HIPAA Breaches of Mobile Devices Continue to Increase: Tips for Mobile Device Security

The growing use of mobile devices to communicate about patients increases the risk of HIPAA violations. Lost or stolen devices result in more than two-thirds of electronic protected health information (ePHI) security breaches. Dr. Cornelia Dorfschmid, a leading HIPAA consultant, notes that “these types of breaches underscore the importance of ongoing monitoring and continuing to perform ‘baseline’ security evaluations for HIPAA compliance. These baseline evaluations and follow up reviews must extend to mobile device management and procedures for ‘bring your own device’ (BYOD) environments, a major security concern. Ongoing evaluations and assessments against set baselines do not always receive the needed attention, resulting in the failure of proper password management, inadequate encryption, and remote management mechanisms. Such evaluations should also pick up on issues related to encrypting stored or transmitted data and, in particular, identifying the risks of using unsecure Wi-Fi or unsecure cellular networks to send and receive information.”

Unauthorized disclosure of PHI is a risk because mobile devices store data on the device itself in one of two ways: (1) within the computer’s “onboard memory”; or (2) within the SIM card or memory chip. The HIPAA Security Rule permits doctors, clinics, hospitals, psychologists, dentists, chiropractors, nursing homes, and pharmacies, among others, to transfer PHI to and from patients via email or text message. This allows providers to electronically communicate regarding patient status. Additionally, medical schools now supply residents with tablets to use as textbooks and while making patient rounds. These factors have led to increased potential for HIPAA Security violations that may result severe penalties, as well as public posting of violations on the HHS Office of Civil Rights (OCR) website.

HIPAA and the HITECH Act specifically require covered entities and their business associates to conduct periodic risk analyses of the potential vulnerabilities to ePHI maintained on all systems, including mobile devices. It further mandates applying the appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of ePHI. These requirements raise questions and concerns about violating the HIPAA Security Rule. According to HHS, the HIPAA Security Rule outlines national standards designed to protect individuals’ ePHI that is “created, received, used, or maintained by a covered entity.” The HHS OCR and Office of the National Coordinator (ONC) for Health Information Technology has posted tips on ways to safeguard PHI when using mobile devices such as laptops, tablets, and smart phones in a section entitled “Your Mobile Device and Health Information Privacy and Security.”

Mobile Device Security Tips

1. Provide management, accountability, and oversight structures for covered entities.
2. Establish policies, protocols, processes, and procedures to both protect ePHI on mobile devices and to avoid a security breach.
3. Provide training on the BYOD policy.
4. Keep an inventory of personal mobile devices authorized to access and transmit ePHI.
5. Establish rules for use of personal mobile devices.
6. Use a device key, password, or other user authentication to verify user identity.
7. Install and/or enable encryption that protects PHI stored on and sent by mobile devices.
8. Install or enable firewalls and regularly update security software (such as malware).
9. Install or activate remote wiping and/or disabling.
10. Ensure mobile device users know to keep devices under personal control or under lock and key.
11. Install radio frequency identification (RFID) tags to help locate lost or stolen mobile devices.
12. Establish remote shutdown tools that can remotely lock lost mobile devices.
13. Disable or do not install file-sharing applications on devices used for ePHI transmission.
14. Establish electronic processes to ensure unauthorized parties do not destroy or alter ePHI.
15. Conduct training on procedures for using mobile devices to access ePHI.
16. Educate clinicians on the risks of data breaches, HIPAA violations, and fines.
17. Delete all stored PHI before reusing or discarding a device.

After following all of the above steps, perform an outside independent security risk assessment to determine (a) if personal mobile devices are being used to exchange ePHI; (b) which devices are used on internal networks; (c) what information is accessed, received, stored, and transmitted; (d) whether proper authentication, encryption, and physical protections are in place to secure the exchange of ePHI; and (e) whether users have been properly trained on security procedures.