It’s estimated that 74 percent of hospital workers use tablets or other mobile devices to collect and share information about patients. And although smartphones and other mobile devices provide many benefits in the healthcare setting, using them also presents a number of risks.
Unless the devices are used safely, electronic Protected Health Information (ePHI) can be exposed, and malware and viruses can enter a facility’s IT network. Without adequate safeguards in place, this can lead to costly HIPAA violations.
Hospitals, medical clinics and healthcare entities must comply with HIPAA Privacy and Security Rules to protect and secure patients’ information, even when using mobile devices like a smartphone.
Banning smartphones isn’t the answer. When a patient is in pain, every minute counts. If there isn’t an order for pain medication in the patient’s record, a nurse must consult with the patient’s physician, and in this instance a mobile phone can speed up the process. However, this and other smartphone communications must be handled securely to protect the healthcare facility’s IT systems and safeguard patient privacy.
Smartphone Data Breaches and HIPAA/HITECH
CIOs and technology professionals in healthcare facilities are concerned that the increase in smartphone usage raises the chances of security breaches in which ePHI is revealed. The HIPAA Privacy Rule mandates that covered entities “reasonably safeguard” PHI from any intentional or unintentional use or disclosure that violates the rule’s standards.
Covered entities include not only healthcare facilities but also individual providers.
The HIPAA Security Rule outlines provisions for ensuring the confidentiality, integrity, and availability of PHI that is transferred or held in electronic form.
HIPAA concerns include:
Data breaches involving patient information can lead to costly fines and settlements, and even criminal penalties. And the health information privacy laws and regulations in some states are even more extensive than the federal HIPAA regulations.
Under the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009, breaches of unsecured PHI must be reported to the affected individuals, to the U.S. Secretary of Health and Human Services and, in certain cases, to the media. Both HIPAA and HITECH emphasize the importance of privacy and security whenever ePHI is handled on smartphones and mobile devices.
Improper Smartphone Use Can Spread Viruses and Malware
The HIMSS Mobile Security Work Group’s paper “Security of Mobile Computing Devices in the Healthcare Environment” warned that “as the popularity of mobile computing devices increases, so too does the possibility that someone will create malware that is intended to impact its use or compromise patient data.”
When used in a healthcare (or any other) environment, smartphones should be routinely updated with the latest antivirus software and malware protection. This is not always an easy task and should be handled by a certified IT expert, such as a Managed Service Provider.
And because caregivers and providers are the first line of defense, they must undergo Security Awareness Training to learn about unsafe practices, such as opening suspicious attachments or clicking on questionable links.
Without a clear understanding of safe smartphone use and of the potential consequences of unsafe use (security breaches), users may ignore a healthcare facility’s security policies. This underlines the need for user education about the risks and consequences of not following security policies.
10 Steps Healthcare Facilities Should Take to Ensure Data Security When Employees Use Smartphones:
*There are a number of ways to encrypt data in transit. Two common ones are a virtual private network (VPN) and a secure browser connection. The National Institute of Standards and Technology (NIST) has several Special Publications on encrypting data in motion, including SP 800-52 and SP 800-77. SP 800-52 covers transport layer security (TLS). (Contact your IT Managed Service Provider for more information.)
Mobile Device Management
Some mobile devices have a remote disabling and wiping feature built in. Remote wiping is a security feature that lets you erase the data on your smartphone from a distance if it’s lost or stolen. When you enable it, you have the ability to permanently delete the data stored on the phone.
When smartphones are used in a healthcare setting, it’s imperative that your IT provider implements and deploys a professional Mobile Device Management (MDM) solution.
A Professional MDM Solution Protects ePHI with:
As you can see, using smartphones presents a number of risks, especially in a healthcare environment. Unless you adequately safeguard patient data at rest and in transit, unauthorized access to the healthcare facility’s systems could occur, leading to ePHI breaches and HIPAA/HITECH violations. Executives and administrators should take the necessary steps to prevent this by working with IT professionals who are certified in the latest security solutions.