Smart Phones: Six Security StepsPatient Privacy Protection is Essential
The risk of data compromise is escalating as more physicians, nurses and others use mobile devices, says Ilene Yarnoff, a principal at Booz Allen Hamilton. That's why it's so important to provide education on compliance with HIPAA and other regulations before enabling caregivers to remotely access patient information via smart phones, she stresses.
Two security experts offer six smart phone tips:
Lock the Phone"Always use a lock code on your smart device," advises Fred Cruz, IT director at American Hospice, Jacksonville, Fla., which allows its home health aides to use smart phones for certain purposes. Some devices have a wipe feature if you enter the code incorrectly after several tries, he notes.
"I like to pick up devices left lying around and check to see if employees are using a lock code. If not, I like to change the language on the device to something other than English and wait and see how long it takes them to come to the office to have their device reset. We then have a review on best practices for security on a mobile device."
Remote Access, Not Data StorageTerrell Herzig, information security officer at UAB Medicine, Birmingham, Ala., advises minimizing use of smart phones and other mobile devices for data storage. Instead, they should be used to remotely access data housed on a secure server, he says. "For example, a device that remotely accesses data on a server through secure encrypted remote control has a lower risk of a data breach than a device that requires data to be moved to its internal storage."
Make Use of EncryptionIf any patient information is stored on the device, it must be encrypted, Cruz stresses. "Devices are lost and stolen all the time," he notes.
Choose the Right DeviceSecurity controls vary widely among smart phones, Herzig says. "Understand the device, how it works, and that it can meet all of the HIPAA and HITECH Act security standards," he stresses. "For example, a device that can only handle e-mail should have an encrypted container security setup that can enforce security compliance. Don't try to force a device to provide a service it was not designed to provide."
Be Careful Choosing Apps"Just because a particular application is available for a device, it doesn't mean it should be downloaded and used," Herzig says. Security staff should verify how the application will work, what integrity controls are in place, how data is transferred and what management capabilities the application supports, he explains.
Keep Track of Your Phone"Keep your device with you at all times, or secure it in a safe place when you are not working," Cruz stresses. "This is the least technical step but probably the first preventive measure in protecting the device and the data contained on it."
Herzig is the featured speaker in an upcoming webinar on securing mobile devices.