We’ve said it before: The Office for Civil Rights (OCR) has no sympathy for healthcare organizations that violate HIPAA. Large fines may be shocking, but the government is very serious about securing the protected health information (PHI) of Americans.
In June of 2018, a judge ruled that the University of Texas MD Anderson Cancer Center violated HIPAA privacy and security rules and required it to pay a $4.3 million fine. OCR had investigated the organization after three separate data breach reports involving the theft of an unencrypted laptop and the loss of two unencrypted flash drives containing the PHI of over 35,500 people.
That $4.3 million fine reflects the critical importance of cybersecurity to healthcare organizations — and the perils of not taking proper precautions to mitigate risk. Yet a full 25% of healthcare organizations experienced a mobile device-related breach in 2018.
The rise of smartphones
The use of mobile devices in healthcare is a growing topic of concern. Laptops get most of the attention, but another ubiquitous technology is proving just as problematic: smartphones. Medical staff use their smartphones to check their schedules, share lab results, consult on cases and more, which means PHI is very likely being stored and transmitted in an insecure, unencrypted manner.
That creates a risk that PHI could be exposed if the phone is lost or stolen, or if wireless transmissions are intercepted.
But smartphones are useful for their anywhere, anytime accessibility; their ease of portability (compared to large, heavy laptops); and their versatility. They aren’t going away anytime soon, and healthcare organizations should take great care before they consider something like a smartphone ban. There are other ways to help ensure robust security. We cover five ways below:
1. Layer security
When you think about smartphone security, you probably think about the entry controls: the passcode, thumbprint or facial recognition required to access the phone. But any security measure can be overcome with time and effort, so adding “defense in depth” controls is necessary.
In addition to having the entry authentication controls, we recommend adding complementary controls such as device encryption, a failed-attempt lockout, an inactivity timeout, and multi-factor authentication into email and other applications used for work purposes.
OCR has been making it clear for years that not encrypting mobile devices and portable media that contain PHI is unacceptable. The fact that the smartphones are your employees’ personal property doesn’t get you off the hook. It just makes it even more important to specify the level of security that is required.
2. Create policies and procedures
Healthcare organizations have a variety of options for enforcing security. Those options must be documented in policies, such as an asset management policy, a mobile device management policy or a personal-device-in-the-workplace policy. Ideally those policies would be co-authored by the security and privacy officers.
Asset management policies account for all the assets in a healthcare organization that could have PHI on them. This includes portable media such as flash drives, as well as mobile devices such as laptops and smartphones. It should even include copy machines and medical devices. HIPAA requires healthcare organizations to track the movement of all PHI, so an asset management policy tracks which employee uses their smartphone for work purposes. If this employee quits or is terminated, you can take steps to remove the PHI.
Wipfli encourages clients to look at acquiring a mobile device management application. These apps not only track who is using a smartphone for work purposes but also enforce critical controls and can provide the ability to remotely wipe business information from the device without the user/owner’s assistance. Other controls such as passwords, encryption and multifactor authentication can be automatically enforced on a phone before it is allowed access to work email. And if an employee refuses to put the security app on their phone or deletes it, they will be unable to access internal business applications such as email from their phone.
Requiring the use of such an app would be documented via policy, as would other security controls such as training, encryption and acceptable use.
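The conditional-access logic described in sections 1 and 2 (verify the layered controls before a phone is allowed to reach work email, block a phone whose management app has been removed, and remove business data when the asset record shows the owner has left) can be expressed as a simple policy evaluator. The following is an added example written for this article; it is not Wipfli’s code or the code of any MDM product. The report fields, the fleet records and the policy thresholds are all constructed for illustration, and a real MDM would collect these attributes from the device itself.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Minimum control settings an organization might document in its mobile
# device policy. These thresholds are constructed values for the example,
# not a regulatory requirement.
POLICY = {
    "max_failed_attempts": 10,       # lock/wipe after this many wrong passcodes
    "max_inactivity_seconds": 300,   # auto-lock after 5 minutes idle
}


@dataclass
class DeviceReport:
    """Compliance attributes a hypothetical MDM agent reports for one phone."""
    device_id: str
    owner: str
    employment_active: bool                     # from HR / asset inventory
    mdm_agent_installed: bool                   # False if user removed the app
    passcode_set: bool                          # passcode, thumbprint or face
    storage_encrypted: bool
    failed_attempt_lockout: Optional[int]       # None = control disabled
    inactivity_timeout_seconds: Optional[int]   # None = never auto-locks
    mfa_enrolled: bool                          # MFA for work email / apps


def evaluate_device(dev: DeviceReport) -> Tuple[str, List[str]]:
    """Decide what access to work data a phone gets, and why.

    Returns (decision, findings), where decision is one of
    'allow', 'block' or 'wipe_work_data'.
    """
    # Offboarding: the asset record says the owner left, so the business
    # data on the phone must be removed (selective wipe, not a full reset).
    if not dev.employment_active:
        return "wipe_work_data", ["owner no longer employed; remove work data"]

    # Without the agent nothing can be verified or enforced: deny outright.
    if not dev.mdm_agent_installed:
        return "block", ["MDM agent missing or removed by user"]

    # Layered controls: every one of these must hold before access is granted.
    findings: List[str] = []
    if not dev.passcode_set:
        findings.append("no passcode/biometric entry control")
    if not dev.storage_encrypted:
        findings.append("device storage not encrypted")
    if (dev.failed_attempt_lockout is None
            or dev.failed_attempt_lockout > POLICY["max_failed_attempts"]):
        findings.append("failed-attempt lockout disabled or threshold too high")
    if (dev.inactivity_timeout_seconds is None
            or dev.inactivity_timeout_seconds > POLICY["max_inactivity_seconds"]):
        findings.append("inactivity timeout disabled or too long")
    if not dev.mfa_enrolled:
        findings.append("MFA not enrolled for work applications")

    return ("allow" if not findings else "block"), findings


def evaluate_fleet(reports: List[DeviceReport]) -> Dict[str, Tuple[str, List[str]]]:
    """Evaluate every device in an inventory; keyed by device id."""
    return {dev.device_id: evaluate_device(dev) for dev in reports}


# Constructed sample inventory: one compliant phone, one missing encryption,
# one belonging to a departed employee, and one with the agent removed.
SAMPLE_FLEET = [
    DeviceReport("phone-001", "nurse.a", True, True, True, True, 10, 120, True),
    DeviceReport("phone-002", "dr.b", True, True, True, False, 10, 120, True),
    DeviceReport("phone-003", "former.c", False, True, True, True, 10, 120, True),
    DeviceReport("phone-004", "tech.d", True, False, True, True, None, None, False),
]


if __name__ == "__main__":
    for device_id, (decision, findings) in evaluate_fleet(SAMPLE_FLEET).items():
        detail = "; ".join(findings) if findings else "all controls present"
        print(f"{device_id}: {decision:<14} {detail}")
```

The important design point is the order of the checks: the employment status and agent presence are decided first, because a missing agent means none of the other attributes can be trusted, and a departed employee’s phone needs remediation regardless of how well configured it is. Only after those gates does the evaluator require all of the layered controls at once, so a phone with a passcode but no encryption is still blocked from work email.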
3. Implement consistent training and education
The most important thing about security education, training and awareness is that it must be ongoing — not a one-time event or an annual occurrence. The growing threat of cybercrime and the targeting of healthcare organizations makes repeated training efforts necessary to reinforce security’s importance, as well as the responsibilities employees have to uphold it.
Training should also focus on the audience and their roles and responsibilities within the organization, meaning cybersecurity training for healthcare organizations would certainly need to cover the unique risks associated with smartphones and what security precautions should be taken.
It’s also a good idea to have employees sign an agreement that outlines security expectations so that they officially acknowledge their responsibilities. This, too, must be ongoing. Having agreements re-signed annually reinforces what those responsibilities are and how to fulfill them.
4. Encrypt devices
We mentioned earlier how OCR considers encrypting mobile devices and portable media essential.
Organizations used to have many excuses to avoid doing so: encryption was too complicated to implement, too expensive, or it slowed down the performance of the device or application.
But not anymore. These days, encryption is cheap and easy, and it doesn’t negatively affect performance. Third-party applications can easily encrypt data-in-transit (e.g., email, FTP, texting and instant messaging), which is becoming increasingly important as healthcare moves further along with telemedicine.
5. Consider important questions
Smartphone security isn’t just a technology or security issue. On the HR and legal sides, different questions must be addressed by an organization. Who owns the data on a personal smartphone that’s being used for work purposes? How can employers control the work-related data on that phone? What can and cannot be accessed via the internet by employees because of the risk of malicious software getting downloaded onto the phone and compromising PHI? What leverage do employers have to enforce penalties for violations?
There are also hourly employees to consider. If they check their email on their phones outside of normal work hours, do they get compensated?
All these questions about ownership, data, acceptable use and more must be thoughtfully considered, answered and documented.
How Wipfli can help
As a healthcare organization, your responsibilities for security and the threats you’re facing are both greater than ever. We covered five comprehensive ways to ensure more robust security around smartphones at your organization, but we recognize that implementing those strategies can come with challenges.
At Wipfli, we provide clients with strategic information security and risk management services to meet regulatory compliance objectives, improve the security of PHI, and mitigate overall security risk. Contact us to learn how we can assist your organization with cyber/information security or learn more from our cyber security web page or our HIPAA compliance page.
Or learn more by reading:
4 budget-conscious healthcare security tools
6 ways to increase cyber security in healthcare
Wipfli’s cyber solutions for healthcare (download PDF)