Risk Management
HIPAA-proofing Your Smart Phone or Mobile Device
In recent months OMIC has noted a surge in regulatory and HIPAA Privacy claims, especially involving malicious acts by disgruntled employees and unhappy patients.
In one case, a physician’s smart phone was compromised and more than 30 unauthorized breaches were recorded in one four-hour period, requiring the practice to notify hundreds of patients of a potential release of their medical information. The practice was also required to report the incident to government authorities in order to comply with HIPAA requirements.
See here for the HIPAA Security Rule.
While some of the costs associated with data breaches may be covered by your insurance (see here for information on OMIC’s BRP and eMD policy benefits), the damage to your reputation would be difficult to measure, not to mention the time you and your staff must devote to addressing the issue.
Interestingly, a leading security firm recently “lost” 50 phones to track the behavior of those who found them. Of the 50% of the phones that were actually returned, the finders of 43% had attempted to gain access to a banking app, often trying to “guess” the login code from other data accessible on the phone, and 80% had tried to open folders titled “HR Salaries,” “HR Cases,” and “saved passwords.”
Unauthorized access to sensitive information on your device would be considered a HIPAA Privacy violation. And while a data breach or HIPAA violation could be the result of a deliberate act of a person intentionally trying to harm you or your practice, it may also simply arise from the loss or theft of your mobile device.
Steps you can take to HIPAA-proof your smart phone:
1. Activate Phone Passcode. Choose a four-digit passcode that would be difficult to guess. Don’t use birthdates, street address numbers or anything else that would be obvious if a person were able to identify you and guess basic “expected” codes from an internet search. Your phone will often have a setting that, when turned on, will wipe all information from the phone if the wrong code is entered more than a set number of times. (I have my iPhone set so that 10 wrong codes trigger a phone data wipe.) Turn this setting on.
2. Don’t Use Email. Regular email communications are rarely encrypted and should never be used for transfer of HIPAA protected information. Email accounts are easily breached and would almost never provide defensible protections for sensitive medical data or attachments if a HIPAA Privacy claim were filed against you or your practice. If you are sending sensitive information unencrypted, stop now, and use a cloud-based encryption service or VPN only.
3. Set “Required Login” for Apps. Some applications will save your information so that after you log in once on your smartphone you will no longer have to enter the login information on subsequent visits. Although convenient, this would make it easy for anyone gaining access to your phone to also gain access to HIPAA protected information. Make sure that for any app that delivers sensitive data to your device, the settings require you to enter your login credentials each time you open the app.
4. Download an Encryption App. There are many cloud-based applications you can use to encrypt the data that is being transferred to and from your device, but you also need to protect information that is downloaded to or resides on the device itself. Therefore, if you will download any sensitive information to the device, use this type of app. Encryption apps generally run from a buck or two to over $50. There is even a call encryption app for $1,600 that meets FBI standards! (You probably don’t need that one.) These apps are available for both Apple and Android phones and they are of varying quality, so research online and read app reviews for more information. Simply search for “encryption” in the app store. Your HIPAA-related texts, messages, and images that are downloaded to your device will be encrypted again, requiring another password. This is important since any previous encryption during transfer from a cloud server to your device would most likely not protect the data once it is downloaded to your phone. These apps can be configured to encrypt all data or only certain selectively identified folders, images, or documents.
CLOUD 101:
First, go here to learn about encryption.
“Off-the-Shelf” Cloud Apps: Cloud technology uses the same kind of security as your bank to encrypt and protect data. Search for one that is HIPAA compliant or certified. OMIC does not endorse third-party products; however, one popular app is Citrix ShareFile. There may be other HIPAA compliant (or certified) applications that are comparable or superior to ShareFile, so do a thorough search before deciding which service to use. Information sits behind a cloud-protected server. If you wish to share information with another physician, you can send them an invitation and they will receive an email with a link to the cloud-based confidential information.
Personal VPCs and VPNs: If you have installed electronic medical records (EMR) software, your vendor may already have a cloud-enabled, HIPAA compliant encryption solution for you, such as a VPN (Virtual Private Network) or a VPC (Virtual Private Cloud), and you may not need to search for separate software. They most likely will have discussed this with you during implementation of your EMR system. If not, ask them to describe in detail how sensitive information is protected. VPNs are basically protected private “intranet” networks carried over the internet that are set up to securely access your practice’s networked computer system. See this HHS article about EMR remote access liability.
Cloud vs. VPN?
There may be reasons you do not want to ever send HIPAA-protected data electronically; however, that is becoming almost impossible in today’s web-based world. Many legal and health experts agree that if data is to be transferred, encryption within a VPN or VPC would be preferable to completely unprotected email or text communications.
A VPN enables you to extend your own network across one that isn’t necessarily secure (i.e., the internet). You would use a VPN to access your practice’s internal network from your home or when traveling, and to transfer information securely from one computer to another, maintaining the confidentiality of both the data and your identity.
Cloud computing (VPC) enables you to send data into the cloud, often using VPN encryption technology as a foundation. Clouds have enhanced capabilities that may not be available in a simple VPN environment; however, data security in a cloud context depends on who manages the cloud, how easily you can access the data, whether the cloud is HIPAA compliant, and who else might have access to it.
ONE MORE TIP: Don’t let your judgment be clouded. You should not assume that “clouds” protect information once it is sent to your device. While the transfer of information may be encrypted, information does “sit” on your phone temporarily. In addition to enabling “required login” for cloud apps, you should also exit these apps immediately when you are not actively viewing them.
As outlined above, your efforts to limit access to your sensitive data, including the passcode for the phone itself, encryption apps for sensitive documents, and protection during access to cloud-based apps or VPNs, are all part of a “layered” approach that will help defend your practice against allegations of insufficient HIPAA-related data protocols.
Although a serious “hacker” may be able to penetrate many or all of the individual protections you employ, the more walls you build, the more likely a person with an electronic forensic background would simply choose to move on to the next “unprotected” device. Similar to a steering wheel lock or house alarm, the technology is not the primary issue here; rather, a few simple steps may make a potential criminal feel their time would be better spent moving on to the next device.
Related Articles:
http://www.ama-assn.org/amednews/2012/03/26/bica0326.htm
http://www.hhs.gov/ocr/privacy/hipaa/faq/securityrule/2001.html
http://www.ama-assn.org/amednews/2012/03/26/bisa0326.htm