practice guidelines for managing health information
Mobile Device Security (Updated)
Editor’s note: This brief supersedes the June 2003 and October 2000 practice briefs “Portable Computer Security.”
MOBILE DEVICES HAVE pervaded the everyday work environment in healthcare. An organization may use mobile devices to improve clinician workflow, bedside information gathering and reporting, or a host of other care delivery applications. In some cases, individuals may use their own mobile devices to meet their personal workflow requirements. Whatever purpose the device serves, healthcare organizations must be prepared to understand all the issues related to mobile device use.

This practice brief reviews the legal and regulatory requirements that affect mobile device use in healthcare. It also provides best practices for ensuring appropriate safeguards are in place to protect all electronic protected health information (ePHI) used and processed on mobile devices.
Mobile Device Risks
Mobile devices come in a variety of forms, processing capabilities, and wireless accessibility. These devices include, but are not limited to, laptop computers, smart phones, USB thumb drives, external hard drives, tablet computers (e.g., iPad, Motorola Xoom), and even e-readers like the Kindle or the Nook.
Deploying mobile devices within a healthcare organization can pose several risks. Although mobile devices often contain sufficient storage to easily accommodate massive amounts of ePHI, many are produced for consumer use and seldom incorporate the technology needed to manage the device within a corporate "enterprise" IT environment. Such consumer devices lack the inherent security and operational controls that enable management of the device from a centralized system. As a result, incidents can arise because the organization cannot adequately detect, manage, provision, or de-provision the device.
In addition, mobile devices are easily lost or stolen and thus pose increased risks to the confidentiality and security of patient health information. Loss or theft of a device holding unsecured (for example, unencrypted) ePHI could easily result in the need for patient breach notification and subsequent reporting to the Department of Health and Human Services and, for breaches affecting more than 500 individuals, the media, as required under the HITECH provisions of the American Recovery and Reinvestment Act.
Mobile Device Legal and Regulatory Requirements
When deploying and using mobile devices, organizations and providers must review the following legal and regulatory requirements in order to remain compliant.
HIPAA
HIPAA requires that protected health information (PHI) be safeguarded against threats to security, integrity, and unauthorized use.
Section 164.310 includes several references to workstations. It specifically requires that a covered entity "implement physical safeguards for all workstations that access ePHI to restrict access to authorized users" and "policies and procedures that govern the receipt and removal of hardware and electronic media containing ePHI into and out of a facility as well as the movement of these items within the facility."

HIPAA also mandates that covered entities implement policies and procedures addressing the "final disposition of ePHI and/or the hardware or electronic media on which it is stored" and the "removal of ePHI from electronic media before the media are made available for re-use."

In addition, it requires covered entities to "maintain a record of the movements of hardware and electronic media and any person responsible therefore" and "create a retrievable, exact copy of ePHI, when needed, before movement of equipment."
Section 164.312 mandates that a covered entity "implement technical policies and procedures for electronic information systems that maintain ePHI to allow access only to those persons or software programs that have been granted access rights as specified in the 'administrative safeguards' section" (164.308). To do this, a covered entity must address four implementation specifications:
- Unique user identification (required): the entity must "assign a unique name and/or number for identifying and tracking user identity"
- Emergency access procedure (required): the entity must "establish (and implement as needed) procedures for obtaining necessary ePHI during an emergency"
- Automatic log-off (addressable): the entity must "implement electronic procedures that terminate an electronic session after a predetermined time of inactivity"
- Encryption and decryption (addressable): the entity must "implement a mechanism to encrypt and decrypt ePHI" as needed

Note that "addressable" does not mean optional. Under 164.306(d), a covered entity must implement an addressable specification if it is reasonable and appropriate; otherwise it must document why it is not and implement an equivalent alternative measure where reasonable and appropriate. For mobile devices, which are easily lost or stolen, this typically means automatic log-off and encryption of stored ePHI should be implemented rather than waived.
ARRA and HITECH
The Department of Health and Human Services’ interim final
rule for breach notification of unsecured protected health infor-