on personal devices: - Apply all app and OS updates as soon as these become available
- Install an antivirus program
- Ensure that the devices you plug your mobile device into are clean of malware and are secured
- Encrypt the data you store
- Use a VPN to encrypt the data you transmit
- Set a password instead of a four-digit passcode for unlocking your device
- Connect to public or other unsecured Wi-Fi
- Jailbreak your device, as doing this dismantles many of the device’s built-in security features
- Leave PHI viewable or accessible when you leave your device behind or lend it to someone else
- Store PHI in the device; instead, put patient files and information in secure cloud or on-premises storage
- Provide regular cybersecurity training to your staff
According to the HIPAA Privacy Rule, healthcare providers and other covered entities are required to “train all members of [their] workforce on the policies and procedures with respect to protected health information.” This is partnered with the HIPAA Security Rule, which requires covered entities to “implement a security awareness and training program for all members of its workforce (including management).”
Do:
Do not:
To help everyone abide by HIPAA regulations when it comes to using mobile devices, they must be trained regularly. Beyond sit-down lectures, occasional drills and cyberattack simulations ought to make the training lessons stick.
If you need help complying with HIPAA, turn to Online Computers. We created The Guard®, an all-in-one compliance solution. To learn more about it and why it has a 100% customer satisfaction rate, download our flyer today.
