Healthcare organisations, and the individuals who work in them, are a prime target for security breaches, so they need to do their utmost to protect the privacy of patient records and information. To that end, the Health Insurance Portability and Accountability Act (HIPAA) of 1996, together with the Privacy and Security Rules later issued under it, sets the standards for protecting sensitive patient information, covering how patient data and electronic files are stored, transmitted and accessed.
IT security has in recent years become a high priority for hospitals and other healthcare providers as online attacks have risen. HIPAA has long defined the baseline for securing patient information against the cyber-criminals that target the healthcare industry. In January 2013, however, the Department of Health and Human Services (HHS) released the Omnibus Final Rule, which modified the HIPAA standards and placed new liabilities on organisations and individuals working in the healthcare profession.
Omnibus Final Rule Policies
Healthcare organisations, and now their business associates and subcontractors as well, are directly liable for compliance and for the penalties that follow violations.
Risk assessment no longer turns on whether the patient was harmed: any impermissible use or disclosure of protected health information (PHI) is presumed to be a breach unless a documented risk assessment shows a low probability that the information was compromised.
In the event of a breach, affected patients must be notified without unreasonable delay and no later than 60 days after discovery. HHS must be notified within the same period for breaches affecting 500 or more people (smaller breaches are logged and reported annually), and the media must be notified when more than 500 residents of a state or jurisdiction are affected.
Breaches of limited data sets (i.e. data stripped of direct identifiers, including birth dates and ZIP codes) are no longer an exception, and must be handled in the same manner as any other breach of information.
The result has been a surge in regulatory and HIPAA privacy claims, many of them involving deliberate acts by unhappy employees and disgruntled patients.
In one reported case, a physician's smartphone was compromised and over 30 unauthorised accesses were recorded in a single four-hour period. The practice had to notify hundreds of patients of the potential leakage of their medical information, and to report the incident to the press and the relevant government authorities as HIPAA requires.
Smartphones Extremely Vulnerable To Theft And Loss
Because of their portability and small size, mobile devices are particularly prone to theft and loss, which together account for the majority of reported healthcare breaches. Catherine Barrett of the Federal Working Group cites a survey of 600 US hospital workers in which 66% of reported data breaches resulted from a mobile device being lost or stolen.
Any unauthorised access to protected health information on your smartphone or any other device is a violation of the HIPAA Privacy Rule. Simply losing your phone puts that information at risk, and you may well find yourself liable. If anyone other than you reads files protected under HIPAA, even a finder with no malicious intent who is just being a bit nosy before handing the phone in, you are in violation and open to penalties. Under the Omnibus Final Rule a breach is presumed to be a breach, and there is little wiggle room once you find yourself in court. The one clear exception is encryption: HHS guidance treats PHI that was encrypted in line with NIST recommendations, with the key not compromised, as secured rather than unsecured PHI, so the loss of a properly encrypted and locked device is not a reportable breach.
The cost of a breach is real too. Some breaches may be covered by your insurance, but the cost to your reputation (especially since HIPAA leaves you no choice but to disclose the incident) is hard to measure, and the time you and your staff will have to devote to addressing it is certainly not negligible.
How To HIPAA-Proof Your Smartphone
First and foremost you will of course want to HIPAA-proof your desktop and office systems; a file-auditing tool such as PA File Sight is worth considering, since it lets managers see exactly who is accessing, reading and editing sensitive files on the system.
Once you have done this it is time to HIPAA-proof your smartphone and any other mobile devices.
Step 1. Activate Your Phone Passcode: Although this seems like a no-brainer, it is surprising how many people skip this first, easy step. Choose a passcode that is not easy to guess: a four-digit PIN has only 10,000 combinations, so prefer at least six digits or, better, an alphanumeric passphrase. No birthdays, addresses, phone numbers or special dates that are in any way related to you, as these can all be Googled. Your phone may have a setting that wipes all data after the wrong passcode is entered more than a set number of times; turn it on and, where the device lets you choose, set the limit to something like 5. Set the screen to lock automatically after a minute or two of inactivity as well, since a passcode is no protection on a phone that is still unlocked when it goes missing.
Step 2. Never Use Ordinary Email: Regular email is not encrypted end to end, is stored in readable form on servers you do not control, and webmail accounts are a frequent target of account takeover, all the more so when you are handling messages on a smartphone. If a HIPAA privacy claim were ever filed against you or your practice and it emerged that you had been sending patient information by plain email, you would not have a leg to stand on. If you are doing this, stop immediately and switch to a service built for the purpose: an encrypted messaging or secure-portal service whose provider will sign a business associate agreement with you. A virtual private network (VPN) only protects the link between your phone and the VPN endpoint; it does not encrypt the message itself once it leaves that tunnel, so on its own it is not a substitute for encrypted email.
Step 3. Require A Login For Each App: Although it is convenient to stay logged in to the apps on your smartphone, never do so with any app that delivers protected health information to your device. If someone gets hold of your phone while those apps are still open, they have every file you have. Log in each time; it is inconvenient, but that is just tough.
Step 4. Use Encryption: Encryption is the one sure-fire way to keep the files on your device, and the files moving to and from it, protected should the device be lost or stolen, and it is what HHS treats as rendering lost PHI secured. Current iOS devices encrypt their storage by default and derive the protection keys from the passcode; recent Android versions do the same, while older ones need encryption switched on in Settings. Step 1 is therefore also the foundation for this step: the encryption is only as strong as the passcode, and only protects a device that is locked. Beyond that, many apps for both Apple and Android devices encrypt files and messages in transit and at rest, some of them validated against federal standards such as FIPS 140-2. You are unlikely to need the most powerful (not to mention expensive) of these, but your files will be much better protected by some form of encryption, and most such apps can be configured to encrypt all of your phone's data or just the sensitive files you select.
By following the above steps you will slow any attacker down considerably. A determined individual might eventually get past these barriers, but it is far more likely that they will move on to the next unprotected device, which hopefully is one that holds no HIPAA-sensitive data. Either way, if the data on your phone is encrypted and locked behind a strong passcode, a lost or stolen device need not turn into a reportable HIPAA breach.