Nearly all healthcare organizations use mobile devices such as phones, laptops, and tablets in their practice. While mobile devices can increase efficiency and help you better serve patients, they also open your practice up to some serious vulnerabilities. If these devices aren’t properly secured, patched, and updated, private patient information could be put at risk. Unsecured devices also mean that you are not HIPAA compliant, which can lead to hefty fines if you are audited.
Risks of mobile devices in healthcare
They are easy to pick up and pocket. And they are easy to leave sitting around, just waiting for someone to walk by and swipe. Then, before you know it, the device is out the door and gone, probably full of private patient health information. Also, many healthcare providers will bring devices home with them or on trips where they can easily become lost and picked up by the wrong person.
Many healthcare providers don’t use passwords on their devices. This is the most basic security method, yet one that is often neglected. Without one, once the device is in the hands of a bad guy, there’s no stopping him from accessing data. A password can at least slow him down.
Emails and information typically aren’t encrypted. HIPAA requires that certain data must be encrypted when it is being transmitted and stored. Often with mobile devices, healthcare providers don’t have the necessary tools and expertise to encrypt this data. Once again, if a cybercriminal accesses the mobile device (physically or remotely) and the data is not encrypted, he will be able to easily steal it.
They can contain patient health information, which is extremely valuable to cybercriminals. Once health information is stolen, it is usually sold on the dark web - basically the black market of the internet. Today, health information is more valuable than credit card data, social security numbers, passwords, etc. This is because buyers of the data can use it to steal someone’s identity and receive medical care. The bill will go to the actual patient. If someone needs a $30,000 surgery and they don’t have health insurance, it can be a lot cheaper to purchase a stolen identity on the web.
Sometimes doctors bring and use their own mobile devices (BYOD). When doctors bring their own devices, they are using them for both work and for personal reasons. This means there is a mixture of apps on the device (some secure and some maybe not). It means that the device does not have security controls in place such as encryption and antivirus. And it means that other people at home (such as kids) are playing with the device. None of this is HIPAA compliant.
How to secure mobile devices in healthcare
Don’t implement BYOD. If you can help it, you should avoid allowing doctors, nurses, and other staff to bring their own mobile devices. If employees are using their own smartphones, you will not be able to control what apps they download and where that phone goes in their free time. You should only use company devices that (in general) don’t leave the premises.
Don’t connect devices to unsecured Wi-Fi. It is way too easy for hackers to access devices that are connected to public Wi-Fi. Instead, mobile devices should be connected to a wireless network (WPA2) that is created for them specifically. If you must connect to public Wi-Fi, always use a virtual private network (VPN) so cybercriminals can’t intercept information.
Always update the devices and apps with the latest versions of software. When vulnerabilities in software become known, hackers will start using them “in the wild.” Each update and security patch for operating systems and apps closes those vulnerabilities. That’s why it is important to regularly update devices.
Be careful about which apps you download. Some apps are important for use by healthcare professionals and others are downright malicious. Just because it has made it into the app store, doesn’t mean it’s safe to download. However, apps that are in official app stores such as Google Play and iTunes have gone through a more rigorous screening process. No matter what, you should carefully research apps before downloading and be sure to only download what you absolutely need. Less is more.
Always use a password. It may seem basic but it is often overlooked. All devices need a strong password or PIN so if they fall into the wrong hands, they are more difficult to break into. Mobile devices should also be set to lock after a certain amount of inactivity.
Install and/or enable encryption. Encryption basically makes data unreadable by prying eyes. It protects private information that is being stored or sent on a mobile device. Some devices have encryption capabilities built in that simply need to be enabled. Other devices do not and you will need to purchase additional software. Either way, this is a HIPAA requirement and you will find yourself in violation if you do not employ encryption.
Disable and do not install file sharing apps. File sharing applications such as Dropbox allow users to copy data and upload it to the cloud and outside of the control of the healthcare organization. It’s too easy to cause a data leak with this type of app so it is best to avoid them altogether.
Install the ability to remotely disable or wipe the device. Worst case scenario: the mobile device gets stolen or lost. You need the ability to disable or wipe the device, even from afar. Some programs allow you to only delete certain data and some allow data to be automatically deleted after a certain number of failed login attempts.
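The controls in this list (current OS, passcode, auto-lock, encryption, no file-sharing apps, remote wipe and wipe-after-failed-attempts) can be checked mechanically against whatever inventory your device-management tool exports. The script below is an added example, not part of the article or any real MDM product: the record fields, the thresholds, and the app identifier `com.example.cloudshare` are assumptions, and the sample inventory is constructed.

```python
# Policy thresholds (assumed values, chosen for illustration).
MIN_OS = {"ios": (17, 0), "android": (14, 0)}  # oldest OS release still accepted
MAX_AUTOLOCK_MIN = 5                            # must lock within 5 idle minutes
MAX_FAILED_ATTEMPTS = 10                        # wipe after at most 10 bad passcodes
BLOCKED_APPS = {"com.example.cloudshare"}       # placeholder: real file-sharing app ids go here

def parse_version(text):
    """Turn '17.4.1' into (17, 4, 1) so releases compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))

def audit_device(dev):
    """Return the controls a device record fails; an empty list means compliant."""
    findings = []
    if parse_version(dev["os_version"]) < MIN_OS[dev["platform"]]:
        findings.append("outdated OS")
    if not dev["passcode_set"]:
        findings.append("no passcode")
    if dev["autolock_minutes"] is None or dev["autolock_minutes"] > MAX_AUTOLOCK_MIN:
        findings.append("auto-lock too long or off")
    if not dev["storage_encrypted"]:
        findings.append("storage not encrypted")
    blocked = BLOCKED_APPS & set(dev["installed_apps"])
    if blocked:
        findings.append("file-sharing app installed: " + ", ".join(sorted(blocked)))
    if not dev["remote_wipe_enrolled"]:
        findings.append("remote wipe unavailable")
    wipe_at = dev["wipe_after_failed_attempts"]
    if wipe_at is None or wipe_at > MAX_FAILED_ATTEMPTS:
        findings.append("no wipe after failed passcode attempts")
    return findings

def audit_fleet(devices):
    """Map each non-compliant device id to its findings; compliant devices are omitted."""
    return {d["id"]: f for d in devices if (f := audit_device(d))}

# Constructed sample inventory, not real devices.
SAMPLE_FLEET = [
    {"id": "tablet-01", "platform": "ios", "os_version": "17.4.1", "passcode_set": True,
     "autolock_minutes": 2, "storage_encrypted": True, "installed_apps": ["com.example.ehr"],
     "remote_wipe_enrolled": True, "wipe_after_failed_attempts": 10},
    {"id": "phone-07", "platform": "ios", "os_version": "16.7.8", "passcode_set": False,
     "autolock_minutes": None, "storage_encrypted": False,
     "installed_apps": ["com.example.ehr", "com.example.cloudshare"],
     "remote_wipe_enrolled": False, "wipe_after_failed_attempts": None},
]

if __name__ == "__main__":
    for dev_id, findings in audit_fleet(SAMPLE_FLEET).items():
        print(dev_id, "->", "; ".join(findings))
```

Running the audit on every inventory export turns the list above into a recurring check rather than a one-time setup task, and the findings name which control each device fails.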