Where HIPAA and smartphones collide: 5 steps to start a healthcare mobile security plan

Dec. 20, 2012
Health Dept. launches mobile device security education initiative

The U.S. Department of Health and Human Services (HHS) has launched a new education initiative and set of online tools provide healthcare providers apractical tips on ways to protect their patients’ protected health information when using mobile devices such as laptops, tablets and smartphones.

The initiative, called Mobile Devices: Know the RISKS, includes an outline of five tips to manage mobile devices in a healthcare organization. “The use of mobile health technology holds great promise in improving healthcare, but the loss of health information can have a devastating impact on the trust that patients have in their providers — it’s important that these tools are used correctly,” Joy Pritts, HHS’ Office of the National Coordinator for Health Information Technology (ONC) chief privacy officer, said in a statement.

Here are the five initial steps to mobile device management in a healthcare setting:

1. Decide whether mobile devices will be used to access, receive, transmit, or store patients’ health information or be used as part of your organization’s internal network or systems, such as an electronic health record system. Understand the risks to your organization before you decide to allow the use of mobile devices.

2. Consider the risks when using mobile devices to transmit the health information your organization holds. Conduct a risk analysis to identify threats and vulnerabilities. If you are a solo provider, you may conduct the risk analysis yourself. If you work for a large provider, the organization may conduct it.

3. Identify a mobile device risk management strategy, including privacy and security safeguards. A risk management strategy will help your organization develop and implement mobile device safeguards to reduce risks identi?ed in the risk analysis, including an evaluation and regular maintenance of the mobile device safeguards you put in place.

4. Develop, document, and implement your organization’s mobile device policies and procedures to safeguard health information. Some topics to consider when developing mobile device policies and procedures are: Mobile device management; using your own device (BYOD); restrictions on mobile device use; and security or con?guration settings for mobile devices.

5. Conduct mobile device privacy and security awareness and ongoing training for providers and professionals. 

Despite providers’ increasing use of using mobile technology for clinical use, research has shown that only 44 percent encrypt their mobile devices. Mobile devices obviously present a challenge when it comes to protecting and securing health information. “Healthcare providers, administrators and their staffs must create a culture of privacy and security across their organizations to ensure the privacy and security of their patients’ protected health information,” Pritts said.

Along with theft and loss of devices, other risks, such as the inadvertent download of viruses or other malware, are top among reasons for unintentional disclosure of patient data to unauthorized users.

For other educational resources such as tips and steps on protecting and securing health information when using a mobile device with videos, easy-to-download fact sheets, and posters, visit http://www.HealthIT.gov/mobiledevices