Invasion of Smart Phones in Clinical Areas Chrissy Kyak Privacy Officer University of Maryland Upper Chesapeake Health.

Personal Mobile Device Use in a Clinical Setting
Many hospitals and health care providers are struggling with what to do about employees and their use of mobile devices in the workplace.
• What is our organization's position on Bring Your Own Device, or "BYOD"?
• Do you have a policy that speaks to whether the organization allows use of personal devices?
• Does HIPAA allow the use of personal devices to transmit or store PHI?

Mobile Devices and Protected Health Information
• What does the law say about mobile devices?
• Nothing in HIPAA says it is impermissible to use a personal device to transmit patient information. However, the HIPAA Security Rule is clear that a covered entity must protect the confidentiality, integrity and availability of the electronic PHI it creates, receives, maintains or transmits, so patient information must be protected at rest, in use and in transit.
• The problem: who owns the phone or portable device, and how can a covered entity enforce proper security on a device it does not own?

Common Conversations Regarding Mobile Devices

Common feedback: "Our phones on the unit are so outdated. They break, they aren't efficient, and they are three times the size of my cell phone. I can use my cell to text and don't have to use number keys to text docs... It's so much faster."
Response: What does your policy regarding mobile devices state? Do you have a policy? Are you texting PHI? If so, you may be putting patient information at risk. Remember that a personal phone is normally backed up to a consumer cloud service run by the phone vendor, so any PHI you text is copied to storage the organization neither controls nor has a business associate agreement for.

Common feedback: "I don't want to carry around more than one phone – why can't I just use my personal cell phone?"
Response: Newer phones have built-in storage encryption, but older models may not, and on current devices the encryption key is tied to the passcode, so encryption protects nothing on a phone with no passcode. Encryption is often not in effect because the owner is unaware the feature exists or has never set a passcode.

Common feedback: "If I need to text a doctor information about a patient, it's no different than calling the doctor."
Response: Texting and phone calls are two very different modes of communication with very different levels of risk. A text sent from a mobile device without appropriate security is stored on the phone, usually in its cloud backup, and on the carrier's systems; none of that storage is under the organization's control.

Common feedback: "I'm under a lot of pressure to treat patients quickly... It's just easier to text other docs and nurses when I need to tell them something. Maybe the hospital should look into purchasing us better technology."
Response: Convenience may be tempting, but since the HITECH Act, civil penalties for HIPAA violations run up to $50,000 per violation and $1.5 million per calendar year for each provision violated. Many of the settlements announced by the HHS Office for Civil Rights involve Security Rule failures, frequently lost or stolen unencrypted devices or PHI left exposed on the internet.

Common feedback: "I told our IT Department that I was using my mobile phone to text, and they said that they wanted me to give them rights to my device so that they can wipe it if it gets lost or stolen. I don't think I want to give them this right. It's my device."
Response: It may be your device, but if you are texting PHI, it is the organization's patient information. You put the organization at risk if the device is lost or stolen and you do not report it. Using your own device comes with tradeoffs so that the information can be safeguarded.

Coming Up with a Position on Use of Smartphones in Your Organization
• Use of smartphones: many organizations are aware that employees in clinical areas are using personal mobile devices to communicate information about their patients, but are they dealing with the issue?
• Pretending the issue does not exist can cost your organization.

Steps to Compliance
• Does your organization have a mobile device policy?
• What is your organization's position?
• Is your organization willing to support a BYOD culture?
• Do you know who your organization's Privacy & Security officers are if you have questions regarding BYOD?
• Are you training your employees on what your organization's position is?

Steps to Compliance
• Does your organization use a Virtual Private Network, or "VPN"?
• A VPN encrypts traffic between the employee's device and the organization's network, so employees can reach internal systems remotely over an untrusted network without exposing that traffic.
• This allows employees to:
  • Message securely, provided the messaging application routes through the VPN or the organization's own secure messaging service (ordinary SMS text messages travel over the carrier's network and are not protected by a VPN)
  • Access patient information securely
  • … securely

Understand What Can Put a Patient's Information at Risk
There are risks many do not think of when we talk about mobile devices:
• The device gets lost: is the employee reporting the loss to the employer, even when the phone belongs to the employee?
• Devices can be stolen: is your IT department able to remotely wipe personal smartphones that hold PHI if they are lost or stolen?
• Is the employee's phone password protected? You would be surprised how many people do not have a passcode on their phone.
• Depending on the type of device, malware and viruses are a potential threat that can be introduced into the workplace.
• Do your employees understand that using "free Wi-Fi" outside work is dangerous? Anything sent over an open network without encryption can be read or altered by others on that network, so PHI in transit can be intercepted.

Simple Steps for Each Employee to Take to Help Their Organization Achieve Compliance
Step 1: Use a password or other user authentication method
• Authentication is the process of verifying the identity of a user.
• Mobile devices can be configured to require a password, PIN or passcode to gain access.
• After a set number of wrong passwords or PINs, the device can lock itself for an increasing delay and, if configured, wipe its data, so an unauthorized user cannot keep guessing until the right code is found.

Step 2: Install and enable encryption
• Encryption protects health information stored on and sent by mobile devices.
• Mobile devices often have built-in encryption that can be activated, or encryption software can be purchased for a device. Built-in device encryption is keyed from the passcode, so it only protects the data when a passcode is set.
• Find out what your organization's encryption capabilities are and whether it offers encryption for a personal device.

Step 3: Install and activate remote wiping and/or remote disabling
• Remote wiping enables you to erase data on a mobile device remotely. This can permanently delete data stored on a lost or stolen mobile device.
• Remote disabling enables you to lock your device until it is recovered.

Step 4: Disable and do not install or use file sharing applications
• File sharing is software or a system that allows Internet users to connect to each other and trade computer files.
• But file sharing can also enable unauthorized users to access your laptop, handheld device or phone without your knowledge.
• By disabling or not using file sharing applications, you reduce a known risk to data on your mobile device.

Step 5: Install and enable a firewall
• A personal firewall on a mobile device can protect against unauthorized connections.
• Firewalls intercept incoming and outgoing connection attempts and block or permit them based on a set of rules.

Step 6: Install and enable security software
• Security software can be installed to protect against malicious applications, viruses, spyware, and malware-based attacks.

Step 7: Keep your security software up to date
• When you regularly update your security software, you have the latest detections and fixes to prevent unauthorized access to health information on or through your mobile device. The same applies to the device's operating system: an unpatched phone is exposed to known vulnerabilities.

Step 8: Research mobile applications (apps) before downloading
• A mobile app is a software program that performs one or more specific functions.
• Before you download and install an app on your mobile device, verify that the app will perform only functions you approve of and requests only the permissions it needs (an app that asks for your contacts, messages or location without a reason is a warning sign). Not sure if the app is OK? Ask your IT Department.
• Use known websites or other trusted sources that you know will give reputable reviews of the app.

Step 9: Maintain physical control
• The benefits of mobile devices (portability, small size, and convenience) are also their challenges for protecting and securing health information.
• Mobile devices are easily lost or stolen.
• There is also a risk of unauthorized use and disclosure of patient health information.
• You limit an unauthorized user's ability to access, tamper with or steal your mobile device when you physically secure it.

Step 10: Use adequate security to send or receive health information over public Wi-Fi networks
• Public Wi-Fi networks are tempting to use because, of course, they are free.
• But they can be an easy way for unauthorized users to intercept information.
• You can protect and secure health information by not sending or receiving it when connected to a public Wi-Fi network, unless you use a secure, encrypted connection such as the organization's VPN or an application that encrypts its traffic end to end.

Step 11: Delete all stored health information before discarding or reusing the mobile device
• When you use software tools that thoroughly delete (or wipe) data stored on a mobile device before discarding or reusing the device, you protect health information from unauthorized access.
• HHS OCR has issued guidance that discusses the proper steps to take to remove health information and other sensitive data stored on your mobile device before you dispose of or reuse the device.
• Unsure how to make sure your device is sufficiently wiped when you get a new device? Ask your IT Department for help!
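The eleven steps above are a checklist for the employee; an organization also needs a way to verify them before a device touches PHI. The following Python script is an added example written for this page, not code from the presentation or from any MDM product. It takes the kind of posture report an MDM or conditional-access service produces for a device and decides whether that device may hold or transmit PHI. The field names, the thresholds (6-digit PIN minimum, 7-day freshness for security software, 0.01% of the PIN space reachable by guessing) and the sample devices are all assumptions constructed for the example. It also makes two dependencies explicit that the slides only hint at: device encryption counts only when a passcode is set, and a passcode counts only when a failed-attempt lockout bounds how much of the PIN space a thief can try.

```python
"""Decide whether a BYOD device may hold or transmit PHI, based on the
device posture an MDM reports. Constructed example for this page; the
field names, thresholds and sample devices are assumptions, not the
output or API of any real MDM product."""
from dataclasses import dataclass


@dataclass(frozen=True)
class DevicePosture:
    device_id: str
    passcode_set: bool
    passcode_digits: int              # length of a numeric PIN; 0 if none
    failed_attempts_before_wipe: int  # 0 means no lockout/wipe threshold
    storage_encrypted: bool
    mdm_enrolled: bool                # remote lock / remote wipe possible
    security_software_age_days: int   # days since last definition update
    file_sharing_apps: tuple = ()     # names of installed P2P/file-sharing apps
    on_public_wifi: bool = False
    vpn_connected: bool = False


MIN_PIN_DIGITS = 6                # assumed organizational minimum (step 1)
MAX_DEFINITION_AGE_DAYS = 7       # assumed freshness requirement (step 7)
MAX_GUESSABLE_FRACTION = 1e-4     # attacker may try at most 0.01% of PIN space
HARD_FAIL_STEPS = ("step 1", "step 2", "step 3", "step 10")


def guessable_fraction(p: DevicePosture) -> float:
    """Fraction of the numeric PIN space an attacker holding the device can
    try before it locks or wipes. Without a passcode, or without a
    failed-attempt threshold, the whole space is reachable (1.0)."""
    if not p.passcode_set or p.passcode_digits <= 0:
        return 1.0
    if p.failed_attempts_before_wipe <= 0:
        return 1.0
    return min(1.0, p.failed_attempts_before_wipe / 10 ** p.passcode_digits)


def evaluate(p: DevicePosture) -> list:
    """Return the list of steps (from the slides above) the device fails."""
    findings = []
    if not p.passcode_set:
        findings.append("step 1: no passcode; anyone who picks up the device can unlock it")
    elif p.passcode_digits < MIN_PIN_DIGITS:
        findings.append(f"step 1: PIN shorter than {MIN_PIN_DIGITS} digits")
    if guessable_fraction(p) > MAX_GUESSABLE_FRACTION:
        findings.append("step 1: no effective failed-attempt lockout; PIN can be brute-forced")
    # Step 2: on current phones the storage key is derived from the passcode,
    # so an "encrypted" device with no passcode is not effectively encrypted.
    if not (p.storage_encrypted and p.passcode_set):
        findings.append("step 2: storage not effectively encrypted")
    if not p.mdm_enrolled:
        findings.append("step 3: not enrolled; cannot be remotely locked or wiped if lost")
    if p.file_sharing_apps:
        findings.append("step 4: file-sharing apps installed: " + ", ".join(p.file_sharing_apps))
    if p.security_software_age_days > MAX_DEFINITION_AGE_DAYS:
        findings.append("step 7: security software out of date")
    if p.on_public_wifi and not p.vpn_connected:
        findings.append("step 10: on public Wi-Fi without VPN; traffic can be intercepted")
    return findings


def access_decision(p: DevicePosture) -> str:
    """'allow' if clean, 'deny' if a hard control is missing, otherwise
    'allow-with-remediation' (user must fix the finding but may keep working)."""
    findings = evaluate(p)
    if not findings:
        return "allow"
    if any(f.startswith(HARD_FAIL_STEPS) for f in findings):
        return "deny"
    return "allow-with-remediation"


if __name__ == "__main__":
    # Constructed sample devices, not real inventory data.
    samples = [
        DevicePosture("nurse-iphone", True, 6, 10, True, True, 2),
        DevicePosture("resident-android", False, 0, 0, True, False, 30,
                      ("p2p-share",), True, False),
    ]
    for dev in samples:
        print(dev.device_id, access_decision(dev))
        for line in evaluate(dev):
            print("   ", line)
```

The decision splits findings into hard failures (no passcode, no effective encryption, no remote wipe, unprotected traffic on public Wi-Fi), which block access outright, and remediable ones (stale security software, a file-sharing app), which let the user keep working while the finding is fixed. Note how the second sample device reports "storage_encrypted" as true yet still fails step 2, because with no passcode the encryption key is not protected by anything.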

Questions?