According to Pew Research, 81% of Americans now own a smartphone, and many employers are implementing BYOD (Bring Your Own Device) policies, which allow workers to use their own devices to connect to the company intranet. This strategy allows the organization to leverage the productivity benefits of smartphones without the expense of buying and maintaining devices for their employees.
But is a BYOD policy a good idea for healthcare providers? Or, do smartphones jeopardize your HIPAA compliance and expose your systems and your company to greater risks?
Are Mobile Devices Allowed Under HIPAA?
The short answer is “yes.” The HHS isn’t so much concerned about where you store PHI (Protected Health Information) as it is in ensuring you protect it. Here’s an excerpt from their guidance on mobile devices:
Health care providers, other covered entities, and business associates may use mobile devices to access electronic protected health information (ePHI) in a cloud as long as appropriate physical, administrative, and technical safeguards are in place to protect the confidentiality, integrity, and availability of the ePHI on the mobile device and in the cloud, and appropriate BAAs are in place with any third party service providers for the device and/or the cloud that will have access to the e-PHI.
However, smartphones present a few challenges. Many of these challenges are intensified when the device is a personal one. Here are five of the most common issues providers will need to contend with:
#1 Password Security – Forget strong passwords. Research from Kaspersky Lab found that 52% of people don’t use a password at all on their mobile phones. That means a phone left behind at a coffee shop or on a bathroom counter for just a few minutes can be accessed by anyone. And remember, there doesn’t have to be malicious intent for exposure to constitute a HIPAA violation.
#2 Theft – The same research found that 78% don’t use anti-theft solutions that allow the user to quickly locate a stolen device, lock it down remotely, and wipe its memory. To make matters worse, your employees may not realize the risk a stolen personal device presents, so it could be months before you find out about a potential incident – if it ever gets reported at all.
#3 Email – Over half (57%) of survey respondents said they use their smartphones to check email. If their role requires/allows them to communicate with patients via email, this exacerbates the threat from lost or stolen devices.
Even if they (smartly) don’t communicate PHI over email, just checking email on the same device they use to access internal systems can be a problem. According to a Verizon study, email is the preferred vector for 92.4% of malware attacks. Phishing can lead to anything from credential theft to ransomware, or to malware that recruits the device into a DDoS (distributed denial of service) botnet.
#4 Device upgrades – The average American upgrades their smartphone every couple of years, according to market research firm Kantar Worldpanel. Many of the older phones are swapped, sold, or thrown away without wiping them clean.
#5 Public Wi-Fi – Unless every staff member has a mobile plan with unlimited data, the temptation to use the public Wi-Fi at the local coffee shop is strong. On an open or shared network, anyone nearby can intercept unencrypted traffic or impersonate the hotspot, which gives attackers pretty much free rein with unsecured devices.
Strategies for Smartphone Usage in Healthcare
In the age of mobile workers and technologies, forbidding smartphone usage for work-related tasks is pretty much futile. Even providing your employees with company-owned devices may not do the trick as people often prefer to use their own. As someone once described it to me, “It’s like I can drive my own car, or I can drive an economy rental car. The company car doesn’t work as well as my own, and nothing’s where I expect it to be.”
10 Smart Ways to Keep Smartphones from Compromising PHI
Here are actions you can take to protect employee-owned devices from becoming major threats to your security and HIPAA compliance. Of course, most of these strategies also apply to company-owned devices and are a little easier to implement in that scenario.
1/ Conduct regular employee training. This isn’t the solution to the problem, but it’s the first brick in the foundation. Your employees need to understand the security-threat landscape and how they can help avoid the greatest risks. Perhaps in no other industry is this more vital than in healthcare.
2/ Establish a smartphone help desk. Some people are technophiles, devouring every new feature as soon as it’s available. Others use only a fraction of what their phone has to offer. It’s this latter group that often creates the most significant risk because they may not know how to do something as simple as set a password on their phone.
A free help desk where they can get assistance for their personal or company-owned devices in a comfortable and non-judgmental environment can help you plug security holes. While your help desk staff provides assistance, they can proactively look for other potential security risks, such as well-known malware apps.
3/ Make sure all devices are equipped with finder/lockdown/erase apps. The major phone platforms provide native features (Apple’s Find My and Google’s Find My Device) that can be used to locate a lost or stolen smartphone, lock it down, and even erase its contents. However, there are conditions that need to be met for these to function: the feature has to be enabled before the device goes missing, location services need to be turned on, and the device has to come online for a remote lock or wipe command to reach it.
Instructions on how to use these apps should be covered in your employee training. In addition, this is another IT security element your help desk personnel can assist with during their day-to-day employee interactions.
4/ Encourage No-Fault Reporting of Incidents. It’s tempting for an employee to think they just misplaced their phone and it’ll turn up eventually. But, every minute that lost or stolen phone goes unreported is another minute in which malicious actors may have access to your patients’ PHI. When a device used to access workplace systems has been lost or stolen, you need to know about it immediately.
5/ Install personal VPNs. A VPN, or Virtual Private Network, can help ensure security when employees use their connected devices at a public hotspot like a coffee shop, hotel, or airport. A VPN encrypts all traffic between the phone and the VPN gateway, so someone on the same public network cannot read or tamper with it, and it hides the device’s traffic and destinations from the local network. Configure the VPN to connect automatically (or use your own corporate VPN) so that protection does not depend on the employee remembering to turn it on.
6/ Encrypt data. This is essential to preventing data theft should the employee’s smartphone be breached, lost, or stolen. Current iOS and Android releases encrypt device storage once a screen lock is set, which is one more reason the password problem in #1 matters. The same applies to other mobile devices such as laptops, but smartphones pose an extra risk because they have a voice as well as a data channel. If your employees are sharing private information verbally over their smartphone, you’ll want to invest in an encryption app that also encrypts the voice channel.
7/ Help them keep their smartphone OS up to date. Yes, updating a smartphone’s OS can be a hassle, but almost every update has at least one new security feature or addresses a vulnerability. Make sure employees understand the importance of these updates. If you offer help desk services, use that time to check OS versions.
8/ Monitor for unknown devices. If employees want to use their own devices to connect to your systems, consider authorizing them ahead of time. In addition to “registering” the device on the network (for example, by enrolling it in mobile device management or issuing it a device certificate), you can use this preauthorization to check for many of the precautions we already mentioned: OS version, VPNs installed, encryption, etc. Then, when an unregistered device tries to connect, you can prevent access. Note that an IP address is not a device identity; phones change addresses constantly, so the check has to be tied to something the device itself presents.
You should also monitor for known users and devices accessing your systems with unusual patterns. An attacker who intercepts a session on public Wi-Fi (see the Public Wi-Fi risks) can steal credentials or session tokens and use them to appear legitimate. If your St. Louis-based home-care nurse is suddenly trying to access your systems from Bangladesh, you might have a problem.
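The two checks above (an unregistered device, and a legitimate account appearing somewhere it could not plausibly have traveled to) can be run over your authentication logs. The following is an added example, not code from the original article or from Connectria; the log lines, device identifiers, coordinates, and the 1,000 km/h plausibility threshold are all constructed for illustration, and the device IDs stand in for whatever your MDM or certificate enrollment actually issues.

```python
"""Flag logins from unregistered devices and "impossible travel" between
consecutive logins of the same user.  Everything below is constructed
sample data; the device identifiers are hypothetical MDM enrollment IDs."""
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Devices pre-authorized for each user during onboarding (hypothetical IDs).
REGISTERED_DEVICES = {
    "nurse.jones": {"mdm-7f3a"},
    "dr.patel": {"mdm-21c0", "mdm-9b44"},
}

# Constructed auth log: timestamp user device_id city latitude longitude.
# The St. Louis -> Dhaka pair is 1h45m apart; the Chicago -> Indianapolis
# pair is an ordinary drive.  "mdm-ffff" was never registered.
SAMPLE_LOG = """\
2023-04-03T08:02:11Z nurse.jones mdm-7f3a StLouis 38.627 -90.199
2023-04-03T09:47:30Z nurse.jones mdm-7f3a Dhaka 23.810 90.412
2023-04-03T10:15:02Z dr.patel mdm-21c0 Chicago 41.878 -87.630
2023-04-03T10:20:45Z dr.patel mdm-ffff Chicago 41.878 -87.630
2023-04-03T13:05:00Z dr.patel mdm-9b44 Indianapolis 39.769 -86.158
"""

# Nothing a nurse carries moves faster than a commercial flight (assumed cap).
MAX_PLAUSIBLE_KMH = 1000.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    earth_radius_km = 6371.0
    p1, p2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))


def parse_log(text):
    """Turn the space-separated log into dicts, oldest event first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, device, city, lat, lon = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "device": device, "city": city,
            "lat": float(lat), "lon": float(lon),
        })
    return sorted(events, key=lambda e: e["ts"])


def analyze(text, registered=REGISTERED_DEVICES, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return a list of (alert_type, user, detail) tuples."""
    alerts = []
    last_seen = {}  # user -> most recent event, for the travel check
    for ev in parse_log(text):
        # Check 1: is this device on the user's pre-authorized list?
        if ev["device"] not in registered.get(ev["user"], set()):
            alerts.append(("unregistered_device", ev["user"], ev["device"]))

        # Check 2: could the user have moved this far since the last login?
        prev = last_seen.get(ev["user"])
        if prev is not None:
            km = haversine_km(prev["lat"], prev["lon"], ev["lat"], ev["lon"])
            hours = (ev["ts"] - prev["ts"]).total_seconds() / 3600.0
            # Same-second logins from two places would divide by zero;
            # treat any distance in zero time as impossible.
            if km > 0 and (hours <= 0 or km / hours > max_kmh):
                detail = "%s->%s at ~%d km/h" % (
                    prev["city"], ev["city"], km / hours if hours > 0 else -1)
                alerts.append(("impossible_travel", ev["user"], detail))
        last_seen[ev["user"]] = ev
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

Run against the constructed log, this reports nurse.jones for the St. Louis-to-Dhaka jump and dr.patel for the unregistered device; the Chicago-to-Indianapolis pair passes because the implied speed is under 100 km/h. In production the city and coordinates come from a geolocation lookup on the source address, and the registered-device list comes from your MDM, so the cut-over points to tune are the speed threshold and how much geolocation error you tolerate for mobile carriers.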
9/ Install firewall and anti-malware protection. Firewalls act as a barrier to malicious incoming traffic, and anti-malware protection can help identify and remove malware from your devices. There are smartphone-specific versions of both of these types of applications. Make sure they are installed on all authorized and company-owned devices.
10/ Keep applications up to date. If you’ve installed a mobile healthcare app on your devices, be sure to keep these up to date as well. Developers will often come out with new versions to address specific vulnerabilities.
A Preventative Approach
Smartphones and mobile devices make HIPAA compliance even more complex, but as the industry and the technology evolve, healthcare providers may not have much choice. Your PHI will be accessed by mobile devices, whether you try to avoid them or not. Creating a mobile device strategy ahead of time can help you manage these devices on your terms.
Connectria provides HIPAA compliant hosting and managed services for a wide range of business types, including healthcare providers and developers of SaaS solutions for the healthcare industry. To learn more about us, visit us on the web or reach out to us directly.