Children's Medical Center of Dallas serves as a good example of the importance of managing mobile devices as part of your HIPAA compliance regimen.
I just had lunch with a friend who used to work at the company that makes the Blackberry device. We shared warm memories of the little fellow. It was a powerful business tool that popularized the “always connected” workforce by bringing email out of the office and into the purse or pocket. I loved the “chiclet” keyboard and stuck with Blackberry long after the market had moved to smart phones and devices.
Children’s Medical Center of Dallas loved their Blackberries too. According to a Notice of Proposed Determination issued by the Office of Civil Rights (OCR) of the Department of Health and Human Services, Children’s issued unencrypted Blackberry devices to their nurses beginning in 2007. In August 2008, a consultant identified data encryption, including data on mobile devices, as a high priority to be addressed before the end of 2008 to secure protected health information (ePHI). According to the OCR Notice, it took four and half years for the hospital to finally implement encryption on all its mobile devices. In the meantime, there were three different data breaches at the hospital, two involving mobile devices, which affected over 5,000 individuals. For these and other failures, Children’s Medical Center of Dallas was recently fined $3,217,000.
Despite their ubiquity, smart phones and other mobile devices are challenging to fold into your HIPAA policies because the security and privacy issues with the portable platforms are different. Encryption is critical, but there is more going on, making these devices harder to secure than the other computers in the office.
The National Institute of Standards and Technology’s (NIST) excellent “Guidelines for Managing the Security of Mobile Devices in the Enterprise” identifies the features that make smart devices harder to secure. Many, if not most, smart devices are owned by the user and the user has loaded it up with whatever apps she or he desires. These apps often communicate information to and from the vendor’s and other websites. The devices are designed to go everywhere – the home, the office, the coffee shop, out and about. Anyone can pick them up and start using them. Mobile devices frequently make use of public, untrustworthy networks. Automatic, cloud based backups can send copies of ePHI to other networks which may or may not be secure, but are certainly not subject to a business associate contract. These features are often what makes the device appealing, but they shred the administrative, physical and technical safeguards the covered entity or business associate may have in place.
NIST suggests that you first ask whether remote access to ePHI is needed at all. If it is needed, then you determine which devices access which data. This is more than technical security. Your device policy should also address the requirement that access to ePHI be sharply restricted based on need to access. Then, NIST suggests you continually reassess the plan and the need to move ePHI off of the secured servers.
The Health System of the University of Alabama has posted its HIPAA Core Policy on Use of Portable Devices. It is good reading. It begins with the general rule that ePHI and other sensitive data must stay on the secured servers and not be copied or downloaded to a hard drive, thumb drive, laptop or other storage device unless the download has been approved by senior management. Further, workers are not permitted to use personally owned portable devices for work related purposes unless there has been the same high level sign-off. If the movement of data off the secure servers is permitted, the policy then goes into detail about what the devices must be like, which computer networks they can access and who can use them.
You must think differently about portable smart devices around protected health information. Put in place smart restrictions, and make sure if you must store ePHI on mobile devices, that you have a plan on how protect this information once it's on the device.