
Geriatric Nursing 34 (2013) 149–150

Contents lists available at SciVerse ScienceDirect

Geriatric Nursing

journal homepage: www.gnjournal.com

Legal Column

Howard L. Sollins, Donna J. Senft, Susan A. Turner

Mobile devices: Technology aid—security risk

Donna J. Senft, PT, JD *

Ober, Kaler, Grimes and Shriver, 120 East Baltimore Street, Baltimore, MD 21202, United States

Early this year, the U.S. Department of Health & Human Services (HHS) entered into a Resolution Agreement with the Hospice of North Idaho for an alleged violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule in which the breach involved the electronic Protected Health Information (ePHI) of 441 patients. This was the first HHS settlement based on a violation that involved less than 500 patients. The ePHI was stored on an unencrypted laptop that was stolen. An investigation by the HHS Office for Civil Rights ensued following the hospice provider’s required breach report.[1] Critical to its analysis of how to respond to the breach were findings that the hospice provider:

• Failed to conduct a risk analysis to safeguard the ePHI stored on its laptops, and
• Failed to implement company policies to address mobile device security.[2]

The lack of processes to address the risks posed by mobile electronic devices was even more of a concern since the hospice routinely provided laptops to its clinicians for field work. This settlement is an important reminder that enforcement activities are not limited to large data breaches. Whether you utilize a workplace mobile device (such as a laptop equipped with electronic medical records software) or a personal mobile device (used to text message or e-mail colleagues about a patient’s status, etc.), security measures should be taken to minimize the risk of unauthorized access to ePHI.

* Tel.: +1 410 347 7336. E-mail address: [email protected].

[1] Under the Health Information Technology for Economic and Clinical Health (HITECH) law, covered entities are required to report any impermissible use or improper disclosure of PHI. For a “breach” of PHI or ePHI involving 500 or more individuals, the covered entity must report a breach to the HHS Secretary and the media within 60 days after discovering the breach. For a breach of PHI or ePHI affecting less than 500 individuals, a covered entity must report the breach in an annual report to the HHS Secretary.

[2] For additional information and to review the Resolution Agreement, which included payment of $50,000 and a requirement to comply with a Corrective Action Plan, refer to the HHS website at: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/honi-agreement.html.

0197-4572/$ – see front matter © 2013 Mosby, Inc. All rights reserved. http://dx.doi.org/10.1016/j.gerinurse.2013.02.005

The Office of Civil Rights (OCR) in conjunction with the Office of the National Coordinator for Health Information Technology (ONC) recently launched an educational initiative, Mobile Devices: Know the RISKS. Take the STEPS. PROTECT and SECURE Health Information, offering health care providers practical tips on ways to protect patients’ health information.[3] OCR and ONC suggest the following measures to ensure that ePHI is secure when using mobile devices such as laptops, tablets, and smartphones.

• Require the use of a password or other user authentication to access the mobile device. Further security can be provided by activating a screen locking mechanism requiring re-entry of the password or user authentication after a designated period of inactive use.
• Ensure that the device has encryption capabilities or install an encryption tool on your mobile device. Encryption renders data unusable, unreadable, and undecipherable to unauthorized individuals.
• Activate or install remote wiping and/or remote disabling. Remote wiping allows an individual to permanently erase all data stored on a mobile device remotely, such as when the device is stolen. Remote disabling allows an individual to remotely lock data stored on a mobile device, such as when the device has been lost. With remote disabling, if the mobile device is later recovered you can unlock it to reaccess data.
• Disable or refrain from using file-sharing applications or software. File sharing is designed to allow Internet users to connect and share or trade computer files. Enabled file sharing could provide unauthorized users access to your mobile device without your knowledge.
• Enable or install a personal firewall on your mobile device. A personal firewall can protect against unauthorized connections by intercepting incoming and outgoing connection attempts and blocking or permitting the connection based on an established predetermined set of rules.
• Enable or install security software to block malicious software designed to disable or corrupt the mobile device and block or destroy access to stored data. Malicious software is frequently brought into a mobile device through e-mail attachments, accessing certain websites, or downloading programs from the Internet. Take care to ensure that you do not open e-mail attachments, access websites, or download programs from senders or sources that you do not know or trust.
• Update security software when it is available. Select automated update options or vendor notification options when using security software. Install updates as soon as you receive notification of the availability of an update, rather than selecting the “remind me later” option available with many software products.
• Download and install apps from reliable sources. Although apps can provide useful functions, be sure that the software is from a known website or base your decision to utilize an app on a reputable review from a trusted source.
• Maintain physical control of your mobile device at all times. The size and portability make mobile devices convenient for conducting business, but these same features make it more challenging to protect the device from loss or theft.
• Use adequate controls when using a non-secured Wi-Fi network or hotspot. Without using a secured Wi-Fi network there is a risk that communications will be intercepted. Mobile devices can be equipped with a virtual private network (VPN) that encrypts communications even when using a non-secured Wi-Fi connection. Alternatively, use a secure web browser connection to protect data being transmitted.
• Delete all stored ePHI before discarding your mobile device. Be sure to thoroughly delete or wipe all data stored on a mobile device before discarding the device. This can be accomplished by using software to overwrite the data, or devices that purge or destroy the data.

[3] Access this educational initiative on the Internet at: www.HealthIT.gov/mobiledevices.

A significant number of the data breaches reported to OCR each year arise from lost or stolen mobile devices. With increasing access to unsecured Wi-Fi networks, file sharing, and other convenience features, security is of an even greater concern, as breaches could occur while the mobile device is in your possession. Take the necessary steps to avoid having a reportable breach from your use of a mobile device or from unauthorized access to data stored on your device.
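As an added illustration of the risk analysis the settlement faulted the hospice for not performing, the Python below (written for this page, not taken from the column or any HHS tool) scores a device record against the OCR/ONC control list above and applies the reporting thresholds from footnote 1 to a lost or stolen device. The device record, the 15-minute lock policy and the encryption safe-harbor rule are assumptions labelled in the code.

```python
from dataclasses import dataclass

# Added example (not from the column): the OCR/ONC control list and the HITECH
# reporting thresholds in footnote 1 as a small risk-analysis routine.
@dataclass
class Device:
    name: str
    stores_ephi: bool
    auth_required: bool          # password or other user authentication
    screen_lock_minutes: int     # 0 = no inactivity lock
    encrypted: bool
    remote_wipe: bool            # remote wipe and/or remote disable available
    file_sharing_enabled: bool
    firewall_enabled: bool
    security_software_current: bool
    vpn_for_public_wifi: bool

MAX_LOCK_MINUTES = 15  # assumed policy value; the column gives no number

def risk_analysis(d: Device) -> list:
    """Return the OCR/ONC controls the device is missing."""
    checks = [
        (d.stores_ephi and not d.encrypted, "ePHI stored unencrypted"),
        (not d.auth_required, "no user authentication"),
        (d.screen_lock_minutes == 0 or d.screen_lock_minutes > MAX_LOCK_MINUTES,
         "inactivity screen lock missing or too long"),
        (not d.remote_wipe, "no remote wipe/disable"),
        (d.file_sharing_enabled, "file sharing enabled"),
        (not d.firewall_enabled, "personal firewall off"),
        (not d.security_software_current, "security software missing or out of date"),
        (not d.vpn_for_public_wifi, "no VPN for unsecured Wi-Fi"),
    ]
    return [msg for failed, msg in checks if failed]

def reporting_obligation(d: Device, individuals: int) -> str:
    """Reporting path for a lost or stolen device, per the footnote 1 thresholds."""
    if not d.stores_ephi:
        return "no ePHI on device: no breach report"
    if d.encrypted:
        # Assumption: encrypted ePHI counts as secured under HHS guidance (not in the column).
        return "ePHI encrypted: not a reportable breach; keep the encryption evidence"
    if individuals >= 500:
        return "report to HHS Secretary and the media within 60 days of discovery"
    return "report to HHS Secretary in the annual breach report"

# Constructed sample resembling the field laptop in the settlement above.
FIELD_LAPTOP = Device("clinician-laptop-07", stores_ephi=True, auth_required=True,
                      screen_lock_minutes=0, encrypted=False, remote_wipe=False,
                      file_sharing_enabled=True, firewall_enabled=False,
                      security_software_current=True, vpn_for_public_wifi=False)
```

Running `risk_analysis(FIELD_LAPTOP)` lists the six missing controls, and `reporting_obligation(FIELD_LAPTOP, 441)` lands on the annual-report path that applied to the 441-patient breach; the same laptop with `encrypted=True` would fall under the safe-harbor branch instead.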