Health care organizations of all types, including home health care providers, hospice and others, are increasingly using mobile devices – apps on tablets and smart phones – to improve operational efficiencies and patient health outcomes, access clinical information, enhance staff communications, and serve as an additional educational resource. However, although many health care organizations claim to have a fully implemented mobile strategy, almost all also claim to have concerns over the security of their mobile applications, with end-to-end HIPAA (Health Insurance Portability and Accountability Act) compliance as their greatest security concern.
HIPAA was enacted in 1996 in order to protect patients’/individuals’ medical records and other personal health information (PHI). Today, 21 years after HIPAA was enacted, covered entities and their business associates face the very real challenge of keeping protected health information private and out of the hands of those who wish to exploit it – a challenge made even greater by the use of mobile technology in the health care industry. Maintaining the confidentiality and privacy of patient information should be the number-one priority for all health care organizations, as a failure to do so can result in civil penalties of up to $1.5 million, criminal penalties, and considerable reputational damage.
The concern over the security of mobile apps is indeed a valid one: According to the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR), mobile devices are commonly involved in data breaches. Between January 2015 and the end of October 2017, a total of 71 data breaches involving mobile devices such as laptops, smartphones, tablets, and portable storage devices were reported to the OCR.
Managing Mobile in Today’s Health Care Setting
Every organization should carefully consider how the use of its mobile devices affects the risk to PHI. This assessment will help to determine the steps needed to adequately protect an organization from potential threats. Following are several tips, courtesy of the OCR, to help health care organizations reduce their mobile security risks:
- Create a log of all mobile devices being used (as well as those used in the past) and detail the type of information being accessed, received, stored and transmitted on these devices.
- Implement policies and procedures regarding the use of mobile devices in the workplace, especially when they are used to create, receive, maintain, or transmit PHI.
- Consider using Mobile Device Management (MDM) software to manage and secure mobile devices.
- Install or enable automatic lock/logoff functionality.
- Use strong passwords, PINs or other forms of user authentication and ensure they are routinely updated.
- Implement user authentication controls and use two-factor authentication (or multi-factor authentication) whenever possible.
- Regularly install security patches and updates.
- Install or enable encryption, anti-virus/anti-malware software, and remote wipe capabilities.
- Use a privacy screen to prevent people close by from reading information on the screen.
- Use only secure Wi-Fi connections.
- Use a secure Virtual Private Network (VPN).
- Reduce risks posed by third-party apps by prohibiting the downloading of third-party apps, using “whitelisting” to allow installation of only approved apps, securely separating PHI from apps, and verifying that apps only have the minimum necessary permissions required.
- Securely delete all PHI stored on a mobile device before discarding or reusing the mobile device.
- Include regular training on how to securely use mobile devices in workforce training programs.
Also important in a home health care organization’s security strategy is having the right insurance program in place should a loss occur. This includes carrying Cyber Liability insurance with coverage that helps an organization mitigate risk exposure by offsetting the costs involved with recovery after a cyber-related security breach or similar event. Manchester Specialty provides home health care providers, hospice organizations, Visiting Nurse Associations (VNAs) and miscellaneous medical facilities with a suite of insurance products including Cyber coverage. For more information about our programs and coverages, you or your local insurance agent can contact us today toll free at 1-855-972-9399.