You are the managing nurse at Valley View Clinic where mobile devices (e.g., smartphones, tablets) are part of the daily lives of nurses, doctors, and patients. The clinic, like many healthcare organizations, provides mobile devices to staff for conducting the work of the clinic. While the clinic-issued devices have security-enabled features, you remain concerned that staff are using the devices in a manner that could compromise the privacy of patient information. In fact, you overheard one of your nurses discussing lab results with a patient while using her clinic-issued smartphone in the clinic lobby. You have decided to send an email to the staff outlining the following. Outline the following issues:
1. The potential privacy, security, and confidentiality risks involved with using mobile devices (clinic-issued and/or personal) in the clinic
Vulnerabilities in mobile devices provide hackers and cybercriminals an opportunity to exploit and execute malicious code to gain control of those infected devices. A successful infection on a mobile device can quickly result in several mobile device security issues in healthcare, including the following:
•Theft of relevant credentials for EMR and hospital systems;
•Encryption of work-related files stored within external storage on the mobile device;
•Eavesdropping on private conversations between patients and physicians;
•Stealing private information shared via text messages on employee phones; and
•Collecting GPS location information.
2. Guidelines for using mobile devices. The technology or policy related to technology that could be used to protect patient confidentiality and privacy when using mobile devices
The HIPAA Security Rule establishes a national set of security standards for the confidentiality, integrity, and availability of electronic protected health information.
HIPAA privacy and security rules issued under the Health Insurance Portability and Accountability Act mandate national standards for protecting Patient Health Information (PHI). These rules protect against unauthorized use and disclosure and provide safeguards for the confidentiality, integrity, and availability of electronic PHI.
HIPAA Security Rule: Technical Safeguards for Mobile Devices
In the HHS' HIPAA Security Series Guidelines, covered entities are informed that they "must consider the use of encryption for transmitting ePHI, particularly over the Internet."
•HIPAA-covered entities must also "Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network."
It is not mandatory to encrypt data at rest; however, covered entities should bear in mind the advice given in the HHS Security guidelines regarding data in motion, "As business practices and technology change, situations may arise where ePHI being transmitted from a covered entity would be at significant risk of being accessed by unauthorized entities."
The HHS Guidelines go on to say, "Where risk analysis shows such risk to be significant, a covered entity must encrypt those transmissions under the addressable implementation specification for encryption."
If covered entities allow the transmission of ePHI over an open network, such as via SMS messages, this would violate HIPAA rules. The SMS network is far from secure, and the potential for ePHI being intercepted is high. To avoid a HIPAA violation and reduce the probability of a data breach, ePHI should only be transmitted via a secure channel with end-to-end encryption.
Data Access, Integrity and Audit Controls for Mobile Devices
•HIPAA requires covered entities "to implement technical policies and procedures that allow only authorized persons to access Protected Health Information."
•If mobile devices are used to access, store or transmit ePHI, they must have access controls in place to authenticate the user.
•Multi-layered security controls should be implemented to reduce the risk of unauthorized data access.
•Any data stored on a mobile device - or transmitted by it - must have protections in place to ensure the data cannot be altered or destroyed, and controls must be put in place to allow devices to be audited.
•It must be possible to examine access to ePHI (and access attempts), and any other activity performed on the device that has the potential to affect data security.
•Provided the appropriate security controls are put in place, the use of mobile devices in healthcare has huge potential to improve efficiency and productivity, reduce operational costs, and improve patient outcomes.
•The key is to make sure the devices do not place patient privacy at risk or provide criminals with an easy access point into the network.
Mobile Data Security: HIPAA Compliance Tips
•Full mobile security risk assessment
•Regular staff training should be provided on data privacy, security and the latest threats.
•Data tracking
•Information access controls
•Data encryption
•Secure text messages
•Remote data erasure
•Secure password policy
•Public Wi-Fi network access: use a VPN to reduce the risk of device hijacking.
•Control on app usage
•Device security scanning
•Device maintenance: regular software updates and keeping antivirus and antimalware up to date
3. Strategies you have used personally to protect patient health information when using mobile devices
•Never Disclose Passwords or Share Login Credentials
•Never Leave Portable Devices or Documents Unattended
•Do Not Text Patient Information
•Don't Dispose of PHI with Regular Trash
•Never Access Patient Records Out of Curiosity
•Don't Take Medical Records with You When You Change Jobs
•Don't Access Your Own Medical Records Using Your Login Credentials
•Do Not Share ePHI on Social Media (Including Photos)
•Report Potential HIPAA Violations
4. A list of resources that your staff can refer to.
•Mobile Data Security and HIPAA compliance
•Mobile Device HIPAA policy
•HIPAA Journal - Healthcare data security technology - HIPAA compliance