Mobile devices are increasingly exposing protected health information (PHI) in the healthcare space, with threat risks growing, according to the Department of Homeland Security.
Mobile devices pose significant risks for privacy incidents for healthcare organizations, providers and entities responsible for safeguarding protected health information (PHI) under Federal HITECH and HIPAA regulations.
Since patient data can be moved, processed and shared via personal cell phones and tiny USB flash drives, the Bring-Your-Own-Device phenomenon can wreak havoc on a hospital. To assist healthcare entities reduce privacy incidents resulting from mobile risks, 13 experts—representing legal, data breach prevention, technology, healthcare IT, and security—offer top tips for healthcare organizations.
1. Install USB locks on computers, laptops or other devices that may contain PHI or sensitive information, to prevent unauthorized data transfer (uploads or downloads) through USB ports and thumb drives. – Christina Thielst, FACHE, vice president, Tower Consulting Group.
2. Consider geolocation tracking software or services for mobile devices. – Rick Kam, CIPP, president and co-founder, ID Experts.
3. Brick the mobile device when it is lost or stolen. – Jon A. Neiditz, partner, Nelson Mullins Riley & Scarborough.
4. Encrypt. – Chris Apgar, CISSP, president and CEO, Apgar and Associates.
5. Laptops put in “sleep” mode, as opposed to shutting them down completely, can render encryption products ineffective. – Winston Krone, managing director, Kivu Consulting.
6. Recognize that members of the workforce may use personal mobile devices to handle protected health information, even if contrary to policy. – Adam H. Greene, partner, Davis Wright Tremaine.
7. Don’t permit access to PHI by mobile devices without strong technical safeguards: encryption, data segmentation, remote data erasure and access controls, VPN software, etc. – Kelly Hagan, attorney, Schwabe, Williamson & Wyatt.
8. Educate employees about the importance of safeguarding their mobile devices. – Dr. Larry Ponemon, chairman and founder, Ponemon Institute.
9. Implement Electronic Protected Health Information (EPHI) security. – Christine Marciano, president, Cyber Data Risk Managers.
10. Healthcare organizations should work to get ahead “of the BYOD upgrade” curve by ensuring that the devices coming offline are adequately secured and checked before disposal or donation. – Richard Santalesa, senior counsel, Information Law Group.
11. Have a proactive data management strategy. – Chad Boeckman, president, Secure Digital Solutions.
12. Transparency and End User Consent Opt-In. – David Allen, CTO, Locaid Technologies.
13. The mobile web and “app” landscape is not your father’s Internet. – Pam Dixon, executive director, World Privacy Forum.