Why built-in security features are not enough
by William Standifird
November 29, 2016

There is no doubt about it: your health care business is going mobile. Smartphones and tablets are quickly replacing clipboards, charts and desktop computers as practitioners take advantage of improvements in processing power, digital connectivity, and secure cloud-based solutions to manage electronic patient health information (ePHI).

But wait! It can’t be that easy, can it? What happens if a device gets hacked? What happens if one of your employees loses a device? What if a device is stolen? You may be surprised to learn that recently a single lost smartphone resulted in a $650,000 fine to Catholic Health Care Services in Philadelphia. They are not alone; while the government only reports on cases involving the loss of more than 500 records, some 507 violations with more than 10 million ePHI records have been reported since 2009. The primary cause of these breaches? Device theft. We would all like to believe that mobile devices only access secure point-of-care software, but cookies, texts, photos, emails and many other forms of unauthorized ePHI are frequently found on mobile devices—making them a serious security risk for your business.

What is the answer? The Department of Health and Human Services (HHS) provides many recommendations on how to manage digital risks associated with mobile devices. Simply put, there are three layers of security that need to be considered:

  • Policies and procedures—These include a risk assessment and protocols for how and when to use the mobile devices.
  • Encryption—If a device is lost, encryption provides some level of security; however, even the most sophisticated encryption systems are being cracked.
  • Remote lock and wipe—This is your last line of defense and, if implemented properly, is the most reliable measure to prevent the loss of ePHI.

While there are numerous types of mobile devices, and systems with which to manage them, Android products are quickly emerging as the preferred choice for medical institutions. These devices are feature-rich, substantially less expensive than their counterparts, and offer developers the most flexible platform on which mobile security solutions can be developed. Applications such as License Lock Locate (LLL), from Mountaineer Technology Ventures, provide a simple and economical system for ensuring that mobile devices cannot be compromised if they are lost or stolen. Unlike other solutions, LLL is specifically designed to promote HIPAA compliance and includes several features to ensure ease of use and reliability. With LLL, a mobile device can be quickly locked and then located so that it can be recovered without compromising ePHI during the search. If recovery is not practical, the device can be remotely wiped of all data. With all remote features stored in a cloud database, a regulator can be shown exactly when a device was remotely locked or wiped, further reducing the risk of a HIPAA violation.

The transition to smartphones and tablets is inevitable. These technologies will simplify the management of ePHI, improve quality of care, boost staff efficiency and reduce the overall cost of care. But mobile also introduces risks that can expose sensitive patient data and put your practice in danger of costly fines. Be sure to follow all government regulations regarding the use of mobile devices, consult with a qualified consultant to implement mobile device policies, and deploy technologies for encryption, remote lock, and remote wipe for when, not if, a mobile device becomes lost or stolen.