Keep portable devices secure - or face penalties

Tablets. Smartphones. Laptops.

The ubiquitous portable electronic devices in the healthcare workplace, particularly professionals’ unencrypted personal devices, are exacerbating an already growing security risk – data breaches.

Only 44 percent of respondents in a research study said they had encrypted their mobile devices, according to a Department of Health and Human Services (HHS) report. The greatest risks with mobile devices are theft, loss, and downloaded viruses and malware.

Intelligence data for malicious traffic, examined in a February 2014 SANS Health Care Cyberthreat Report, confirmed just how vulnerable the healthcare industry is when it comes to security risks.

“Many of the organizations were compromised and, therefore, out of compliance for months, and some for the duration of the study – meaning they never detected their compromises or outbound malicious communications,” the report says.

Most of the malicious traffic (72 percent) emanated from healthcare providers. One-third of the victims were small providers – either individual practices or small groups with fewer than 10 providers.

Practices found out of compliance with the Security Rule of the Health Insurance Portability and Accountability Act (HIPAA) face civil and, in some cases, criminal penalties. While huge penalties extracted from large healthcare systems are big news, smaller healthcare groups are not immune to receiving fines for noncompliance.

A small dermatology practice in Massachusetts, as an example, paid $150,000 in fines for loss of a thumb drive containing protected health information.

Action steps

Taking the following actions can help to keep mobile devices secure:

• Require a password, personal identification number (PIN) or passcode to gain access to the device. Strong passwords should include at least six characters, including upper- and lower-case letters, at least one number and at least one keyboard character. Passwords should be changed no less often than quarterly. Combining passwords or PINs with other types of authentication methods can secure the device further.
• Use device features to limit accessibility. Enable an automatic time-out or logoff feature to lock the device when not in use. Set the device to limit the number of unsuccessful login attempts.
• Disable certain features like speech recognition or voice controls that can activate a phone when locked or SMS (short message service) preview to prevent the viewing of text messages when the device is locked.
• Restrict administrative actions for utilities on the device to authorized users only so that settings cannot be changed by anyone else.
• Install and enable encryption for data stored on and sent from your device.
• Install and activate remote wiping and/or remote disabling. Wiping erases data on a device if it is lost or stolen. Remote disabling locks the device if lost or stolen. Be sure to regularly back up data on the device to a secure location that is encrypted.
• Disable and do not use a file-sharing application to prevent others from viewing files on the device or installing a virus or malware.
• Install a firewall to protect against unauthorized connections. Some devices come with a firewall that can be enabled.
• Install and enable security software and keep it up to date.
• Research a mobile app before downloading to ensure it will not compromise data by, for example, copying your address book.
• Maintain physical control of your mobile device by keeping it with you or locking it in a secure location and not sharing it with others.
• Secure data when using a public or private Wi-Fi connection, such as a virtual private network (VPN) or a secure browser connection (https). Turn off Wi-Fi, location services and Bluetooth functionality when not in use.
• Remove all health information data before disposing of a mobile device. 

Stay informed

HealthIT.gov provides healthcare professionals with information on how to maintain the security of laptops and other mobile devices. Click here for more information.

Additionally, conducting a security risk assessment is required not only under the HIPAA Security Rule but also as part of the Meaningful Use Program. A risk assessment can uncover potential weaknesses in security policies, processes and systems and enable a practice to address them before a data breach occurs.

To help providers in small-to-medium-sized offices conduct risk assessments of their organizations, HHS has developed a security risk assessment (SRA) tool that is available for both Windows operating systems and iOS iPads. Download the Windows version at www.HealthIT.gov/security-risk-assessment. The iOS iPad version is available from the Apple App Store. Search under “HHS SRA tool.”