In the United States, mobile device users spend on average 5 hours per day on their devices, and most of that time, approximately 69%, is spent in apps. The number of mobile device users in healthcare is also growing: recent figures show that more than 50% of smartphone users gather health-related information on their phones, while 80% of physicians use smartphones and medical apps.
As our use of mobile devices continues to grow, we should be proactively safeguarding the devices themselves and the information we access, create, share, and store on them.
Risks to Mobile Device and Protected Health Information (PHI)
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recognizes that mobile devices, including cell phones, tablets, and laptops, are increasingly found in many work environments, including healthcare organizations. While the use of mobile devices in the workplace can be convenient and productive, there are several potential risks when those devices are used to create, receive, maintain, or transmit electronic PHI (ePHI).
Perhaps the most obvious risk stems from the size and portability of mobile devices. A lost or stolen device that is used to store or access ePHI and is not properly secured could trigger HIPAA breach notification obligations. (Encryption matters here: under HHS guidance, ePHI encrypted in a manner consistent with NIST guidance is considered "secured," so a lost device with encrypted storage and an uncompromised key generally does not trigger notification, whereas an unencrypted one does.) According to OCR, if an entity does not permit the use of personal mobile devices for work activities, especially activities involving ePHI, policies should be in place and enforced that make such prohibitions clear. Entities that do permit personal mobile devices must include them in their enterprise-wide risk analysis and implement security measures sufficient to reduce those risks to a reasonable and appropriate level.
Just like a desktop computer, a mobile device's default settings may be insecure. It is therefore important to ensure that mobile devices are properly configured and secured, especially if a device will be allowed to create, receive, maintain, or transmit ePHI. It is equally important to understand the danger of using insecure Wi-Fi networks, such as the public Wi-Fi offered in airports and coffee shops, and of using insecure cloud storage and file sharing services.
Additionally, mobile devices, just like desktops, may be infected with malicious software that gives unauthorized individuals access to the device, which could result in a breach of ePHI. Similarly, there are risks in using mobile apps or games that can access your contacts, pictures, or other information on the device: that information could be sent to an external entity without your knowledge.
Tips to help protect and secure PHI while using mobile devices
In its Mobile Devices and Protected Health Information (PHI) publication, OCR recommends the following tips to help protect and secure PHI while using mobile devices:
- Implement policies and procedures regarding the use of mobile devices in the workplace, especially when they are used to create, receive, maintain, or transmit ePHI.
- Consider using Mobile Device Management (MDM) software to manage and secure mobile devices.
- Install or enable automatic lock/logoff functionality.
- Require authentication to use or unlock mobile devices.
- Regularly install security patches and updates.
- Install or enable encryption, anti-virus/anti-malware software, and remote wipe capabilities.
- Use a privacy screen to prevent people close by from reading information on your screen.
- Use only secure Wi-Fi connections.
- Use a secure Virtual Private Network (VPN).
- Reduce risks posed by third-party apps by prohibiting the downloading of third-party apps, using whitelisting (allowlisting) to permit installation of only approved apps, securely separating ePHI from apps, and verifying that apps have only the minimum permissions necessary for their function.
- Securely delete all PHI stored on a mobile device before discarding or reusing the device.
- Include training on how to securely use mobile devices in workforce training programs.
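The tips above map directly onto checks an MDM compliance report can run for you. The script below is an added example, not OCR's tooling or code from this page: it evaluates a constructed MDM inventory export against the controls listed (authentication, auto-lock, encryption, remote wipe, patching, app allowlisting, minimum permissions, secure Wi-Fi) and ranks devices so that the lost-device breach scenario (a device that stores ePHI without encryption or remote wipe) surfaces first. The record field names, thresholds, app identifiers and permission names are assumptions chosen for illustration, not a real vendor's schema or an OCR requirement.

```python
"""Posture check for mobile devices that handle ePHI.

Added example (not OCR's tooling). Field names, thresholds and app IDs are
assumptions for illustration, not a real MDM schema or an OCR mandate.
"""
from datetime import date

# Policy thresholds (assumptions for this example)
MIN_PASSCODE_LENGTH = 6
MAX_AUTOLOCK_SECONDS = 300      # lock after at most 5 minutes idle
MAX_PATCH_AGE_DAYS = 30         # security patch level no older than 30 days
APPROVED_APPS = {"org.example.ehr", "org.example.securemail"}   # hypothetical allowlist
# Permissions a clinical workflow app has no need for (assumption)
EXCESSIVE_PERMISSIONS = {"READ_CONTACTS", "READ_EXTERNAL_STORAGE", "RECORD_AUDIO"}


def check_device(dev, today):
    """Return the list of controls the device fails (empty list = compliant)."""
    findings = []
    if not dev.get("passcode_required") or dev.get("passcode_min_length", 0) < MIN_PASSCODE_LENGTH:
        findings.append("authentication")
    if dev.get("autolock_seconds", float("inf")) > MAX_AUTOLOCK_SECONDS:
        findings.append("auto-lock")
    if not dev.get("storage_encrypted"):
        findings.append("encryption")
    if not dev.get("remote_wipe_enabled"):
        findings.append("remote-wipe")
    patch_level = date.fromisoformat(dev["last_security_patch"])
    if (today - patch_level).days > MAX_PATCH_AGE_DAYS:
        findings.append("patching")
    # Allowlisting: anything installed that is not approved is a finding
    unapproved = set(dev.get("installed_apps", ())) - APPROVED_APPS
    if unapproved:
        findings.append("unapproved-apps:" + ",".join(sorted(unapproved)))
    # Minimum necessary permissions: flag apps holding permissions they do not need
    for app, perms in sorted(dev.get("app_permissions", {}).items()):
        excess = set(perms) & EXCESSIVE_PERMISSIONS
        if excess:
            findings.append(f"excess-permissions:{app}:" + ",".join(sorted(excess)))
    if dev.get("wifi_security") == "open":
        findings.append("open-wifi")
    return findings


def triage(inventory, today):
    """Map device id -> (priority, findings).

    A device that stores ePHI and lacks encryption or remote wipe is the
    lost-device breach scenario, so it is ranked 'high'; any other failing
    device is 'medium'; a compliant device is 'ok'.
    """
    report = {}
    for dev in inventory:
        findings = check_device(dev, today)
        if not findings:
            priority = "ok"
        elif dev.get("stores_ephi") and ({"encryption", "remote-wipe"} & set(findings)):
            priority = "high"
        else:
            priority = "medium"
        report[dev["id"]] = (priority, findings)
    return report


# Constructed inventory (sample data, not from any real MDM)
INVENTORY = [
    {"id": "tablet-01", "stores_ephi": True, "passcode_required": True,
     "passcode_min_length": 6, "autolock_seconds": 120, "storage_encrypted": True,
     "remote_wipe_enabled": True, "last_security_patch": "2024-03-05",
     "installed_apps": ["org.example.ehr"],
     "app_permissions": {"org.example.ehr": ["CAMERA"]},
     "wifi_security": "wpa2-enterprise"},
    {"id": "phone-07", "stores_ephi": True, "passcode_required": True,
     "passcode_min_length": 4, "autolock_seconds": 900, "storage_encrypted": False,
     "remote_wipe_enabled": False, "last_security_patch": "2023-11-01",
     "installed_apps": ["org.example.ehr", "com.example.freegame"],
     "app_permissions": {"com.example.freegame": ["READ_CONTACTS", "INTERNET"]},
     "wifi_security": "open"},
    {"id": "laptop-03", "stores_ephi": False, "passcode_required": True,
     "passcode_min_length": 8, "autolock_seconds": 600, "storage_encrypted": True,
     "remote_wipe_enabled": True, "last_security_patch": "2024-02-20",
     "installed_apps": ["org.example.securemail"], "wifi_security": "wpa2-enterprise"},
]
TODAY = date(2024, 3, 15)   # fixed "today" so the example is reproducible

if __name__ == "__main__":
    for dev_id, (priority, findings) in triage(INVENTORY, TODAY).items():
        print(f"{dev_id}: {priority} {findings}")
```

Running it against the constructed inventory marks tablet-01 as compliant, phone-07 as high priority (unencrypted, no remote wipe, stale patch level, an unapproved game holding a contacts permission, and an open Wi-Fi connection), and laptop-03 as medium for its long auto-lock timeout only. Feeding a real MDM export into `check_device` is mostly a matter of mapping the vendor's field names onto the ones assumed here.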
While October was National Cybersecurity Awareness Month, we all need to be watchful and proactive to ensure our information is protected every day of the year.
If you have any questions, please contact us today by email: [email protected] or by phone: 855-427-0427.