Ask Joy: This Week – A Strategic Approach to Security
You say you’re HIPAA compliant, but have you documented your practice’s technical safeguards for mobile devices? This week’s questions comes in from a practice trying to tackle smartphone security.
Many of our practice staff use iPhones or iPads which inevitably end up having protected health information (PHI) on them. How can we make sure that their personal devices are HIPAA compliant and secure so that in the case someone’s device goes missing or gets stolen, we don’t have to report a data breach?
While you may not be able to fully manage your staff’s personal gadgetry, you can certainly have policies in place to protect PHI on their mobile devices. When you’ve invested so much time and energy making sure your practice is HIPAA compliant, it would be a shame to have it all be in vain just because someone on your staff lost their phone or had it stolen.
A strategic approach to earn you safe harbor from the HIPAA Breach Notification Rule would be to be increasingly vigilant in protecting any mobile device that may have protected health information on it.
HealthIT.gov has published guidance on using mobile devices in clinical practices. Here is a complete list of recommended security features to protect mobile devices.
However, specific settings to customize security on iPhones and iPads are listed below for your convenience:
- Auto-Login to Apps: Part of the price one pays for security comes in the form of inconvenience. Though it’s convenient to set up applications that may have PHI stored inside to automatically stay logged in, this practice can be a major threat to the confidentiality and security of PHI. Similar to banking applications, it’s significantly more secure to enter the username and password each time the application is accessed. IMPORTANT: The native Mail application on iOS devices cannot disable the auto-login feature (meaning it remembers your password). For this reason, mail accessed from mobile devices have a higher risk of security breach. A HIPAA-compliant way of accessing email from an iOS device would be to login through a browser, making sure to logout after each session.
- Encryption: Encryption protects health information stored on and sent by mobile devices. iOS devices provide a dedicated AES 256-bit hardware encryption for all data stored on the device, data in transmission, and additional encryption of email and application data with enhanced data protection. If a user accesses secured online applications from the device, such as a cloud-based EHR from the device, the encryption for the application will also work on the mobile device.
- File Sharing: Applications like Dropbox or Google Drive can put your data at risk. The two main points to know about these types of applications are 1) they have not signed Business Associate Agreements agreeing to keep PHI secure and protected and 2) they allow other users to connect and trade files which can also enable unauthorized users to access your information without your knowledge. Reduce this known risk easily by simply not using file sharing applications for PHI on mobile devices.
- Firewalls and Antivirus: Unless the iPhone or iPad is jail-broken, it’s not possible to get a firewall or antivirus onto the device. The good news is that the closed-architecture of iOS makes this less of a concern than it might be on another operating system. However, it’s important to stay current with software updates, as Apple is continually patching security holes as they become apparent.
- Passcodes: By default, iPhones & iPads use a 4-digit pin, which is deemed weak. To increase security, a strong passcode should have 7 alphanumeric characters at minimum. To set a longer passcode, go to Settings / General / Passcode Lock and turn “Simple Passcode” off. Enter a passcode between 7 – 10 characters and the next time you go to unlock the phone, enter the new longer passcode.
- Activate Erase Data: Apple devices have a data protection feature, which when activated, enables data to be erased altogether if the wrong passcode is entered 10 times. Since most stolen phones and tablets are taken for their inherent value, and not because the thief is interested in the address book, this feature is a powerful tool for preventing security breaches.
- Remote Tracking: As long as the device is connected to WiFi or has a cellular signal, it can be located using the iCloud feature. To set up the feature, go to Settings / iCloud. Enter the Apple ID then turn on the “Find My iPhone/iPad/iPod.” If the phone is ever lost or stolen, log in to iCloud with the Apple ID used to set up the account and put the device in “Lost Mode.” This allows the device to be remotely locked or even erased. For added security, turn on Restrictions to prevent anyone from turning off “Find My iPhone” by going to Settings / General / Restrictions.
- Remote Wipe: If the device is permanently lost, the ultimate defense against a security breach is to remotely delete all data on the device. To accomplish this task, the iPhone or iPad must be connected to WiFi or have a cellular signal. If you need to take this approach, be aware of is that once the device is “wiped” it can no longer be “tracked.” Performing this task on the device is equivalent to saying goodbye to it. For best results, backup the device often, so that the data can be restored to a new device, or the old one, once it’s found.
- Siri: The voice-activated feature can be troublesome since it can be used to access all kinds of information on the device, even if the phone or tablet is locked. To disable the use of Siri when the phone is locked, go to Settings / General / Passcode Lock / Siri / Off.
In HIPAA terminology, taking these steps count as “Technical Safeguards.” To ensure your practice is in full compliance, you would also need to implement “Administrative” and “Physical Safeguards.” That means you’ll need to document these policies for mobile devices and develop and distribute information about how to keep mobile devices safe. Be sure to include procedures on steps to take in the event that a device goes missing or has been accessed by someone without authorization. Taking these steps will help protect your practice. If you need technical help, engage your IT department or manager for assistance.
About the Author: Joy Rios has worked directly with multiple EHRs to develop training programs for both trainers and practice staff. She has successfully attested to Meaningful Use for multiple ambulatory practices in both Medicare and Medicaid. She also authored the Certified Professional Meaningful Use course for www.4Medapproved.com. Joy holds an MBA with a focus in sustainability. She is Health IT certified with a specialty in Workflow Redesign, holds HIPAA security certification, and is a great resource for information regarding government incentive programs.Ask Joy is a regular column on 4Medapproved HIT Answers.