Originally Published November 13, 2017 by ePlace Solutions, Inc.
The October newsletter from the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) focused on protecting PHI when using mobile devices such as smartphones and tablets. The Newsletter reminds entities regulated by HIPAA that mobile devices must be included in their enterprise-wide risk analysis and that the risks identified with the use of mobile devices must be reduced to “a reasonable and appropriate level.”
Risks Inherent to Mobile Devices
The Newsletter identifies some risks associated with using mobile devices to access or store ePHI (electronic PHI). Some risks are unique to mobile devices because of their portability. For example, mobile devices are at greater risk of being lost or stolen, which may trigger a HIPAA breach notification obligation if unsecured ePHI was on the device. (ePHI encrypted in accordance with HHS guidance is not considered “unsecured,” which is why device encryption is the control that most directly changes the notification analysis after a loss.) Other risks are shared with non-mobile computing devices. For example, default vendor settings on mobile devices may be insecure and should be assessed.
Device-Specific Training!
Mobile device workforce training is highlighted in the Newsletter, which once again reminds us that employee training is a foundational component of cybersecurity. Training topics for mobile devices should include the secure use of mobile devices to store or access ePHI and the risk of viruses and malware infecting mobile devices.
Mobile Device Security Tips
The Newsletter concludes with some tips to help protect and secure PHI while using mobile devices. Here are some of those tips.
- Implement policies and procedures regarding the use of mobile devices in the workplace, especially when they are used to create, receive, maintain, or transmit ePHI.
- Regularly install security patches and updates.
- Install or enable automatic lock/logoff functionality.
- Install or enable encryption, anti-virus/anti-malware software, and remote wipe capabilities.
- Use a privacy screen to prevent people close by from reading information on your screen.
- Use only secure Wi-Fi connections.
- Use a secure Virtual Private Network (VPN).
- Reduce risks posed by third-party apps: prohibit the downloading of third-party apps, or use whitelisting so that only approved apps can be installed; securely separate ePHI from other apps; and verify that apps have only the minimum permissions they require.
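Most of these tips can be checked continuously rather than once a year, because a mobile device management (MDM) platform reports them. The script below is an added example (not code from the OCR Newsletter, ePlace Solutions, or any MDM vendor) that audits a constructed inventory export against the controls listed above: storage encryption, auto-lock, patch age, remote-wipe enrollment, anti-malware, an app allowlist, and the minimum-necessary permission set per approved app. The JSON field names, the thresholds, the allowlist, and the device records are all assumptions made for the example; replace them with your own MDM's export format and the thresholds your risk analysis supports.

```python
"""Audit a constructed MDM inventory export against the OCR mobile device tips."""
import json
from datetime import date

# Constructed sample export. Field names are assumed for this example and do not
# match the schema of any particular MDM product.
INVENTORY_JSON = """
[
  {"device_id": "tab-001", "os": "iOS 11.1", "disk_encrypted": true,
   "auto_lock_seconds": 120, "last_patch_date": "2017-11-01",
   "remote_wipe_enrolled": true, "anti_malware": true,
   "apps": [{"package": "com.example.ehr", "permissions": ["CAMERA"]}]},
  {"device_id": "phone-002", "os": "Android 7.0", "disk_encrypted": false,
   "auto_lock_seconds": 0, "last_patch_date": "2017-06-15",
   "remote_wipe_enrolled": false, "anti_malware": false,
   "apps": [{"package": "com.example.ehr", "permissions": ["CAMERA", "READ_SMS"]},
            {"package": "com.example.flashlight", "permissions": ["READ_CONTACTS"]}]}
]
"""

# Date the audit is run as of (fixed here so the example is reproducible).
AS_OF = date(2017, 11, 13)

# Policy thresholds: assumed values, to be set from your own risk analysis.
MAX_AUTO_LOCK_SECONDS = 300
MAX_PATCH_AGE_DAYS = 30

# Allowlist of approved packages mapped to the minimum permissions each one
# needs. Hypothetical package names and permission sets.
APPROVED_APPS = {
    "com.example.ehr": {"CAMERA"},
}


def audit_device(device, today):
    """Return a list of (control, detail) findings for one device record."""
    findings = []
    if not device["disk_encrypted"]:
        findings.append(("encryption", "device storage is not encrypted"))
    lock = device["auto_lock_seconds"]
    if lock <= 0 or lock > MAX_AUTO_LOCK_SECONDS:
        findings.append(("auto_lock", f"auto-lock is {lock}s (0 = disabled)"))
    age = (today - date.fromisoformat(device["last_patch_date"])).days
    if age > MAX_PATCH_AGE_DAYS:
        findings.append(("patching", f"last patch applied {age} days ago"))
    if not device["remote_wipe_enrolled"]:
        findings.append(("remote_wipe", "device is not enrolled for remote wipe"))
    if not device["anti_malware"]:
        findings.append(("anti_malware", "no anti-malware agent reported"))
    for app in device["apps"]:
        pkg = app["package"]
        if pkg not in APPROVED_APPS:
            findings.append(("unapproved_app", f"{pkg} is not on the allowlist"))
            continue
        # Approved app, but holding more than its minimum-necessary permissions.
        excess = set(app["permissions"]) - APPROVED_APPS[pkg]
        if excess:
            findings.append(("excess_permission", f"{pkg} holds {sorted(excess)}"))
    return findings


def audit_inventory(inventory_json, today):
    """Map each device_id in the export to its list of findings."""
    return {d["device_id"]: audit_device(d, today) for d in json.loads(inventory_json)}


if __name__ == "__main__":
    report = audit_inventory(INVENTORY_JSON, AS_OF)
    for device_id, findings in report.items():
        status = "PASS" if not findings else f"{len(findings)} finding(s)"
        print(f"{device_id}: {status}")
        for control, detail in findings:
            print(f"  [{control}] {detail}")
```

Run against the constructed export, tab-001 passes every check and phone-002 produces seven findings, one per control plus one per problem app. Feeding a real export through the same function gives the documented, repeatable evidence that the risk analysis and the device policy are actually being enforced, which is what OCR asks for when it says risks must be reduced to a reasonable and appropriate level.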
For more information on how to manage the security of mobile devices in your company, please see NIST SP 800-124 Rev. 1, Guidelines for Managing the Security of Mobile Devices in the Enterprise.