The speed at which healthcare operates necessitates immediate and nearly constant communication. Mobile devices allow us to access doctors and other medical professionals whether they’re in the office, or not. It makes it possible for them to stay connected to work in this “on-the-go” environment.
HIPAA has worked to stay up to date with mobile technology, even though data security regulations and mobile devices have long been viewed as opposite poles in healthcare.
As expected, the use of cell phones and other mobile devices within the healthcare setting boomed in 2020. The pandemic ushered in an entirely new era for medicine; one in which technology and patient privacy go hand-in-hand. The rapid adoption of telehealth and work-from-home platforms for medical practitioners has solidified this new phase in which mobile devices are commonplace.
Today, 93% of medical professionals think that mobile health apps are helping to improve patients’ health. And “healthcare providers are finding out that smartphones and mobile health messaging platforms are changing how they administer population health programs,” according to mHealth Intelligence.
What Are the Security Risks Related to Cell Phones in the Healthcare Industry?
With increasingly seamless connectivity in today’s healthcare environment, every portal to a healthcare computing system—mobile phone, tablet, or laptop—is a potential point of compromise. Mobile device activity has the potential to expose electronic PHI (ePHI), which healthcare systems cannot afford in terms of financial losses or reputational damage among patients and stakeholders.
Security experts advise that mobile devices are not as secure as in-house computers set up on an organization’s secure network. Cell phones and other mobile devices aren’t equipped with protective technology like encryption, firewalls, and antivirus software. One of the major concerns is the propensity of employees to lose mobile devices or have them stolen. Once a smartphone or tablet that’s connected to your network is out of your hands, the risk of unauthorized access to your sensitive information increases sharply. It also means losing governance over many of the applications used to transmit business and medical information.
Additional risks for using a mobile device connected to a healthcare system’s resources include:
- Physical loss or theft of the device.
- Transmitting data via text or email over an unsecured Wi-Fi network while working remotely.
- Using an outdated operating system.
- Inadequate or missing authentication.
- Sharing mobile devices with others and inadvertently exposing confidential data.
Security Metrics shared some additional reasons that using smartphones and other mobile devices for healthcare matters is risky business:
- Mobile devices are easily stolen or lost.
- Many mobile users skip using password protection on their devices.
- Users aren’t in the habit of using encryption when sending and receiving emails on mobile devices.
- Some healthcare employers and business associates still lack BYOD policies ensuring data security.
How Does HIPAA Regulate Mobile Device Usage in Healthcare?
The HHS and OCR enacted HIPAA to secure the privacy of patients and integrity of sensitive health data. To comply with HIPAA regulations, anyone associated with a healthcare system who uses mobile technology to receive, transmit, or store PHI must have certain security measures in place.
The use of mobile devices in healthcare is not prohibited by HIPAA. And though there are no specific HIPAA Security or Privacy Rules governing cell phone usage, the same regulations apply. Whether users are on their carrier’s mobile network or an unsecured Wi-Fi network, meeting the overarching regulations laid out by HIPAA helps keep PHI safe.
“Health care providers, other covered entities, and business associates may use mobile devices to access electronic protected health information (ePHI) as long as appropriate physical, administrative, and technical safeguards are in place to protect the confidentiality, integrity, and availability of the ePHI on the mobile device…and appropriate BAAs are in place with any third-party service providers for the device and/or the cloud that will have access to e-PHI.” – HHS, HIPAA FAQs
Meeting the Standards of HIPAA on Mobile
Although there is no official set of rules for HIPAA compliance, organizations like the National Institute of Standards and Technology (NIST), the National Cybersecurity Center of Excellence (NCCoE), and others have come up with solid advice and guidelines for implementing mobile security measures. To mitigate these risks, IT experts offer the following advice for fortifying your mobile security:
- Furnish employees with company tablets. You can control their configuration so that they only allow the programs and apps that are appropriate for the practice and that preserve patient privacy.
- Make the use of strong, HIPAA-compliant passwords mandatory. This helps ensure that only employees are granted access to data on their devices.
- Conduct routine device configuration testing, updates, and malware scans.
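The routine configuration testing recommended above can be automated against an MDM inventory export. The following is an added example, not code from the original post: it applies the risk conditions this article lists (missing passcode, no encryption, outdated OS, overdue malware scan, shared device, no central control) to constructed device records. The field names, minimum OS versions, and scan cadence are assumptions, not any vendor’s schema.

```python
# Added example: device posture check over a constructed MDM inventory export.
# Field names, version floors and the scan cadence are assumptions for illustration.
from datetime import date

MIN_OS = {"ios": (16, 0), "android": (13, 0)}   # assumed minimum supported OS versions
MAX_SCAN_AGE_DAYS = 7                            # assumed malware-scan cadence

def parse_version(text):
    """Turn '16.4.1' into (16, 4, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))

def check_device(dev, today):
    """Return the list of findings for one device record; an empty list means compliant."""
    findings = []
    if not dev.get("passcode_enabled"):
        findings.append("no passcode")
    if not dev.get("storage_encrypted"):
        findings.append("storage not encrypted")
    min_os = MIN_OS.get(dev.get("platform"))
    if min_os is None or parse_version(dev["os_version"]) < min_os:
        findings.append("outdated or unknown OS")
    if (today - date.fromisoformat(dev["last_scan"])).days > MAX_SCAN_AGE_DAYS:
        findings.append("malware scan overdue")
    if dev.get("shared"):
        findings.append("shared device")
    if not dev.get("mdm_enrolled"):
        findings.append("not under MDM control")
    return findings

def audit(inventory, today):
    """Map device id -> findings for every device that fails at least one check."""
    report = {}
    for dev in inventory:
        findings = check_device(dev, today)
        if findings:
            report[dev["id"]] = findings
    return report

# Constructed sample inventory (not real devices).
INVENTORY = [
    {"id": "tab-01", "platform": "ios", "os_version": "17.2", "passcode_enabled": True,
     "storage_encrypted": True, "last_scan": "2024-03-01", "shared": False, "mdm_enrolled": True},
    {"id": "phone-02", "platform": "android", "os_version": "11.0", "passcode_enabled": False,
     "storage_encrypted": True, "last_scan": "2024-02-01", "shared": True, "mdm_enrolled": False},
]

def audit_sample():
    """Run the audit over the constructed inventory as of a fixed date."""
    return audit(INVENTORY, date(2024, 3, 4))

if __name__ == "__main__":
    for dev_id, findings in audit_sample().items():
        print(dev_id, "->", ", ".join(findings))
```

Only non-compliant devices appear in the report, so an empty result is the desired outcome of a routine run.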
Include Mobile Devices in Risk Assessments
Regularly enlist the services of a trusted auditing firm to conduct a HIPAA/HITECH audit. This aims to identify potential risks and vulnerabilities to the confidentiality, integrity, and availability of all ePHI that your organization collects, stores, processes or transmits – on mobile and desktop devices.
Enable and Enforce Passcode Protection
Make sure that each mobile user understands that it is his or her responsibility to properly protect the device and its contents. Passcodes and two-factor authentication protect any ePHI on the device if a cell phone falls into the hands of someone other than the owner.
Advise Mobile Users to Handle Patient Data Safely with Secure Apps
The HHS and OCR have launched a portal that features a list of health application developers to help mobile users choose apps wisely. For instance, any text messages sent to patients must be sent through special secure apps.
Deter Staff from Using Unsecured Wi-Fi Networks
It is always tempting to hop onto a free Wi-Fi network when out for coffee or lunch. However, those networks are risky for anyone accessing even their own banking information, let alone physicians checking their office email. Set up a virtual private network to provide a secure, encrypted connection between the mobile device and ePHI.
Provide Extensive Policies, Procedures, and Training
When working with busy physicians, nurses, and other medical professionals, it can be challenging to make sure they understand policies and procedures. But mobile HIPAA training sessions are essential to full HIPAA compliance.
Is Your Healthcare Staff HIPAA Compliant While Mobile?
There are many additional ways to make sure you are keeping PHI secure and staying fully HIPAA compliant. Our security and compliance team has all the latest information on HIPAA requirements applicable to your healthcare organization. Contact our office to discuss all the ways we can help you protect your business.