A judge recently ruled in favor of the OCR and ordered The University of Texas MD Anderson Cancer Center (Anderson Cancer Center) to pay over $4.3 million in civil monetary penalties. The judgment came after the Anderson Cancer Center lost two unencrypted universal serial bus (USB) drives and an unencrypted laptop from the residence of an employee. Anderson Cancer Center had previously identified the need for encryption on devices during a security-risk analysis and, despite having written policies outlining the need for encryption, failed to ensure that mobile electronic devices contained the appropriate security measures.
Mobile devices present a unique challenge to the healthcare industry. On one hand, medical providers increasingly rely on them for voice capture, email, text messaging, remote access to medical records systems, and video conferencing. Smartphones, tablets, and laptops streamline communication and collaboration by making modern health IT solutions accessible and easy to use, and USB drives make data storage and transfer effortless. On the other hand, the OCR published a cyber-security awareness newsletter specifically addressing the increased risks associated with mobile devices that are used to store or access ePHI, and lost, misplaced, and stolen portable devices are among the leading causes of healthcare security breaches. Here are our tips to protect mobile devices:
Tip #1: Have policies and procedures in place
Every organization needs to have policies in place that address if, how, and when employees are allowed to access, create, transmit or store ePHI on mobile devices. This includes the formation of policies for both devices owned by the organization and employee-owned devices that can access ePHI.
Tip #2: Implement physical safeguards
If employees are permitted to remove devices from your physical location, make sure there are policies in place regarding where those devices can be stored. Mobile devices with access to ePHI should never be left in a car or any other unsecured location.
Tip #3: Make accessing the devices more difficult
Require passwords to unlock devices. Enable screen locks or automatic log-offs. Use privacy screens to prevent people from reading information on your screen. Only use secure Wi-Fi connections, and make sure anti-virus and anti-malware software is up to date.
Tip #4: Encryption is not just for computers
Whenever possible, install or enable encryption on all mobile devices; this includes USB drives, tablets, and smartphones. Mobile Device Management (MDM) software is a great way to manage and secure mobile devices: it lets you enforce policies and maintain the desired level of IT control, including the ability to remotely wipe a lost or stolen device.
Tip #5: Use proper disposal techniques
Mobile devices that are no longer in use should be disposed of properly. This means PHI needs to be completely removed from the device, which can be accomplished by clearing (overwriting), purging (for example, degaussing magnetic media), or destroying the storage media entirely.
These tips, along with the appropriate training for employees, are great steps in protecting patient ePHI and your organization from the risk of a HIPAA breach through the loss of a mobile device.