Smartphone and tablet users must have certain security precautions in place.

Gary Glover, Director of Security Assessments
By: Gary Glover
This article was also featured in For the Record: “Take Steps to Ensure Mobile Device Security

Managing security in the face of new HIPAA regulations is truly a challenge. But managing patient data on a mobile device?
Consider this scenario. A physician with a small practice downloads electronic protected health information (ePHI) to his personal tablet. He doesn’t have a mobile security policy, but does try his best not to lose the device. He downloads a flashlight app but isn’t aware it contains malware. Several months later, he is surprised to learn his patient records have been compromised, and the forensic traced the breach back to his tablet.

Many healthcare organizations are in the dark about the regulations they’re required to follow, and can’t state with certainty they are in compliance. In fact, only 18% believe healthcare requirements specify the protection of regulated data on mobile devices.
Some falsely assume because mobile devices are technologically advanced and marketed as ‘secure’, PHI will automatically be protected.
Because some encryption is considered safe harbor under the HIPAA Security Rule, others rely solely on device encryption, without fully understanding its implementation.

SEE ALSO: Securing Mobile Devices with Mobile Encryption

The risks of using a mobile device

Loss and theft aside, there are many other ways a mobile device could be harmful to PHI. Other risks include lack of authentication, mobile malware, unsecured Wi-Fi networks, outdated operating systems, and accidentally disclosing data by sharing the mobile device with friends, family, or coworkers.

No matter the type of technology a healthcare provider uses, they are obligated to protect PHI. If a smartphone or tablet is used to access, transmit, receive, or store information – it must have certain security precautions in place.

SEE ALSO: Securing Healthcare Mobile Devices

What you need to know about passcodes

According to Manhattan Research, 62% of doctors use tablets and smartphones for professional purposes. It may be convenient to use mobile devices as portable computers to access records at all times, but professionals must not allow convenience to overcome security.

While it’s true that enabling a four-digit passcode will prevent patients waiting in exam rooms from getting into an unobserved office tablet, they do little to keep a hacker from accessing PHI. Technically, a four-digit password would only take 10,000 tries to crack. Choosing a longer password and enabling the setting that wipes your device of data after 10 failed passcode attempts will help avoid this problem.
In a best practice scenario, mobile device passcodes should be 8 characters or more, contain alphanumeric and special characters, and not contain dictionary words (such as nurse1 or ilovebaseball). Both Android and iOS devices have the option to bypass the typical four-digit pin and choose to implement these complex alphanumeric passcodes via a simple device setting change.

SEE ALSO: HIPAA Compliant Passwords

The truth about mobile encryption

Encryption is an addressable implementation specification under the Technical Safeguards of the Security Rule. If someone hacks into a device, encryption renders files useless by masking them into a useless string of indecipherable characters.

Many have heard about the encryption safe harbor rule which generally states if an encrypted device is lost, the organization isn’t required to notify the HHS of a security breach. HIPAA rules may not always state specifics surrounding regulations, but often cite ‘industry best practices’ as the standard by which they determine HIPAA compliance.

Although HIPAA regulations don’t specify the encryption that falls under safe harbor status, industry best practice would be to use AES-128 or Triple DES encryption (or better). I greatly encourage mobile encryption, but I urge you to remember it’s not a failsafe…after all, most mobile devices aren’t equipped with safe harbor-qualified encryption.

For example, Apple’s Data Protection API only encrypts the built-in mail app on iPhones and iPads, and only after you enable a passcode. Encryption does not apply to calendars, contacts, texts, or anything synchronized with iCloud. Some third party apps that use Apple’s Data Protection API are also encrypted, but quite rare.

Keep in mind that encryption is only as secure as the device’s passcode. If someone were to jailbreak your mobile device, information protected by the Data Protection API would remain encrypted only if the thief didn’t know the decryption key. Android’s encryption program works similarly, requiring a password to decrypt a mobile device each time it’s unlocked. Additionally, if you backup your mobile device on your hard drive, ensure the backups are encrypted.

Though encryption on mobile devices doesn’t necessarily meet HIPAA best practice recommendations, there are still other options for further securing a mobile device.

Ensure employees actually follow security policies

Does your organization have a mobile device use policy? If so, are you following it? If your organization allows BYOD, is each staff member required to register his or her mobile device?

In every industry, employees accidentally or purposefully put regulated data at risk. More than 75% of employees are believed to circumvent or disable security features on mobile devices that contain regulated data. It's important for an organization to develop and implement appropriate mobile security policies.

Here are some items HIPAA mobile security polices should address:
  • Mobile password length requirements
  • Procedure to enable available mobile encryption on all devices
  • ePHI storage and access procedures
  • Stolen/lost device procedures
  • BYOD procedures
  • Noncompliance accountability

Ensure your organization isn’t one that creates policies only to forget them. Regular policy training is an important part of HIPAA mobile security, and helps your employees remember organizational guidelines.

Update your operating system and apps

Older operating system and app versions tend to have errors and older encryption implementations, and are likely not considered ‘best practice’ by the HHS. Just like computers, mobile devices must be patched often to eliminate any software or hardware vulnerabilities found after initial release.

It’s important to note that updates must occur to each app installed on the device. If just one insignificant app that doesn’t even touch ePHI is vulnerable, cybercriminals might be able to exploit a vulnerability of that app and gain access all the data on your device.

Luckily for healthcare employees, updating mobile device OS and software is often simple and doesn’t take a lot of time.


Your best, most secure option

Configuring a mobile device to be dedicated for healthcare office use only is a great option to secure a smartphone or tablet. That means the ability to install apps, connect to the Internet, access device settings, and make or receive calls is disabled. When the device is on, it’s dedicated to a single app used to access patient data.

Another solution for HIPAA compliance is not to store sensitive patient data on your phone or tablet at all by only accessing data stored on other secure systems. Sensitive data could be stored on a private back end server and a mobile device could be used to access or display that sensitive data. This solution has fairly low risk if the server is connected to the secure internal network and not exposed to the public Internet.

If you need access on a mobile device while outside your organization’s network, use an encrypted virtual private network (VPN) to create a secure tunnel back into the internal network. Unless an attacker has the correct credentials to connect to the VPN, data remains protected.

SEE ALSO: Understanding the HIPAA Application of Firewalls

It’s also good practice to download a mobile vulnerability scanning app to your mobile device. While not foolproof, a mobile vulnerability scanning tool is an easy way to search for common vulnerabilities found on mobile devices for quick remediation, and discover if your device is rooted.

Mobile PHI security is your responsibility

Protecting and securing health information while using a mobile device is a healthcare provider’s responsibility. Protecting mobile PHI should be part of a risk management plan that every healthcare entity should annually accomplish. HIPAA compliance vendors can help those struggling with the resources it takes to create and maintain a HIPAA risk management plan.

Let me know what you think about mobile security in healthcare by commenting below!

Gary Glover (CISSP, CISA, QSA, PA-QSA) is Director of Security Assessment at SecurityMetrics with over 10 years of PCI audit experience and 25 years of Star Wars quoting skills. May the Force be with you as you visit his other blog posts.