Healthcare Security: HIPAA Standards and The Challenges of Securing Mobile Data

Brad Spannbauer

"$2.5 Million Settlement Shows That Not Understanding HIPAA Requirements Creates Risk" (HHS press release, 2017)

That is the title of an April 2017 news announcement issued by the Department of Health and Human Services. The announcement describes a case in which a covered entity's employee left an unsecured laptop, containing the electronic protected health information (ePHI) of more than a thousand individuals, in a parked car, and the laptop was then stolen.

Now, this story might sound like nothing more than a fluke: a string of poor decisions and impossibly bad luck. But it might actually be relevant to you because, according to the HHS press release, the company that settled here for millions of dollars had likely already violated HIPAA compliance in multiple ways even before the laptop was stolen. And some of the HIPAA-required steps the company failed to take might be common oversights among covered entities, maybe even your company. The announcement explains, for example, that the investigation found the company's risk analysis and risk management processes to be "insufficient" according to HIPAA standards. Investigators also noted that the company failed to provide them with its final policies and procedures for implementing safeguards for ePHI, including on mobile devices.

Securing ePHI on mobile devices. That is probably why you clicked on this blog. If you represent a covered entity or business associate, you know that protecting the ePHI entrusted to your company is becoming exponentially more difficult as your staff continues to access, store, view and transmit this data on ever-more mobile devices, even if they're careful enough not to leave those devices unsecured and unattended in parked cars. As the director of the HHS Office for Civil Rights (OCR) warns, "Mobile devices in the healthcare sector remain particularly vulnerable to theft and loss." So, if you are investigating processes for protecting your company's ePHI across your mobile device environment, here are a couple of key questions worth asking at the outset:

  • What exactly does our organization need to be on the lookout for in terms of risks to ePHI on mobile devices?
  • What steps can we take to start bringing our mobile device usage up to HIPAA standards?

The Many Risks of HIPAA Breaches Caused by ePHI on Mobile Devices

One of the particularly frustrating things about HIPAA is that although the law mandates that covered entities and business associates "must take steps" to protect the ePHI under their charge, the law's language does not offer anything approaching a detailed list of what those steps for achieving compliance actually are. This was an intentional decision by lawmakers to allow for the introduction of new technologies, ever-improving security protocols and creative solutions developed by covered entities themselves to more efficiently protect their patients' personal data. But the guidance on the law, as reflected on the HHS website HealthIT.gov, offers some useful advice, starting with what mobile device risks covered entities should be aware of.

  • Mobile devices can be lost

Say what you will about the high cost, the space requirements and the other issues with in-house fax servers. At least your employees aren't likely to leave them behind at a restaurant.

  • Mobile devices can be stolen

As demonstrated by the HHS announcement of a covered entity settling for $2.5 million for allowing a laptop containing ePHI to be stolen from an employee's car, the risk of having a mobile device containing ePHI stolen is a real one.

  • Employees can mistakenly download malware

Staffers at covered entities may innocently download dangerous code to their mobile devices, leaving any ePHI on those devices vulnerable to theft, and creating a HIPAA compliance violation. Be especially careful with devices running Android OS because many fake apps out there are vectors for malware, and some devices have in the past even allowed users to manually bypass security controls. But even iOS has been shown to be at risk, so vigilance is required for any brand or make of mobile device.

  • Employees can inadvertently share ePHI by not protecting their mobile screens

Because your employees use their mobile devices everywhere (in stores, at their kids' sports practices and piano lessons, in line at the coffee shop), if they are not shielding their screens or taking similar measures when they view a patient's information, they might be inadvertently "sharing" your company's ePHI. But innocent or not, that is a direct violation of HIPAA.

  • Mobile devices can access ePHI on unsecured networks

Another serious risk of HIPAA noncompliance can occur when your employees (perhaps also while in line at the coffee shop) use the establishment's public and unsecured WiFi network to view or transmit your company's ePHI. Again, although this might be an entirely innocent mistake, that fact will not protect your company if the error results in an ePHI breach or if HIPAA's investigators come knocking.

Sounds pretty concerning, right? It certainly can be, if your company does not take steps to implement a plan for safeguarding ePHI on your employees' company-issued and personal mobile devices.

Advice from the HHS on Securing and Protecting ePHI on Mobile Devices

Fortunately, though, the HHS's HealthIT.gov website also offers suggestions to protect and secure ePHI when using a mobile device, including:

  1. Protect mobile devices with passwords or other user authentication

You can build into your IT team's process a step to add password protection to all company-issued mobile devices before handing them out. You can also issue a companywide directive that all mobile devices, whether personal or company-issued, that the staff uses to store or transmit ePHI must be secured with a password or other authentication mechanism.

  2. Equip mobile devices with encryption

Your IT team will need to decide here how to implement this policy logistically, but it might be a good idea to insist that all employees who use their own smartphones, tablets or laptops for viewing or transmitting ePHI must allow you to install and enable encryption software on those devices. The fact is, had the ePHI on the stolen laptop been protected by "strong" encryption, as defined by NIST, the National Institute of Standards and Technology, the theft would not be considered a reportable data breach under HIPAA guidelines.

  3. Install and enable a firewall on mobile devices

This will allow you to create a set of rules that allow mobile devices used by your staff to automatically intercept connection attempts and then block those deemed to be untrustworthy. This can help thwart a would-be hacker from stealing ePHI on the device.

  4. Enable remote wiping or disabling on mobile devices

This highly effective tool in your mobile-security arsenal allows your IT team to remotely erase data stored on a mobile device or even lock the device entirely. If an employee changes jobs or loses a company-issued smartphone or tablet containing ePHI (or if it's stolen), your IT team would be able to wipe any data on that device immediately.

  5. Implement a secure-WiFi-only rule for working with ePHI on mobile devices

A companywide policy directive insisting that employees access ePHI only when they know they are on a secure WiFi network can help reduce the likelihood that your ePHI will be vulnerable to cybercriminals even when your employees are accessing that data outside of your corporate firewall.

This list is far from complete. You can find the rest of HealthIT.gov's additional mobile ePHI security suggestions here, but even that list doesn't include all of the security measures worth implementing to protect your company against both mobile-device data breaches and HIPAA auditors. But that is a great starting point for bringing any covered entity's processes into better alignment with HIPAA.

And I will add one more to this list, which is: don't allow ePHI to be stored on mobile or portable devices, ever. Those devices should be used to access and view patient data records in a clinical setting only. The records themselves should reside in servers housed in high-security locations, preferably a data center.
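The five HealthIT.gov safeguards above, plus the no-local-storage rule, can be turned into a repeatable audit of a device inventory. This is an added example, not code from the article or from HHS; the `Device` fields and the sample inventory are constructed and do not mirror any real MDM export format. The `loss_is_reportable` check encodes the article's point that a lost device holding ePHI is a reportable breach unless the data was protected by NIST-strong encryption.

```python
"""Audit a mobile device inventory against the five HealthIT.gov safeguards
plus the author's rule that ePHI should not live on portable devices.
Added example: field names and sample records are constructed, not an
export format of any real MDM product."""
from dataclasses import dataclass


@dataclass
class Device:
    device_id: str
    owner: str
    company_issued: bool
    stores_ephi: bool              # ePHI resides on the device itself
    passcode_enforced: bool        # 1. password or other user authentication
    disk_encryption: str           # 2. "none", "weak", or "nist" (NIST-strong)
    firewall_enabled: bool         # 3. on-device firewall
    remote_wipe_enrolled: bool     # 4. remote wipe/disable available
    untrusted_wifi_allowed: bool   # 5. may join public Wi-Fi while handling ePHI


def audit_device(d: Device) -> list[str]:
    """Return findings; an empty list means every safeguard is in place."""
    findings = []
    if not d.passcode_enforced:
        findings.append("no device authentication")
    if d.disk_encryption != "nist":
        findings.append("encryption not NIST-strong")
    if not d.firewall_enabled:
        findings.append("firewall disabled")
    if not d.remote_wipe_enrolled:
        findings.append("remote wipe unavailable")
    if d.untrusted_wifi_allowed:
        findings.append("public Wi-Fi permitted for ePHI")
    if d.stores_ephi:
        findings.append("ePHI stored locally (should reside on a server)")
    return findings


def loss_is_reportable(d: Device) -> bool:
    """Lost/stolen device holding ePHI is a reportable breach unless the data
    was protected by NIST-strong encryption (the safe harbor noted above)."""
    return d.stores_ephi and d.disk_encryption != "nist"


def audit_inventory(devices: list[Device]) -> dict[str, list[str]]:
    return {d.device_id: audit_device(d) for d in devices}


# Constructed sample inventory; LAPTOP-01 resembles the stolen laptop in the article.
INVENTORY = [
    Device("LAPTOP-01", "clinician-a", True, True, True, "none", True, False, False),
    Device("PHONE-02", "clinician-b", False, False, True, "nist", True, True, False),
    Device("TABLET-03", "clinician-c", True, False, False, "nist", False, True, True),
]

if __name__ == "__main__":
    for dev_id, findings in audit_inventory(INVENTORY).items():
        print(dev_id, findings or "compliant")
```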

ePHI Sent by Fax Must Also Comply with HIPAA

I'll leave you with one more ePHI security tip: don't forget fax security and compliance. Remember, if you send any patient records, insurance forms or other personal information via fax, then your fax processes also fall under HIPAA guidelines. So when you're researching processes to improve your mobile environment's HIPAA compliance, it's worth adding secure fax to the list as well, and perhaps replacing your legacy fax infrastructure (which likely does not fully comply with all HIPAA requirements) with a modern, secure cloud fax solution (which does).

By Brad Spannbauer
A 20 year industry veteran, Brad Spannbauer currently oversees product strategy and planning, and provides direction and market leadership for j2 Cloud Connect's worldwide business as their Senior Director of Product Management. His focus in the Healthcare and Legal verticals led to Brad's involvement with the j2 Cloud Services™ compliance team, where he leads the team as the company's HIPAA Privacy & Compliance Officer. To find out more visit https://enterprise.efax.com/