When your goal is to protect PHI on laptops and mobile devices, keep in mind that information security is only as strong as its weakest link. Lenient security standards sharply increase the risk to sensitive healthcare data and can put you out of compliance with the HIPAA Security Rule. On top of that, courts are likely to treat lax standards as a security failing when a breach occurs, and then you are looking at an expensive lawsuit.
In brief, the HIPAA Security Rule's general requirements (45 CFR 164.306(a)) call for covered entities and business associates to do the following:
- Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity or business associate creates, receives, maintains, or transmits.
- Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
- Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under Subpart E of this part (the Privacy Rule).
Can you demonstrate device encryption?
CEs and BAs, keep in mind, too, that you can't take advantage of the HIPAA Breach Notification Rule safe harbor unless you can demonstrate that a lost or stolen device was encrypted at the time it went missing. Without that evidence (an MDM or inventory record showing the device's encryption status on that date), it is hard to prove the device was secure and that no PHI or PII was accessed. Encryption also only protects data at rest: a device lost while powered on and unlocked, or one with no passcode at all, hands the data to whoever picks it up. Apple iPhones and iPads encrypt their storage automatically, but that protection is only effective once a passcode is set. Android devices running recent versions encrypt by default as well; older Android tablets and smartphones, Windows laptops, tablets and smartphones (BitLocker or Device Encryption) and Macs (FileVault) need encryption turned on by the end user or IT staff, and on Windows the recovery key should be escrowed to your directory or MDM so the encryption never locks out your own staff. In every case, keep a record that it was on. Take the steps below to protect laptops, tablets and smartphones, and with them the PHI they hold.
7 Steps to Laptop Data Security & Intrusion Protection
- Remove administrator privileges for all company-owned laptops and lock down devices (users run as standard users; admin rights stay with IT)
- Install and maintain mobile device management tools that support:
  - Remote wipe of hard and flash drives
  - Device tracking in the event a device is lost or stolen
  - Enforced encryption of hard drives and flash drives, with recovery keys escrowed to the MDM or directory so the encryption status of any device can be shown later
- Install and periodically update anti-malware applications
- Install and periodically update firewall applications
- Enforce strong passcodes or passwords and require periodic password changes (current NIST guidance in SP 800-63B favors long passphrases, lockout after repeated failures and a change on suspected compromise over rotation on a fixed schedule)
- Enable biometric authentication if available
- If using Windows, set share and Microsoft New Technology File System (NTFS) permissions correctly so that unauthorized users, whether on the network or at the keyboard, cannot reach sensitive files stored locally
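The Windows side of the checklist above, together with the "can you demonstrate encryption?" question, as an added example that is not from the original post: a PowerShell script that records the BitLocker state of each volume (the evidence you need when a laptop goes missing), lists local administrators, checks Microsoft Defender and the firewall profiles, tightens NTFS permissions on a folder holding PHI, and writes a timestamped, hashed JSON record. The folder C:\PHI, the group CLINIC\PHI-Users and the evidence directory are hypothetical names; the script assumes Windows 10/11 Pro or Enterprise with the BitLocker module, run from an elevated PowerShell session.

```powershell
#Requires -RunAsAdministrator
# Added example (not the original post's code). Collects a point-in-time
# hardening and encryption evidence record for a Windows laptop.
# The paths and group name below are hypothetical; adjust for your environment.
$EvidenceDir = 'C:\ProgramData\Compliance'
$PhiFolder   = 'C:\PHI'               # hypothetical local folder holding PHI
$PhiGroup    = 'CLINIC\PHI-Users'     # hypothetical AD group allowed to read/modify it
$findings    = @()

# 1. Encryption state of every BitLocker-capable volume. "FullyEncrypted" with
#    ProtectionStatus "On" is the state you must be able to show later.
$bitlocker = foreach ($v in Get-BitLockerVolume) {
    $protectors = ($v.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType }) -join ','
    if ([string]$v.VolumeStatus -ne 'FullyEncrypted' -or [string]$v.ProtectionStatus -ne 'On') {
        $findings += "Drive $($v.MountPoint): VolumeStatus=$($v.VolumeStatus) ProtectionStatus=$($v.ProtectionStatus)"
    }
    if ($v.MountPoint -eq $env:SystemDrive -and $protectors -notmatch 'Tpm') {
        $findings += "Drive $($v.MountPoint): no TPM-based key protector"
    }
    if ($protectors -notmatch 'RecoveryPassword') {
        $findings += "Drive $($v.MountPoint): no recovery password protector (escrow one to AD/Entra ID/MDM)"
    }
    [pscustomobject]@{
        Drive = $v.MountPoint; VolumeStatus = [string]$v.VolumeStatus
        ProtectionStatus = [string]$v.ProtectionStatus; Protectors = $protectors
    }
}

# 2. Local Administrators membership: end users should not be in here.
$admins = Get-LocalGroupMember -Group 'Administrators'
$extraLocalAdmins = $admins | Where-Object {
    $_.ObjectClass -eq 'User' -and $_.PrincipalSource -eq 'Local' -and $_.Name -notlike '*\Administrator'
}
if ($extraLocalAdmins) { $findings += "Extra local admin account(s): $($extraLocalAdmins.Name -join ', ')" }

# 3. Anti-malware (Microsoft Defender) and host firewall state.
$mp = Get-MpComputerStatus
$sigAgeDays = (New-TimeSpan -Start $mp.AntivirusSignatureLastUpdated -End (Get-Date)).Days
if (-not $mp.RealTimeProtectionEnabled) { $findings += 'Defender real-time protection is off' }
if ($sigAgeDays -gt 7) { $findings += "Defender signatures are $sigAgeDays days old" }
$firewall = Get-NetFirewallProfile | ForEach-Object {
    if (-not $_.Enabled) { $findings += "Firewall profile $($_.Name) is disabled" }
    [pscustomobject]@{ Profile = $_.Name; Enabled = [bool]$_.Enabled }
}

# 4. NTFS permissions on the local PHI folder: drop inherited ACEs, then grant
#    only SYSTEM, local Administrators and the PHI group. Share permissions on a
#    file server need the same treatment; icacls covers the NTFS side here.
if (Test-Path $PhiFolder) {
    icacls $PhiFolder /inheritance:r | Out-Null
    icacls $PhiFolder /grant:r 'SYSTEM:(OI)(CI)F' 'BUILTIN\Administrators:(OI)(CI)F' "${PhiGroup}:(OI)(CI)M" | Out-Null
    $acl = (Get-Acl $PhiFolder).Access | ForEach-Object { "$($_.IdentityReference)=$($_.FileSystemRights)" }
    if ($acl -match '^(Everyone|BUILTIN\\Users|NT AUTHORITY\\Authenticated Users)=') {
        $findings += "$PhiFolder still grants access to a broad group"
    }
} else { $acl = @("$PhiFolder not present") }

# 5. Write a timestamped record and hash it, so the copy you push to your
#    MDM or SIEM can later be matched to this device at this point in time.
$record = [pscustomobject]@{
    Host = $env:COMPUTERNAME; CollectedAtUtc = (Get-Date).ToUniversalTime().ToString('o')
    BitLocker = $bitlocker; LocalAdmins = @($admins.Name); Firewall = $firewall
    AntiMalware = [pscustomobject]@{ RealTime = $mp.RealTimeProtectionEnabled; SignatureAgeDays = $sigAgeDays }
    PhiFolderAcl = $acl; Findings = $findings
}
New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null
$file = Join-Path $EvidenceDir ('hardening-{0}-{1:yyyyMMdd-HHmmss}Z.json' -f $env:COMPUTERNAME, (Get-Date).ToUniversalTime())
$record | ConvertTo-Json -Depth 4 | Set-Content -Path $file -Encoding UTF8
Get-FileHash -Algorithm SHA256 -Path $file | Select-Object Algorithm, Hash, Path
if ($findings.Count -gt 0) { Write-Warning ("Findings:`n - " + ($findings -join "`n - ")) }
else { Write-Host "No findings; evidence written to $file" }
```

Run it from your MDM or a scheduled task and ship the JSON (or at least its SHA-256 hash) off the device; a record that lives only on the laptop disappears with the laptop. The BitLocker check insists on a TPM protector for the system drive and a recovery-password protector on every volume, because "encrypted" without an escrowed recovery key is a support problem waiting to happen, and "encrypted" with ProtectionStatus Off means the key is exposed and the safe harbor argument is weak.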
6 Ways to Protect Tablet & Smart Phone Security & Prevent Intrusion
- Remove administrator privileges for all company-owned tablets and smartphones and lock down devices
- Install and maintain mobile device management tools (for company-owned and personally owned/BYOD devices) that support:
  - Remote wipe of flash drives (on BYOD devices, a selective wipe of company data)
  - Device tracking in the event a device is lost or stolen
  - Enforced encryption of flash drives
  - Preferably, segregation of company data from personal data on BYOD devices (an Android Enterprise work profile, or managed apps on iOS), so that a selective wipe and the encryption evidence cover the company container
- Install and periodically update anti-malware applications (Exception: iPhones and iPads, where iOS does not allow third-party scanners; rely on app sandboxing, prompt OS updates and MDM compliance checks instead)
- Install and periodically update firewall applications (Exception: iPhones and iPads, for the same reason)
- Require strong passcodes or passwords and regular password changes, with an MDM policy that wipes the device after a set number of failed unlock attempts
- Enable biometric authentication if available
Device hardening is considered a reasonable security safeguard, which makes it a "must do" for HIPAA compliance and, in some states, for state law compliance as well. Take the necessary steps to protect PHI and avoid the bad headlines, regulatory penalties, lawsuits and lost business. If you need to beef up compliance planning, conduct your security risk analysis, or just aren't sure where to start with any of it, give us a call: 503-384-2538.