More and more mobile devices and Internet of Things (IoT) devices are being used by healthcare professionals to assist in patient care. These devices are more powerful and hold more information than ever before, and they pose greater risks to the security of your organization.
Covered Entities (CEs) and Business Associates (BAs) that use these devices to create, receive, maintain, or transmit electronic protected health information (ePHI) must include them in their enterprise-wide risk analysis and take action(s) to reduce the identified risks to a reasonable and appropriate level (45 C.F.R. § 164.308(a)(1)(ii)(A)–(B)).
Mobile devices, including laptop computers, handhelds, smartphones, and portable storage media, have opened a world of opportunities to take Electronic Health Records (EHRs) beyond the desktop. But these opportunities also present threats to the privacy and security of your patients’ information.
Some of these threats overlap those of the desktop world, but others are unique to mobile devices: the devices are small, easily lost or stolen, frequently connected to untrusted networks, and often personally owned.
Here are five steps your organization can take to help manage mobile devices in your healthcare organization:
- Decide whether mobile devices will be used to access, receive, transmit, or store patients’ PHI, or be used as part of your organization’s internal network or systems, such as an EHR system. Understand the risks to your organization before you decide to allow the use of mobile devices.
- Consider the risks of using mobile devices to transmit the PHI your organization holds. Conduct a risk analysis to identify the threats and vulnerabilities that apply to those devices.
- Identify a mobile device risk management strategy, including privacy and security safeguards. A risk management strategy helps your organization develop and implement mobile device safeguards that reduce the risks identified in your risk analysis, and it should include periodic evaluation and ongoing maintenance of the safeguards you put in place.
- Develop, document, and implement your organization’s mobile device policies and procedures to safeguard health information.
Some topics to consider when developing mobile device policies and procedures are:
• Bring Your Own Device (BYOD)
• Mobile Device Registration
• Mobile Device Information Storage
• Backup Information Stored on Mobile Devices
• Remote Wiping and/or Disabling
- Conduct mobile device privacy and security awareness training for providers and professionals, and repeat it on an ongoing basis.
Many handheld devices can be configured with password protection, and these protections should be enabled wherever they are available. Not all mobile devices are equipped with strong authentication and access controls, so extra steps may be necessary to secure them from unauthorized use. If a device offers no password protection, additional steps must be taken to protect the electronic health information on it, including extra precautions over physical control of the device, and the policies above on information storage and remote wiping and/or disabling become that much more important.
Covered Entities and Business Associates need to understand that patients are entrusting YOU with their most private and intimate details, and they expect those details to remain secure.
After all, it is YOUR practice, YOUR patients, YOUR reputation and YOUR legacy! Why leave yourself wide open to such risks?
Don’t know where or how to start or update your HIPAA security compliance program? Let’s chat about your compliance program – schedule a call with HIPAA alli today!