Over the last few years, cell phones have become computers, capable of much of the functionality your office computer has. The same is true of small portable devices such as iPads and Windows and Android tablets. Are these devices and their applications as secure as the ones you use in your clinic? In most cases, the answer is no.
The applications used on these devices are primarily downloaded and installed from the Apple App Store or the Google Play store. Your EMR provider or clinic application provider may furnish their apps through a different mechanism, but all of them run on the device using the same storage and memory, so every application on the device is exposed, especially the applications that sync to your systems that contain ePHI. Mobile applications have become one of the hackers' leading vectors to exploit. Research suggests that up to 90 percent of smartphones and tablets have been hacked. This can result in a loss of reputation and business revenue.
Medical practices usually don't give portable computing devices the same security focus that they give office computers. Security for these devices should always meet or exceed the same HIPAA guidelines you apply to workstations and notebooks.
How to secure your mobile devices:
- Make sure anti-virus/malware protection is installed. Most vendors offer the same application for these devices that they offer for workstations and notebooks. If you allow employees to use their personal devices for business, they should use the same anti-virus/malware protection that the clinic uses.
- If a mobile device has clinic-based applications or has access to clinic email, then staff should be educated on which Wi-Fi networks are secure and should use those devices only over secure connections. Most publicly available Wi-Fi is not secure. When Wi-Fi is not needed, it should be turned off on the device.
- Encrypt the device. Almost all portable devices have a setting that allows this to be enabled.
- Make sure the installed applications and the device's software are frequently updated.
- If company email or applications are being used on personal devices, make sure that your IT staff has the ability to wipe the data in the event the employee leaves the company. This is known as Remote Data Wipe.
- If the devices are used for text messaging (SMS) and there is any risk of ePHI being transmitted, implement a secure text messaging application so the data is encrypted. By default, most SMS applications send messages in an insecure manner.
- All portable devices, whether company or personally owned, that are used for business purposes should be included in your annual risk assessment.
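The checklist above maps naturally onto the device inventory that feeds an annual risk assessment. The following Python script is an added example (not from this article or from Integrated Solutions) that audits a constructed, hypothetical inventory export against those controls: anti-malware installed, storage encrypted, software updated within a chosen window, remote wipe enabled wherever clinic email or apps are present, and an encrypted messaging app wherever SMS might carry ePHI. The record field names, the 30-day update window and the sample devices are all assumptions, not any real MDM schema.

```python
"""Audit a mobile device inventory against basic HIPAA-oriented controls.

Added example: the inventory records, their field names and the update
window are constructed for illustration and do not reflect any real MDM
product's export format.
"""
from datetime import date

# Assumed policy: software older than this many days is a finding.
MAX_UPDATE_AGE_DAYS = 30

# Constructed sample inventory (hypothetical field names).
SAMPLE_INVENTORY = [
    {"id": "dev-001", "owner": "clinic", "platform": "ios",
     "antimalware": True, "encrypted": True, "remote_wipe": True,
     "last_software_update": "2024-05-20", "has_clinic_data": True,
     "sms_for_ephi": False, "secure_messaging_app": False},
    {"id": "dev-002", "owner": "personal", "platform": "android",
     "antimalware": False, "encrypted": True, "remote_wipe": False,
     "last_software_update": "2024-01-15", "has_clinic_data": True,
     "sms_for_ephi": True, "secure_messaging_app": False},
    {"id": "dev-003", "owner": "personal", "platform": "android",
     "antimalware": True, "encrypted": False, "remote_wipe": True,
     "last_software_update": "2024-05-28", "has_clinic_data": False,
     "sms_for_ephi": False, "secure_messaging_app": True},
]


def audit_device(device, today_iso, max_update_age_days=MAX_UPDATE_AGE_DAYS):
    """Return a list of findings (empty list means the device is compliant)."""
    today = date.fromisoformat(today_iso)
    findings = []

    # Control: anti-virus/malware protection installed on every device.
    if not device["antimalware"]:
        findings.append("no anti-virus/malware protection installed")

    # Control: device storage encrypted.
    if not device["encrypted"]:
        findings.append("device storage is not encrypted")

    # Control: OS and applications updated frequently.
    last_update = date.fromisoformat(device["last_software_update"])
    age_days = (today - last_update).days
    if age_days > max_update_age_days:
        findings.append(f"software not updated for {age_days} days")

    # Control: remote data wipe available wherever clinic data lives,
    # which matters most on personally owned devices.
    if device["has_clinic_data"] and not device["remote_wipe"]:
        findings.append("clinic data present but remote wipe is not enabled")

    # Control: ePHI must never travel over plain SMS.
    if device["sms_for_ephi"] and not device["secure_messaging_app"]:
        findings.append("ePHI may be sent by plain SMS; no encrypted messaging app")

    return findings


def audit_inventory(inventory, today_iso):
    """Map each device id to its findings."""
    return {d["id"]: audit_device(d, today_iso) for d in inventory}


def noncompliant_devices(inventory, today_iso):
    """Sorted ids of devices with at least one finding."""
    results = audit_inventory(inventory, today_iso)
    return sorted(dev_id for dev_id, found in results.items() if found)


if __name__ == "__main__":
    # Print a simple report for the constructed inventory.
    for dev_id, found in audit_inventory(SAMPLE_INVENTORY, "2024-06-01").items():
        status = "OK" if not found else "FINDINGS"
        print(f"{dev_id}: {status}")
        for item in found:
            print(f"  - {item}")
```

Run against a real export, the per-device findings become the evidence list for the risk assessment, and the `owner` field lets you separate the personally owned devices that need the BYOD controls (remote wipe, clinic-standard anti-malware) from clinic-owned hardware.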
Take advantage of the articles that have been published on portable device security for organizations that must meet HIPAA guidelines. The HIPAA Journal is a good source for this information. Integrated Solutions is able to assist you with a security roadmap.