Mobile devices can make your staff more efficient and your practice more profitable. But those same devices can increase your practice’s risk of a PHI breach—and that’s scary stuff.
The days of the employer-issued Blackberry are long gone. BYOD—bring your own device—is where it’s at. “It’s that concept where you’re bringing your own device, whatever that may be, and using it to access networks containing protected health information,” says Eric Christensen, Director of Client Services at Healthcare Compliance Pros. Physicians and staff want the convenience of using one device for both personal and work purposes. Unfortunately, that can be a diabolical combination. “The big issues are HIPAA and data security, and the potential for violations,” Christensen notes.
Luckily, reducing your risk of a breach—and the fiendish fines that come with it—is easier than you think. “To say that it’s technically difficult is kind of a misnomer,” says Christensen. The concept is simple: “We’re trying to set up network environments that allow for access to certain resources but not others.” For example, you want patients in your waiting room to be able to access the internet, but not your EHR system. You want to give a staff member access to the patient portal, but not to shared drives where you keep financial records. “We’re trying to silo—or create containers for—certain types of information,” he notes.
That doesn’t have to be a complex task. At the simplest level, you can containerize by maintaining a private network (with restricted access) and a public network. “Most people already have this setup at home,” Christensen explains. “They have a guest network for when friends come over and want to use the internet, and they have a private network where maybe they store their movies or pictures. Practices operate the same way. They have a secure private network that contains PHI, and a guest network that exists separately.”
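One way the "silo" idea looks when written down on a practice's Linux gateway, as an added example that is not part of the original article or of Healthcare Compliance Pros' guidance: three segments (waiting-room guest Wi-Fi, authorized staff personal devices, and the private LAN that holds PHI), with an nftables forwarding policy that lets guests reach only the internet, lets staff devices reach the internet plus the patient portal over HTTPS but not the file server or EHR, and drops everything else. The interface names, subnets, and server addresses are assumptions constructed for the example.

```nftables
#!/usr/sbin/nft -f
# Constructed example: interface names, subnets and server addresses are assumed.
flush ruleset

define IF_WAN   = "eth0"      # uplink to the internet
define IF_GUEST = "vlan50"    # waiting-room / guest Wi-Fi
define IF_BYOD  = "vlan20"    # authorized staff personal devices
define IF_PRIV  = "vlan10"    # practice LAN that contains PHI

define NET_PRIV   = 10.10.0.0/24
define PORTAL     = 10.10.0.20   # patient portal web server
define FILESERVER = 10.10.0.30   # shared drive with financial records
define EHR        = 10.10.0.40   # EHR application server

table inet practice {
    chain forward {
        # Default is deny: anything not explicitly allowed below is dropped.
        type filter hook forward priority 0; policy drop;

        # Allow return traffic for connections that were already permitted.
        ct state established,related accept
        ct state invalid drop

        # Guest Wi-Fi: internet only. The private LAN is never reachable.
        iifname $IF_GUEST oifname $IF_WAN accept
        iifname $IF_GUEST ip daddr $NET_PRIV log prefix "guest-to-private-denied " drop

        # Staff BYOD: internet, plus HTTPS to the patient portal only.
        # The file server and EHR are on the same subnet but are not listed,
        # so they fall through to the logged drop.
        iifname $IF_BYOD oifname $IF_WAN accept
        iifname $IF_BYOD ip daddr $PORTAL tcp dport 443 accept
        iifname $IF_BYOD ip daddr $NET_PRIV log prefix "byod-to-private-denied " drop

        # Private LAN: may reach the internet; traffic within the LAN itself
        # never crosses this gateway.
        iifname $IF_PRIV oifname $IF_WAN accept
    }
}
```

Loading this with `nft -f` on the gateway and then trying to browse to the file server from a phone on the BYOD network is a quick check that the containers actually hold: the attempt should fail and a "byod-to-private-denied" line should appear in the kernel log, which is also the place to look when reviewing whether unauthorized devices are probing the private segment.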
Ask Before Authorizing
Any time a staff member wants to access PHI from a mobile device, he or she must use the secure network. But before allowing that to happen, you must do some detective work. “If personal mobile devices have not been authorized, they should not be allowed to access your network or PHI,” emphasizes Christensen. So how do you authorize a mobile device?
- Find out how the staff member restricts access to his or her device. Do they use a password? If so, how often do they change it? What about a fingerprint?
- Is the device encrypted? “To encrypt a device, the newest mobile operating systems have simple checkboxes in the security settings. The reality is that encrypting a device is very easy,” says Christensen.
“These are the kinds of questions you need to ask the employee before you allow them to access your private network—and the PHI it contains—via their mobile device,” advises Christensen. “These are not difficult questions to ask and answer.”
Put It in Writing
“We highly recommend written BYOD policies and procedures,” says Christensen. “A lot of the time the issue isn’t about giving or not giving access, but it’s about ensuring that certain security protocols are put in place.” Every employee who wants to access your practice’s secure network should read and sign the mobile device policy. Policies often include the following elements, according to Christensen:
- An acceptable use agreement.
- Language that explains employee liability for risk.
- Process for reporting a lost or stolen device.
- Right to disable or remotely wipe a device.
- Right to monitor and preserve information that traverses the company network.
Part of the appeal of BYOD is for employees to use just one device for both personal and work purposes. They likely understand the need for tight monitoring and security to protect ePHI, but they don’t want the IT department to have access to their personal photos, texts, and browsing history. How can you balance the two?
“In many practices, it’s not a big issue that personal information is going to be monitored,” says Christensen. The risk of exposure may be minimal, but this is something you should address in your mobile device policy. “If they want to use the secure Wi-Fi, if they want to get company email on their phones, staff must accept that they are giving up a certain privacy expectation,” he explains. “That’s the way the policy needs to be written. The employer must have the ability to monitor traffic on their networks,” he continues. And it’s not just about data security. “It might be ‘Hey guys, I see that everyone’s on Facebook all day long,’” notes Christensen. “This is a productivity issue as much as a security issue.”
You may never need to enforce this policy unless you have a security incident. But “when that incident happens, you may need to examine their devices. You may be forced to wipe their phones,” Christensen says. The policy should explain what your expectations are for individual privacy versus the security needs of the practice. “The risk exposure for HIPAA violations, bad press, or fines is much higher for the practice than it is for the individual.”
As part of your acceptable use policy, staff should agree not to access PHI from an unsecured Wi-Fi network (like at the airport). On an unsecured network, your data is out in the open and anyone can see it—or steal it. If employees cannot connect to a secured network, they should use a virtual private network (VPN). A VPN allows you to transmit data over a secure, encrypted connection, even on a public network.
Let’s Talk About Text
You might think SMS stands for Secure Messaging System. Newsflash: it doesn’t. SMS—short message service—is not secure, and sending patient PHI via SMS text would be a breach (this includes iMessage). ePHI may only be sent via a method with end-to-end encryption, so use a secure text messaging app instead. There are several HIPAA-compliant secure text messaging services on the market.
A Burning Question
Q: Do I need to install antivirus software on a mobile device? I’ve heard that malware and phishing attacks are on the rise.
A: If you use the device to access secure resources, it’s a good idea. “If you have software like Norton™, or McAfee®, those software packages generally give you licenses for a number of devices, not just that single desktop PC,” Christensen explains.
But your bigger focus should be on employee education. “We can’t always protect against these attacks with antivirus software or a firewall if the employees, through their own mistakes, open the door,” Christensen says. “A lot of times these attacks come through email invitations. Are you on the secure network and you just have to click on that cute kitten photo? Those are the types of things we do not want to be clicking on.” Ditto for apps, which can contain security flaws or even malware.