firewalls. Over 90 percent of physicians use a smartphone or tablet in their workplace, and it’s evident why. Mobile health improves efficiency and overall quality of healthcare services. It’s plain easier and most patients prefer it.
While integrating mobile devices into existing healthcare technology seems inevitable for any progressive organization, these devices weren’t exactly created with healthcare data security in mind. And the administrators of HIPAA, the U.S. Department of Health and Human Service (HHS), know it.
Any HIPAA-covered organization using mobile devices must implement and enforce a HIPAA mobile device policy to protect patient health data. But with potentially thousands of devices requiring access to a healthcare network, protecting that data and staying HIPAA compliant becomes increasingly complex — and costly. Fines can reach above $1 million.
The possibility of hefty fines probably won’t stop you from deploying mobile health at your company; the payoff is just too great. So here’s everything you need to know — from common mistakes to compliancy tips and tricks — to keep your patients’ data secure while using mobile devices.
What are the real dangers of using mobile devices in the workplace?
Although the security risk increases, HIPAA doesn’t outlaw mobile devices in healthcare settings, stating:
“Health care providers, other covered entities, and business associates may use mobile devices to access electronic protected health information (ePHI) as long as appropriate physical, administrative, and technical safeguards are in place to protect the confidentiality, integrity, and availability of the ePHI on the mobile device and appropriate BAAs [Business Associate Agreements] are in place with any third-party service providers for the device and/or the cloud that will have access to e-PHI.”
So if HIPAA allows it, what’s the real danger?
The danger, summed up in a statistic, is that in a six month period back in 2015, over 102 million healthcare records were exposed and 34 healthcare data breaches involved mobile devices.
Every portal to a healthcare network, be it mobile phone, tablet, or laptop, is a vulnerability. The same security measures used for in-house computers and servers aren’t in place for mobile devices. Mobile devices typically don’t have firewalls, encryption, antivirus software, or multi-factor authentication.
To add fuel to the fire, many healthcare organizations that have a BYOD policy have insufficient procedures to regulate it. Employees may accidentally download a malicious app that steals the password to your EHR software.
Other, quick-hit examples of why mobile devices in the healthcare industry can be dangerous:
- Mobile devices are easy to lose or steal.
- Employees aren’t in the habit of encrypting emails when using mobile devices.
- Mobile devices are easier to share with others, inadvertently exposing confidential data.
- Many mobile users don’t implement password protection on their mobile devices.
Common mobile device HIPAA violations
Using mobile devices in your healthcare practice ups your chances of violating HIPAA regulations in ways you may not even be aware of. Here are common ways violations occur, giving you the insight to consciously avoid them (and a substantial fine).
It’s insanely convenient to text coworkers about work matters. But if you’re texting about patient information, it’s classified as ePHI, meaning the messages you send should be encrypted both in transit and while stored on your phone. Instead, use a HIPAA-compliant messaging app such as Kareo. These apps differ from normal messaging apps in that copies of messages are not retained on routing servers and therefore can’t be intercepted on public Wi-Fi.
Photos are useful in medicine. It’s tempting to take a quick picture of an X-ray or ECG for reference later, but don’t do it. Having these pictures on your camera roll qualifies as ePHI if there’s identifying information about a patient — and that doesn’t just mean their first and last name. If you need to take pictures, do so through an app like Qliq that doesn’t save the pictures to your phone’s gallery or cloud.
It’s important to never access patient information on public Wi-Fi. Sitting at a coffee shop may seem like the perfect time to check an email from a coworker, but that transmission of patient data from the email server to your phone can lead to a HIPAA violation. If you’re accessing the network without a password, so can everyone else.
When accessing patient information, make sure either your network connection is encrypted or any ePHI you’re transmitting is encrypted. If you have to use a public Wi-Fi network, use a virtual private network.
Mobile devices are mainly using cloud technologies by default, which is helpful in accessing information from multiple locations, but dangerous in exposing patient data. Referencing the aforementioned camera roll violation, the photos you take on your phone are probably automatically backing up to the cloud, making them available elsewhere. To ensure you’re not violating HIPAA laws, identify all points of ePHI storage or access on your mobile devices and determine if a cloud service is used. If it is, turn off the cloud service and invest in a HIPAA-compliant photo app.
- Evaluate risks and vulnerabilities in their environments
- Implement reasonable and appropriate security measures to protect against reasonably anticipated threats or hazards to the security or integrity of e-PHI
- Document the security measures and the rationale behind them
- Maintain continuous and appropriate security protections
If you aren’t following these steps in analyzing your risks within your mobile devices, we highly recommend doing so, as you’re probably on the wrong side of HIPAA regulations.
10 simple tips for securing your practice’s data and staying HIPAA compliant
It’s not all doom and gloom when it comes to using mobile devices in your practice. Implement some or all of these 10 simple tips to stay HIPAA compliant while retaining the efficiency your mobile technology provides.
- Implement PIN or password protection on all mobile devices.
- Implement mobile encryption (and make sure any backup information is encrypted as well).
- Regularly update software and applications.
- Create clear mobile security policies and regularly train your employees on them.
- Invest in mobile device management software for controlling access to devices, limiting data portability, and recovering missing devices.
- Install or activate remote wiping and/or disabling.
- Keep an inventory of personal mobile devices being used by healthcare professionals to access and transmit ePHI.
- Install firewalls and regularly update security software on all mobile devices.
- Install radio frequency identification (RFID) tags on your mobile devices to locate a lost or stolen device.
- Delete all stored ePHI before reusing or disposing of a device.
Using HIPAA compliant software to avoid violations
Much of the worry about violations and exposing patient information can be resolved with a HIPAA-compliant software. With an EHR system, providers safely share patient information with partner facilities, employees, or others and keep all records organized and secure. Use our Product Selection Tool to find an EHR tool that best fits for practice.