“$2.5 Million Settlement Shows That Not Understanding HIPAA Requirements Creates Risk” — HHS press release, 2017
That is the title of an April 2017 news announcement issued by the Department of Health and Human Services. The announcement describes a case in which a covered entity’s employee left an unsecured laptop — containing the electronic protected health information (ePHI) of more than a thousand individuals — in a parked car, and the laptop was then stolen.

Now, this story might sound like nothing more than a fluke — a string of poor decisions and impossibly bad luck. But it might actually be relevant to you because, according to the HHS press release, the company that settled here for millions of dollars had likely already violated HIPAA requirements in multiple ways even before the laptop was stolen. And some of the HIPAA-required steps the company failed to take might be common oversights among covered entities — maybe even your company. The announcement explains, for example, that the investigation found the company’s risk analysis and risk management processes to be “insufficient” according to HIPAA standards. Investigators also noted that the company failed to provide them with its final policies and procedures for implementing safeguards for ePHI, including on mobile devices.

Securing ePHI on Mobile Devices

That is probably why you clicked on this blog. If you represent a covered entity or business associate, you know that protecting the ePHI entrusted to your company is becoming exponentially more difficult as your staff continues to access, store, view and transmit this data on ever-more mobile devices — even if they’re careful enough not to leave those devices unsecured and unattended in parked cars. As the director of the HHS Office for Civil Rights (OCR) warns, “Mobile devices in the healthcare sector remain particularly vulnerable to theft and loss.”

So, if you are investigating processes for protecting your company’s ePHI across your mobile device environment, here are a couple of key questions worth asking at the outset:
- What exactly does our organization need to be on the lookout for in terms of risks to ePHI on mobile devices?
- What steps can we take to start bringing our mobile device usage up to HIPAA standards?
The Many Risks of HIPAA Breaches Caused by ePHI on Mobile Devices
One of the particularly frustrating things about HIPAA is that although the law mandates that covered entities and business associates “must take steps” to protect the ePHI under their charge, the law’s language does not offer anything approaching a detailed list of what those steps for achieving compliance actually are. This was an intentional decision by lawmakers to allow for the introduction of new technologies, ever-improving security protocols and creative solutions developed by covered entities themselves to more efficiently protect their patients’ personal data. But the guidance on the law — as reflected on the HHS website HealthIT.gov — offers some useful advice, starting with what mobile device risks covered entities should be aware of.
- Mobile devices can be lost
Say what you will about the high cost, the space requirements and the other issues with in-house fax servers. At least your employees aren’t likely to leave them behind at a restaurant.
- Mobile devices can be stolen
As demonstrated by the HHS announcement of a covered entity settling for $2.5 million for allowing a laptop containing ePHI to be stolen from an employee’s car, the risk of having a mobile device containing ePHI stolen is a real one.
- Employees can mistakenly download malware
Staffers at covered entities may innocently download dangerous code to their mobile devices, leaving any ePHI on those devices vulnerable to theft — and exposing your company to a HIPAA compliance violation. Be especially careful with devices running Android OS, because many fake apps out there are vectors for malware, and some devices have in the past even allowed users to manually bypass security controls. But even iOS has been shown to be at risk, so vigilance is required for any brand or make of mobile device.
- Employees can inadvertently share ePHI by not protecting their mobile screens
Because your employees use their mobile devices everywhere — in stores, at their kids’ sports practices and piano lessons, in line at the coffee shop — if they are not shielding their screens or taking similar measures when they view a patient’s information, they might be inadvertently “sharing” your company’s ePHI. But innocent or not, that is a direct violation of HIPAA.
- Mobile devices can access ePHI on unsecured networks
Another serious risk of HIPAA noncompliance can occur when your employees — perhaps also while in line at the coffee shop — use the establishment’s public and unsecured WiFi network to view or transmit your company’s ePHI. Again, although this might be an entirely innocent mistake, that fact will not protect your company if the error results in an ePHI breach or if HIPAA’s investigators come knocking.

Sounds pretty concerning, right? It certainly can be, if your company does not take steps to implement a plan for safeguarding ePHI on your employees’ company-issued and personal mobile devices.

Advice from the HHS on Securing and Protecting ePHI on Mobile Devices

Fortunately, though, the HHS’s HealthIT.gov website also offers suggestions to protect and secure ePHI when using a mobile device, including:
- Protect mobile devices with passwords or other user authentication
You can build into your IT team’s process a step to add password protection into all company-issued mobile devices before handing them out. You can also issue a companywide directive that all mobile devices — whether personal or company-issued — that the staff uses to store or transmit ePHI must be secured with a password or other authentication mechanism.
- Equip mobile devices with encryption
Your IT team will need to decide here how to implement this policy logistically, but it might be a good idea to insist that all employees who use their own smartphones, tablets or laptops for viewing or transmitting ePHI must allow you to install and enable encryption software on those devices. The fact is, had the ePHI on the stolen laptop been protected by ‘strong’ encryption, as defined by NIST, the National Institute of Standards and Technology, the theft would not be considered a reportable data breach under HIPAA guidelines.
- Install and enable a firewall on mobile devices
This will allow you to define a set of rules under which the mobile devices used by your staff automatically intercept incoming connection attempts and block those deemed untrustworthy. This can help thwart a would-be hacker from stealing ePHI on the device.
- Enable remote wiping or disabling on mobile devices
This highly effective tool in your mobile-security arsenal allows your IT team to remotely erase data stored on a mobile device or even lock the device entirely. If an employee changes jobs or loses a company-issued smartphone or tablet containing ePHI (or if it’s stolen), your IT team would be able to wipe any data on that device immediately.
- Implement a secure-WiFi-only rule for working with ePHI on mobile devices
A companywide policy directive insisting that employees access ePHI only when they know they are on a secure WiFi network can help reduce the likelihood that your ePHI will be vulnerable to cybercriminals, even when your employees are accessing that data outside of your corporate firewall.

This list is far from complete. You can find the rest of HealthIT.gov’s additional mobile ePHI security suggestions here, but even that list doesn’t include all of the security measures worth implementing to protect your company against both mobile-device data breaches and HIPAA auditors. Still, it is a great starting point for bringing any covered entity’s processes into better alignment with HIPAA.

And I will add one more item to this list: don’t allow ePHI to be stored on mobile or portable devices, ever. Those devices should be used to access and view patient data records in a clinical setting only. The records themselves should reside on servers housed in high-security locations, preferably a data center.
ePHI Sent by Fax Must Also Comply with HIPAA
I’ll leave you with one more ePHI security tip: Don’t forget fax security and compliance. Remember, if you send any patient records, insurance forms or other personal information via fax, then your fax processes also fall under HIPAA guidelines. So when you’re researching processes to improve your mobile environment’s HIPAA compliance, it’s worth adding secure fax to the list as well — and perhaps replacing your legacy fax infrastructure (which likely does not fully comply with all HIPAA requirements) with a modern, secure cloud fax solution (which does).