More organizations are using smartphones, laptops and tablets for daily operations, but failing to include these devices in a company-wide risk analysis can lead to mobile device security issues.
Entities need to maintain ePHI security, and understanding the potential risks associated with mobile devices is a key part of that, as OCR stressed in its recent cybersecurity newsletter.
“Due to their small size and portability, mobile devices are at a greater risk of being lost or stolen,” stated the OCR October newsletter. “A lost or stolen mobile device containing unsecured ePHI can lead to a breach of that ePHI which could trigger HIPAA breach notification obligations for a HIPAA covered entity or its business associate (the entity). Additional risks could arise when using personal mobile devices to store or access ePHI.”
More potential security risks arise when ePHI is actually stored on mobile devices, OCR added. All company policies need to be clearly established and remain part of the employee training process to ensure that staff members at all levels know how to maintain ePHI security on mobile devices.
“Entities permitting the use of personal mobile devices must include such devices in their enterprise-wide risk analysis and implement security measures sufficient to reduce those risks to a reasonable and appropriate level,” OCR said.
Organizations should also be aware of device default settings, as they can often be less secure. For example, Wi-Fi, Bluetooth, cloud storage or file sharing network services may be unsecured for their default setting. Mobile devices must be “properly configured and secured before allowing the device to create, receive, maintain or transmit ePHI,” the agency advised.
Employee training also needs to cover viruses and malware. Individuals must understand that malicious software can wreak havoc on a mobile device just as it can on a desktop computer.
OCR also suggested that covered entities consider using Mobile Device Management (MDM) software to manage and secure mobile devices. MDM can include OS configuration, device provisioning and remote access for troubleshooting.
Essentially, organizations need to ensure that their HIPAA technical safeguards account for mobile device security. For example, automatic lock/logoff functionality, authentication to use or unlock mobile devices and regular security patches and updates will be critical for keeping ePHI secure on mobile devices.
Data encryption, anti-virus/anti-malware software and remote wipe capabilities should also be key considerations, OCR stated.
OCR also listed the following tips for ensuring mobile device security:
- Use a privacy screen to prevent people close by from reading information on your screen
- Use only secure Wi-Fi connections
- Use a secure Virtual Private Network (VPN)
- Reduce risks posed by third-party apps by prohibiting the downloading of third-party apps, using whitelisting to allow installation of only approved apps, securely separating ePHI from apps and verifying that apps only have the minimum necessary permissions required
- Securely delete all PHI stored on a mobile device before discarding or reusing the mobile device
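The technical safeguards above (automatic lock, unlock authentication, patching, encryption, remote wipe) and the app tips (allowlisting, minimum necessary permissions) are the kind of checks an MDM compliance report runs against each enrolled device. The following is an added example, written for this post and not code from OCR or BIS Technology Group, that evaluates constructed device inventory records against those controls. The thresholds, app identifiers and permission sets are assumed for illustration, not figures from the newsletter.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set

# Policy thresholds: assumed values for illustration, not from the OCR newsletter.
MAX_AUTOLOCK_SECONDS = 300   # assumption: screen must lock after at most 5 minutes idle
MAX_PATCH_AGE_DAYS = 30      # assumption: OS security patch level no older than 30 days

# App allowlist and "minimum necessary" permission sets (constructed identifiers).
APP_ALLOWLIST: Set[str] = {"com.example.ehr", "com.example.secure-mail"}
ALLOWED_PERMISSIONS: Dict[str, Set[str]] = {
    "com.example.ehr": {"camera", "network"},
    "com.example.secure-mail": {"network", "contacts"},
}


@dataclass
class Device:
    """One device record as an MDM inventory export might provide it (constructed)."""
    device_id: str
    autolock_seconds: Optional[int]        # None means auto-lock is disabled
    unlock_auth: bool                      # PIN, passcode or biometric required to unlock
    encrypted: bool                        # storage encryption enabled
    last_patch: date                       # date of the most recent OS security update
    remote_wipe_enrolled: bool             # device can be wiped remotely if lost or stolen
    apps: Dict[str, Set[str]] = field(default_factory=dict)  # app id -> granted permissions


def evaluate(device: Device, today: date) -> List[str]:
    """Return the list of policy findings for one device; an empty list means compliant."""
    findings: List[str] = []

    if device.autolock_seconds is None or device.autolock_seconds > MAX_AUTOLOCK_SECONDS:
        findings.append("auto-lock disabled or longer than policy")
    if not device.unlock_auth:
        findings.append("no authentication required to unlock")
    if not device.encrypted:
        findings.append("storage not encrypted")
    if (today - device.last_patch).days > MAX_PATCH_AGE_DAYS:
        findings.append("security patches out of date")
    if not device.remote_wipe_enrolled:
        findings.append("remote wipe not available")

    # Third-party app controls: only allowlisted apps, each with only its approved permissions.
    for app, perms in device.apps.items():
        if app not in APP_ALLOWLIST:
            findings.append(f"unapproved app installed: {app}")
            continue
        excess = perms - ALLOWED_PERMISSIONS[app]
        if excess:
            findings.append(f"{app} holds excess permissions: {sorted(excess)}")

    return findings


def report(devices: List[Device], today: date) -> Dict[str, List[str]]:
    """Map each device id to its findings, in the shape a compliance dashboard would consume."""
    return {d.device_id: evaluate(d, today) for d in devices}


# Constructed sample inventory: one compliant phone and one tablet with several gaps.
AS_OF = date(2024, 1, 31)
SAMPLE_DEVICES = [
    Device("phone-01", 120, True, True, date(2024, 1, 20), True,
           {"com.example.ehr": {"camera", "network"}}),
    Device("tablet-02", None, False, True, date(2023, 11, 1), True,
           {"com.example.ehr": {"camera", "network", "location"},
            "com.example.game": {"location"}}),
]

if __name__ == "__main__":
    for device_id, findings in report(SAMPLE_DEVICES, AS_OF).items():
        status = "COMPLIANT" if not findings else "NON-COMPLIANT"
        print(f"{device_id}: {status}")
        for finding in findings:
            print(f"  - {finding}")
```

Each finding maps directly to one of the safeguards OCR lists, so a device that fails a check is also the device whose loss would most plausibly become a reportable breach. In practice the records would come from the MDM vendor's inventory export rather than being constructed inline.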
Implementing necessary and applicable policies and procedures for mobile device security and then instilling those policies and procedures into regular workforce training will be essential for maintaining ePHI security.
Phillip Long, CEO of BIS Technology Group, along with his team of marketing and information technology experts, will walk you through an overview of what your business should be doing to protect your data and plan your digital marketing strategies.
About BIS Technology Group
BIS Technology Group is the technology leader on the Gulf Coast and is comprised of four divisions: Information Technology, Web Design & Digital Marketing, Office Equipment and Business Consulting. Together these divisions help local businesses exceed expectations and allow them to grow to their full potential while minimizing risks. To learn more about BIS Technology Group, visit bistechnologygroup.com.
You may reach out to us at:
Read more about cell phone protection here.
Schedule a FREE DEMO from BIS Mobile Device Security here.