Increasing mobile data security
In an era of data sharing across smartphones and tablets, you must secure patients’ protected health information.
By Darla Shewmaker
In medical settings, HCPs use personal and practice-supplied devices to access patients’ electronic medical records, return e-mails and even take photos. A 2013 study reported that 83% of physicians used mobile technology to improve patient care (http://tinyurl.com/OPdatasecurity1).
Unfortunately, when logged into your practice network, these devices can create new threats related to viruses and malware. (See, “Risks Associated With Mobile Devices,” below.)
Also, the use of mobile computing devices increases the risk of breaches of patient-protected health information (PHI); the resulting penalties; and loss of patient confidence that can occur after the incident. The U.S. Department of Health & Human Services lists breaches of 500 patients or more on its “Wall of Shame” (http://tinyurl.com/OPdatasecurity2).
In 2014, 165 breaches were reported, including 46 related to the loss, theft or improper disposal of a laptop or other mobile device.
Consider the following measures to reduce the risks to information security and to protect PHI.
Risks associated with mobile devices
1. Losing the device
2. Having it stolen
3. Downloading a virus or malware
4. Sharing with family or friends
5. Using it in unsecured network
6. Disposing the device improperly upon replacement
Use a complicated user authentication
Your passwords should include letters (upper and lower case), numbers and keyboard characters (punctuation mark). Do not store these passwords on the mobile device. Authentication via fingerprint login, voice or camera can improve security as well.
Also, limit the number of unsuccessful login attempts, and use an auto log-off function to improve security when the device is not in use.
Install and enable encryption
Encryption converts data into a form that cannot be read without the decryption key or password. Encrypt data stored locally on your mobile device (data at rest) and data sent by your mobile device (data in motion) so that it is protected from unauthorized users. Encryption capabilities vary by device. Bottom line: If a device is lost or stolen but the data is encrypted, you should not fear a PHI breach.
Activate remote wiping and disabling
With remote wiping, you can permanently delete data stored on a lost or stolen mobile device. You can also lock or completely erase data stored on a lost or stolen mobile device. If it is recovered, you can unlock it. Securing encrypted backups of your device, locally or in the cloud, will make it easier to restore your information if a device is compromised.
Enable a firewall
A personal firewall protects against unauthorized connections. Firewalls intercept incoming and outgoing connection attempts and block or permit them based on a set of rules. Your device may already have a firewall that you can enable.
Research mobile applications
Before downloading and installing apps or programs on your mobile device, verify they will perform only functions you approve. Use reputable reviews of the app from known websites or other trusted sources. The Federal Trade Commission provides guidance to understand mobile apps at (http://tinyurl.com/OPdatasecurity3).
Avoid file sharing applications
File sharing is software or a system that allows Internet users to connect to each other and trade computer files. File sharing can enable unauthorized users to access your laptop without your permission or knowledge. Examples of these programs include Dropbox and Google Drive.
Install security software
Security software can protect against malicious applications, viruses, spyware and malware-based attacks. Make sure to keep your security software up to date. The latest tools help you to prevent unauthorized access to health information on or through your mobile device.
Use adequate security over Wi-Fi networks
Regardless of whether you are using a public or private Wi-Fi connection (such as at your house), you can use a virtual private network (VPN), which encrypts the information you send. Turn off Wi-Fi, location services and Bluetooth functionality when not in use. Others can “discover” your device exists when these functions are enabled and your mobile device is in an untrusted network/internet environment.
Maintain physical control
Mobile devices are easily lost or stolen. To limit the risk, lock your device in a secure location (such as a desk drawer) when not in use.
Delete information before discarding or reusing
HHS OCR issued guidance regarding the proper steps to take to remove health information and other sensitive data stored on your mobile device before you dispose or reuse the device. (See http://tinyurl.com/OPdatasecurity4.)
FINAL STEPS TO DATA SECURITY
Create an office policy
For your policy on mobile devices use in your practice, use the above safeguards or other reputable resources. Reference this policy as part of your security risk analysis, and educate your staff on the risks and precautions. Also, make sure you know about every device using your network that accesses or stores PHI.
Without the proper controls in place, your practice is vulnerable to possible threats. OM
About the Author
Darla Shewmaker has spent 17 years on the front lines of EHR design and implementation. She recently left her position as VP of product development and is focusing on ophthalmic practice consultations, education and compliance. E-mail her at Darla@destinationsconsulting.com.