Invasion of Smart Phones in Clinical Areas Chrissy Kyak Privacy Officer University of Maryland Upper Chesapeake Health

Personal Mobile Device Use in a Clinical Setting

Many hospitals and health care providers are struggling with what to do about employees and their use of mobile devices in the workplace.

What is our organization’s position on Bring Your Own Device or “BYOD”?

Do you have a policy that speaks to whether the organization allows use of personal devices?

Does HIPAA allow the use of personal devices to transmit or store PHI?

Mobile Devices and Protected Health Information

What does the law say about mobile devices? There is nothing in HIPAA that states that it is not permissible to use a personal device to transmit patient information; however, the HIPAA Security Rule is clear that patient information must be protected and used securely by a covered entity, “whether at rest, in use, or in transmission.”

The problem: who owns the phone or portable device, and how can a covered entity enforce proper security on the device if it doesn’t own it?

Common conversations regarding mobile devices

Common feedback, with responses:

Feedback: “Our phones on the unit are so outdated. They break, they aren’t efficient, and they are three times the size of my cell phone. I can use my cell to text and don’t have to use number keys to text docs . . . It’s so much faster.”

Response: What does your policy regarding mobile devices state? Do you have a policy? Are you texting PHI? If so, you may be putting patient information at risk. Remember, your service provider for your personal phone regularly backs up your phone in a cloud storage environment – this storage is not secured.

Feedback: “I don’t want to carry around more than one phone – why can’t I just use my personal cell phone?”

Response: Newer cell phones have encryption features, but older models may not. Encryption is often never turned on because the owner is unaware that the feature exists.

Feedback: “If I need to text a doctor information about a patient, it’s no different than calling the doctor.”

Response: Texting and phone calls are two very different modes of communication with very different levels of risk. When you text anything from a mobile device that does not have appropriate security, the information is stored electronically in your phone’s cloud storage.

Feedback: “I’m under a lot of pressure to treat patients quickly . . . It’s just easier to text other docs and nurses when I need to tell them something. Maybe the hospital should look into purchasing us better technology.”

Response: While convenience may be tempting, fines for HIPAA Security violations have jumped from $50,000 to $1.5 million in the last year. Most of the fines issued by the Office for Civil Rights (OCR) involve Security Rule violations and PHI that was discovered unsecured on the internet.

Feedback: “I told our IT Department that I was using my mobile phone to text, and they said that they wanted me to give them rights to my device so that they can wipe it if it gets lost or stolen. I don’t think I want to give them this right. It’s my device.”

Response: It may be your device, but if you are texting PHI, it’s the organization’s patient information. You are putting the organization at risk if the device is lost or stolen and you don’t report it. In order to use your device, there are tradeoffs so that information can be safeguarded.

Coming up with a Position on Use of Smartphones in Your Organization

Use of Smartphones: Many organizations are aware that employees in clinical areas are using their personal mobile devices to communicate information regarding their patients, but are they dealing with the issue?

Pretending the issue doesn’t exist can cost your organization.

Steps to Compliance

Does your organization have a mobile device policy? What is your organization’s position?

Is your organization willing to support a BYOD culture?

Do you know who your organization’s Privacy & Security officers are if you have questions regarding BYOD?

Are you training your employees on what your organizational position is?

Does your organization use a Virtual Private Network or “VPN”? A VPN is a way for employees to securely enter the network and work remotely in a secure environment. This allows employees to text securely, access patient information securely, and email securely.

Steps to Compliance

Understand what can put a patient’s information at risk. There are risks that many don’t think of when we talk about mobile devices:

Device gets lost – is the employee reporting the loss to their employer, even if the phone belongs to the employee?

Devices can be stolen – is your IT department enforcing wiping capabilities on personal smart phones in the event they are lost or stolen?

Is the employee’s phone password protected? You would be surprised to know how many people do not have passwords on their phone.

Depending on the type of device, malware and viruses are a potential threat that can be introduced into the workplace.

Do your employees understand that using a “free wifi” service when outside of work is dangerous and can expose any PHI on their device to potential theft or loss?

Simple steps for each employee to take to help their organization achieve compliance

Step 1: Use a password or other user authentication method

Authentication is the process of verifying the identity of a user.

Mobile devices can be configured to require a password, PIN or passcode to gain access.

If an unauthorized user attempts to gain access and doesn’t have the right password or PIN, mobile devices can activate screen locking to disallow any more attempts to gain access to the device.

Step 2: Install and enable encryption

Encryption protects health information stored and sent by mobile devices.

Mobile devices often have built-in encryption that can be activated, or encryption can be purchased for a device.

Find out what your organization’s encryption capabilities are and whether it offers encryption for a personal device.

Step 3: Install and activate remote wiping and/or remote disabling

Remote wiping enables you to erase data on a mobile device remotely. This can permanently delete data stored on a lost or stolen mobile device.

Remote disabling enables you to lock your device until it is recovered.

Step 4: Disable and do not install or use file sharing applications

File sharing is software or a system that allows Internet users to connect to each other and trade computer files.

But file sharing can also enable unauthorized users to access your laptop, handheld device or phone without your knowledge.

By disabling or not using file sharing applications, you reduce a known risk to data on your mobile device.

Step 5: Install and enable a firewall

A personal firewall on a mobile device can protect against unauthorized connections.

Firewalls intercept incoming and outgoing connection attempts and block or permit them based on a set of rules.

Step 6: Install and enable security software

Security software can be installed to protect against malicious applications, viruses, spyware, and malware-based attacks.

Step 7: Keep your security software up to date

When you regularly update your security software, you have the latest tools to prevent unauthorized access to health information on or through your mobile device.

Step 8: Research mobile applications (apps) before downloading

A mobile app is a software program that performs one or more specific functions.

Before you download and install an app on your mobile device, verify that the app will perform only functions you approve of. Not sure if the app is OK? Ask your IT Department.

Use known websites or other trusted sources that you know will give reputable reviews of the app.

Step 9: Maintain physical control

The benefits of mobile devices (portability, small size, and convenience) are also the challenges for protecting and securing health information.

Mobile devices are easily lost or stolen. There is also a risk of unauthorized use and disclosure of patient health information. You can limit an unauthorized user’s access to, tampering with or theft of your mobile device when you physically secure the device.

Step 10: Use adequate security to send or receive health information over public Wi-Fi networks

Public Wi-Fi networks are so tempting to use because, of course, they are free.

But they can be an easy way for unauthorized users to intercept information.

You can protect and secure health information by not sending or receiving it when connected to a public Wi-Fi network, unless you use secure, encrypted connections.

Step 11: Delete all stored health information before discarding or reusing the mobile device

When you use software tools that thoroughly delete (or wipe) data stored on a mobile device before discarding or reusing the device, you can protect and secure health information from unauthorized access.

HHS OCR has issued guidance that discusses the proper steps to take to remove health information and other sensitive data stored on your mobile device before you dispose of or reuse the device.

Unsure how to make sure your device is sufficiently wiped when you get a new device? Ask your IT Department for help!

Questions?