On October 21, 2013, Alhambra, California-based AHMC Healthcare Inc. reported the theft of two unencrypted laptops containing the protected health information (“PHI”) of approximately 729,000 patients. Reports of stolen laptops and other mobile devices containing PHI are not uncommon in recent years. In fact, most breaches of PHI reported to the U.S. Department of Health and Human Services (“HHS”) are related to the theft or loss of mobile devices.1 These types of reports are also not surprising given the rise in use of mobile device technologies in the healthcare industry. Two recent studies have shown that healthcare professionals are increasingly using mobile devices such as smartphones and tablets for clinical purposes. A survey published in August 2013 by the Deloitte Center for Health Solutions2 found that more than 40 percent of U.S. physicians use mobile phones to access patient records, write prescriptions and communicate with other healthcare professionals. BYOD Insights 2013 (March 2013),3 a survey conducted by a group of Cisco partner firms,4 points out that 88.6 percent of American workers in the healthcare industry use their personal smartphones for work purposes. Arguably the most troubling finding of the BYOD Insights 2013 study is that even the most basic protocols have not been adopted to ensure the security of these mobile devices. For example, nearly 60 percent of respondents in the healthcare industry reported that their smartphones are not password protected, and more than half of the respondents accessed unsecured or unknown Wi-Fi networks with their smartphones.
HIPAA Requires that Mobile Devices Containing PHI be Secure
The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and its implementing regulations, the Privacy and Security Rules, as amended by the Health Information Technology for Economic and Clinical Health (“HITECH”) Act and the recent HIPAA Omnibus Final Rule, specify requirements for securing PHI. The HIPAA Security Rule specifically requires covered entities and their business associates to conduct periodic risk analyses of the potential risks and vulnerabilities to the confidentiality, integrity and availability of electronic PHI maintained on all of their systems, including mobile devices, and to adopt policies and procedures for addressing those threats and vulnerabilities.5
Failing to comply with these security requirements could result in civil penalties of up to $50,000 per violation and a maximum penalty of $1.5 million for all violations of an identical provision during a calendar year.6 In at least two cases reported by HHS, the loss or theft of mobile devices has resulted in settlements of over one million dollars.7
Steps to Secure Mobile Devices
In light of significant penalties under HIPAA for failing to adequately secure the confidentiality and integrity of electronic PHI on mobile devices, healthcare organizations and their business associates should strongly consider the risks to mobile device security8 and adopt policies and procedures that adequately address these risks.
The following minimum security measures should be considered carefully by any organization desiring to maintain data security over mobile devices:
- Adopting access control policies that require authentication to access mobile devices, including use of complex passwords with a combination of letters and numbers. Some devices are now offering biometric authentication measures (such as Apple’s iPhone 5S) to further secure mobile data from unauthorized access.
- Installing or enabling encryption on all mobile devices that store or access patient or other sensitive information. Encryption is particularly important given that lost or stolen encrypted devices do not generally give rise to breach reporting requirements under HIPAA or most state breach reporting laws.9 Many newer mobile device models now offer full device encryption as a built-in option. This option should be enabled before the device is used to access sensitive data. Device encryption is only as strong as the passcode that unlocks it, which is one reason the access control measure above comes first. In addition to enabling encryption for data on the device, users must also be concerned about encryption for data that is transmitted from the device. Virtual Private Network (“VPN”) technology should be implemented before sending or receiving protected data via a mobile device. When a VPN is established between the device and a corporate network, all data transmitted between the two is encrypted to protect against interception by an unauthorized third party. Note that a VPN protects only the traffic that actually travels through the tunnel; a device configured for split tunneling, or an app that connects directly to an outside service, is not covered. Finally, SMS text messaging from mobile devices is inherently insecure.10 Unless text messaging of electronic PHI is expressly prohibited by organization policy, a secure HIPAA-compliant text messaging system should be implemented on all mobile devices with access to this sensitive data. There are a number of available software solutions for securing text messaging in accordance with the requirements of the HIPAA Security Rule for securing electronic PHI.
- Enabling or installing firewalls to block unauthorized access. Some mobile operating systems have built-in firewalls that users can enable.
- Enabling or installing mobile security software to protect against viruses, malware, spyware and other malicious applications. A wide range of applications are now available that offer different levels of protection. Some features often found in security software applications include the ability to remote wipe a device (in case of loss or theft); a remote alarm feature; and tracking capability via the device’s GPS system. It is important to keep mobile security software up to date.
- Disabling or uninstalling file-sharing software that can be used to access sensitive information or infect mobile devices with computer viruses or malware.
- Forensically wiping all stored health information before a mobile device is discarded or given to another user.
- Adopting a mobile device management (“MDM”) system that enforces security measures for all devices that connect to the organization’s network. A typical MDM system will register all mobile devices that seek to access data on the organization’s network; restrict access to non-compliant devices; manage security updates and access rights for user devices; roll out approved applications; and provide IT administrators the ability to remote wipe a device if the device is lost or an employee is terminated.
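The list above is a policy; an MDM system turns it into a decision about each device. The following is an added, illustrative example (not code from the article, from HHS or NIST, or from any MDM product) of how those minimum measures can be evaluated over an inventory of device records. The record fields, the version-comparison rule and the banned application identifiers are all assumptions; a real deployment would read these values from the MDM agent on the device. The lost-device branch also records whether the encryption safe harbor described in footnote 9 applies, which is the question an incident responder is asked first.

```python
"""Hypothetical MDM-style compliance evaluation for devices that access ePHI.

Added example, not the article's or any vendor's code. Device records are
constructed inline and the field names are assumptions about what an MDM
inventory exports.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set, Tuple

# Hypothetical bundle identifiers standing in for the file-sharing software the
# policy bans; a real policy would list actual package names.
BANNED_FILE_SHARING_APPS: Set[str] = {"com.example.p2pshare", "com.example.torrentclient"}


@dataclass
class Device:
    device_id: str
    owner: str
    passcode_set: bool
    passcode_alphanumeric: bool      # "complex password with letters and numbers"
    storage_encrypted: bool          # full device encryption enabled
    security_sw_version: str         # "" if no mobile security software installed
    installed_apps: Set[str]
    stores_ephi: bool = True
    reported_lost: bool = False
    owner_active: bool = True        # False once the employee is terminated


@dataclass
class Decision:
    device_id: str
    allow_access: bool               # may the device reach the organization's network?
    failures: List[str] = field(default_factory=list)
    actions: List[str] = field(default_factory=list)


def version_tuple(v: str) -> Tuple[int, ...]:
    """'3.10.2' -> (3, 10, 2) so that versions compare numerically, not lexically."""
    return tuple(int(part) for part in v.split("."))


def evaluate(dev: Device, current_sw_version: str) -> Decision:
    failures: List[str] = []
    actions: List[str] = []

    # Access control: a passcode, and a complex one.
    if not dev.passcode_set:
        failures.append("no passcode")
    elif not dev.passcode_alphanumeric:
        failures.append("passcode not alphanumeric")

    # Encryption at rest.
    if not dev.storage_encrypted:
        failures.append("storage not encrypted")

    # Security software present and current.
    if not dev.security_sw_version:
        failures.append("no security software")
    elif version_tuple(dev.security_sw_version) < version_tuple(current_sw_version):
        failures.append("security software out of date")

    # Banned file-sharing software.
    banned = sorted(dev.installed_apps & BANNED_FILE_SHARING_APPS)
    if banned:
        failures.append("file-sharing software installed: " + ", ".join(banned))

    # Remote wipe on loss/theft or termination, as the MDM description requires.
    if dev.reported_lost or not dev.owner_active:
        actions.append("remote wipe")
    if dev.reported_lost and dev.stores_ephi:
        if dev.storage_encrypted:
            actions.append("encrypted device: document encryption safe harbor")
        else:
            actions.append("unencrypted ePHI: begin breach risk assessment and notification")

    allow = not failures and not dev.reported_lost and dev.owner_active
    if failures and not dev.reported_lost and dev.owner_active:
        actions.append("block network access until remediated")
    return Decision(dev.device_id, allow, failures, actions)


def evaluate_fleet(devices: Iterable[Device], current_sw_version: str) -> Dict[str, Decision]:
    return {d.device_id: evaluate(d, current_sw_version) for d in devices}


# Constructed sample inventory: one compliant device, one non-compliant, one lost.
SAMPLE_FLEET = [
    Device("tablet-01", "dr.a", True, True, True, "3.10.2", {"com.example.ehr"}),
    Device("phone-02", "nurse.b", False, False, False, "3.9.0",
           {"com.example.ehr", "com.example.p2pshare"}),
    Device("laptop-03", "dr.c", True, True, True, "3.10.2", {"com.example.ehr"},
           reported_lost=True),
]

if __name__ == "__main__":
    for dec in evaluate_fleet(SAMPLE_FLEET, "3.10.2").values():
        print(dec)
```

Running the block prints one decision per device: tablet-01 is allowed, phone-02 is blocked with four failures, and laptop-03 is blocked, queued for remote wipe and noted as falling under the encryption safe harbor. The same evaluation would be re-run whenever the agent reports a change, so a device that later disables encryption loses access rather than keeping it until the next audit.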
Healthcare organizations and their business associates should remember that securing mobile devices that access or maintain electronic PHI is not just good practice; it is the law. The measures described above are just a few of the security measures a healthcare organization should consider when adopting policies and procedures to protect PHI and other sensitive information on mobile devices. The Office of the National Coordinator for Health Information Technology (“ONC”), which is the federal organization within HHS charged with coordination of nationwide efforts to implement and use health information technology, provides additional information on securing mobile devices on its website.11 Additionally, the National Institute of Standards and Technology (“NIST”)12 has published Guidelines for Managing the Security of Mobile Devices in the Enterprise (NIST Special Publication 800-124, Revision 1),13 which is intended to help organizations centrally manage and secure mobile devices.
1. U.S. Department of Health & Human Services, Office for Civil Rights, http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html.
2. Available at: http://www.deloitte.com/assets/Dcom-UnitedStates/Local%20Assets/Documents/Health%20Care%20Provider/us_dchs_2013PhysicianSurveyHIT_051313%20(2).pdf.
3. Available at: http://www.structuredweb.com/sw/swchannel/CustomerCenter/documents/8523/22089/Cisco_mCon_BYOD_Insights_2013.pdf.
4. Cisco is the worldwide leader in IT services.
5. 45 C.F.R. § 164.308(a)(1).
6. 45 C.F.R. § 160.404.
7. Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates, Inc. (collectively “MEEI”) agreed to pay HHS $1.5 million to settle potential violations of the HIPAA Security Rule following its report of a stolen unencrypted laptop containing the electronic PHI of MEEI patients. The HHS Press Release is available at: http://www.hhs.gov/news/press/2012pres/09/20120917a.html. The Alaska Department of Health and Human Services agreed to pay HHS $1.7 million to settle potential violations of the HIPAA Security Rule following its report that a portable electronic storage device (USB hard drive) possibly containing electronic PHI was stolen from the vehicle of an Alaska DHHS employee. The HHS Press Release is available at: http://www.hhs.gov/news/press/2012pres/06/20120626a.html.
8. Mobile devices are particularly susceptible to data theft and other security breaches for a number of reasons, including: (1) the mobility of the device makes it more likely to be lost or stolen than other devices; (2) many mobile devices are untrustworthy, especially when personal devices are used for business purposes pursuant to bring your own device (“BYOD”) policies; (3) organizations lack control over the security of external networks that mobile devices often use to connect to the Internet; (4) mobile devices generally have unfettered access to third-party applications (“mobile apps”) that may not be trustworthy; and (5) mobile devices often interact with other systems that may not be trustworthy (e.g., individuals can connect a mobile device to a desktop via a cable for charging and/or syncing, or remotely back up the device to a cloud-based storage solution). See NIST Special Publication 800-124, Revision 1 (June 2013), Section 2.2 for a more thorough discussion of some of the security threats and vulnerabilities to mobile devices.
9. Breach reporting under the HIPAA Breach Notification Rule (45 C.F.R. Part 164, Subpart D) is required only in the event of a breach of “unsecured protected health information,” which is PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized individuals. PHI is considered secured, and its loss is not reportable, only if (i) electronic PHI has been encrypted as specified in HHS guidance under the HIPAA Security Rule, or (ii) the media on which the PHI is stored or recorded has been destroyed. 45 C.F.R. § 164.402; 74 Fed. Reg. 19006 (April 27, 2009) (Guidance). Most state laws require notification in the event of a breach of “unencrypted” computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the entity. See, e.g., Tenn. Code Ann. § 47-18-2107(a)(1).
10. SMS text messaging is inherently insecure for a number of reasons: (1) messages are not encrypted end to end, so the carrier and any system in the delivery path can read them; (2) messages are routed through cellular provider networks where there is no guarantee that they will not be archived and/or accessed by an unauthorized party; (3) there is no authentication of the recipient, so the message goes to whatever device currently holds the number; and (4) there is no control over the digital life of the message once it is transmitted.
11. Available at: http://www.healthit.gov/providers-professionals/your-mobile-device-and-health-information-privacy-and-security.
12. NIST is a non-regulatory federal agency within the U.S. Department of Commerce that is responsible for developing standards, guidelines, tests and metrics for the protection of non-national security Federal information and information systems.
13. Available at: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-124r1.pdf.