A recent study from the Ponemon Institute found the following:
- Many organizations are not taking the necessary steps to protect ePHI on mobile devices and in the cloud.
- 54 percent of survey respondents have had, on average, five data breach incidents involving the loss or theft of a mobile device containing regulated data.
- Approximately 33 percent of respondents said that they need to access PHI to do their work.
- Only 15 percent of survey participants knew of HIPAA's security requirements for regulated data on mobile devices, even though 33 percent of respondents indicated that they are part of a HIPAA-covered entity.
- Approximately 40 percent of respondents were not sure whether their organization's rules on employee access to and use of regulated data on mobile devices were HIPAA compliant.
These findings clearly show that healthcare organizations need to get their act together with respect to securing ePHI on mobile devices. We live in an increasingly digital world where 24/7 access to information is the expectation. Clinicians and other staff need, and expect, access to ePHI from remote locations on a variety of devices. Healthcare organizations need to be proactive in their approach to BYOD. Reasonable policies and procedures, coupled with appropriate security technology, let employees use mobile technology in a secure, compliant manner and prevent data breaches.
Every healthcare organization needs to:
- Decide whether the organization will issue mobile devices such as smartphones and laptops to staff, or allow a BYOD strategy.
- Determine which staff members need access to ePHI to do their jobs.
- Determine how much ePHI access is needed to do the job.
- Develop and implement clear policies and procedures for mobile device usage that state:
  a) The smartphone platforms (iOS, Android, Windows or BlackBerry) supported by your IT infrastructure.
  b) The minimum hardware and software configuration required on the device to protect ePHI.
  c) A list of dos and don'ts for ePHI security and mobile device usage. Employees who use their own devices for work will also have personal data on them (photos, music, personal email, text messages) and will typically back the device up to a cloud service such as iCloud, SkyDrive or Google Drive. Any ePHI cached on the device can be swept into that personal cloud backup along with everything else. Train employees on proper use of the device and make sure staff are aware of this risk; where the platform allows it, enforce the rule technically as well (for example, a mobile device management restriction that excludes managed app data from personal cloud backups) rather than relying on training alone.
- Implement technology to authenticate users and their devices, and to authorize access to ePHI on a least-privilege basis matching the access determined above.
- Implement audit controls that record who accessed ePHI, from which device and from which location.
- Set up alerts that warn management of unauthorized attempts to access ePHI, so that the audit trail is acted on rather than merely collected.
- Where possible, prevent users from downloading ePHI to their mobile devices at all; ePHI that never reaches the device cannot be lost with it.
- Make sure that devices that store ePHI have, at a minimum, full-device encryption, device tracking, remote lock and remote wipe enabled. Encryption is the control that still protects the data if a lost device never reconnects, since remote lock and wipe only take effect once the device comes online. It also determines breach status: under the HHS breach notification guidance, ePHI encrypted in a manner consistent with NIST guidance is not "unsecured" PHI, so losing an encrypted device is generally not a reportable breach, whereas losing an unencrypted one is.
- Conduct periodic employee training to reinforce the importance of ePHI security.
- Have a strictly enforced sanctions policy in place to discourage non-compliant behavior.
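The audit-control and alerting steps above are the ones most often left as a box on a checklist, so here is an added example (not code from the original article) of what acting on the audit trail looks like in practice. It reviews constructed ePHI access events from mobile devices and raises alerts for three conditions: successful access from a device that is not enrolled for that user (an unmanaged personal device), repeated denied attempts by one user and device (someone probing beyond their role), and access from outside the clinical network. The JSON log line format, the `ENROLLED_DEVICES` inventory, the `INTERNAL_NETWORKS` range and the `DENY_THRESHOLD` value are assumptions for illustration; a real deployment would take these from the EHR audit log and the MDM inventory.

```python
"""Review ePHI access audit events from mobile devices and raise alerts.

Added example, not code from the article. The log line format, the MDM
inventory, the internal network range and the denial threshold are all
assumptions for illustration.
"""
import ipaddress
import json
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Iterator

# Constructed sample audit log: one JSON object per line, as an EHR or API
# gateway might emit for each ePHI access request.
SAMPLE_LOG = """\
{"ts":"2024-03-04T08:02:11Z","user":"jdoe","device":"ios-7F3A","ip":"10.20.1.15","action":"view","patient":"P1001","result":"allow"}
{"ts":"2024-03-04T08:05:43Z","user":"jdoe","device":"ios-7F3A","ip":"10.20.1.15","action":"export","patient":"P1001","result":"deny"}
{"ts":"2024-03-04T08:06:02Z","user":"jdoe","device":"ios-7F3A","ip":"10.20.1.15","action":"export","patient":"P1001","result":"deny"}
{"ts":"2024-03-04T08:06:30Z","user":"jdoe","device":"ios-7F3A","ip":"10.20.1.15","action":"export","patient":"P1001","result":"deny"}
{"ts":"2024-03-04T09:15:00Z","user":"asmith","device":"android-9C21","ip":"203.0.113.77","action":"view","patient":"P2002","result":"allow"}
{"ts":"2024-03-04T09:16:21Z","user":"asmith","device":"android-0000","ip":"203.0.113.77","action":"view","patient":"P2003","result":"allow"}
{"ts":"2024-03-04T11:40:09Z","user":"bwong","device":"ios-11B2","ip":"10.20.3.9","action":"view","patient":"P3003","result":"allow"}
"""

# Constructed MDM inventory (assumption): managed devices enrolled per user.
ENROLLED_DEVICES = {
    "jdoe": {"ios-7F3A"},
    "asmith": {"android-9C21"},
    "bwong": set(),  # has ePHI rights but no enrolled device
}

# Assumed clinical network range; allowed access from elsewhere is reviewed.
INTERNAL_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]
DENY_THRESHOLD = 3  # denials per user/device before management is alerted


@dataclass(frozen=True)
class Alert:
    rule: str
    user: str
    device: str
    detail: str


def parse_log(text: str) -> Iterator[dict]:
    """Parse JSON-lines audit records, skipping blank lines."""
    for line in text.splitlines():
        if line.strip():
            yield json.loads(line)


def is_internal(ip: str) -> bool:
    """True when the source address lies inside the clinical network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETWORKS)


def review(events: Iterable[dict]) -> list[Alert]:
    """Apply three rules to the audit trail and return the alerts raised."""
    alerts: list[Alert] = []
    denials: Counter = Counter()
    external_seen: set[tuple[str, str]] = set()

    for ev in events:
        user, device, ip = ev["user"], ev["device"], ev["ip"]
        allowed = ev["result"] == "allow"

        # Rule 1: successful ePHI access from a device not enrolled for this
        # user, which is what an unmanaged personal device looks like.
        if allowed and device not in ENROLLED_DEVICES.get(user, set()):
            alerts.append(Alert("unenrolled_device", user, device,
                                f"{ev['action']} on {ev['patient']} at {ev['ts']}"))

        # Rule 2: repeated denied attempts by the same user and device; the
        # alert fires once, when the threshold is reached.
        if not allowed:
            denials[(user, device)] += 1
            if denials[(user, device)] == DENY_THRESHOLD:
                alerts.append(Alert("repeated_denials", user, device,
                                    f"{DENY_THRESHOLD} denied {ev['action']} attempts"))

        # Rule 3: allowed access from outside the clinical network, reported
        # once per user/IP so legitimate remote work does not flood the queue.
        if allowed and not is_internal(ip) and (user, ip) not in external_seen:
            external_seen.add((user, ip))
            alerts.append(Alert("external_network", user, device, f"source {ip}"))

    return alerts


if __name__ == "__main__":
    for a in review(parse_log(SAMPLE_LOG)):
        print(f"[{a.rule}] user={a.user} device={a.device} {a.detail}")
```

Run against the constructed log, the review raises four alerts: the three denied export attempts by jdoe, asmith's access from outside the clinical network, and two accesses from devices that are not enrolled (asmith's second device and bwong, who has no enrolled device at all). The device check is the one that ties the audit control back to the BYOD policy: it only works if the MDM inventory is the authoritative list of devices permitted to hold ePHI.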