A Primer On HIPAA Compliance For BYOD

Posted on June 13, 2013 I Written By

Katherine Rourke is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

Here’s a statistic that caught me off guard: according to IDC Healthcare Insights, clinicians on average use 6.4 mobile devices in a day. That stat, courtesy of HIT Consultant, underscores the need for a smart and thorough security policy for clinicians who use their own devices at work.

Increasingly, healthcare organizations are crafting security policies for BYOD, but they vary greatly in how much such devices are allowed to access the hospital network, which hospital applications they can access and which devices can access the Internet, HIT Consultant notes.

However, according to Andrew Shearer, CTO at Care Thread, there’s some do’s and don’ts which should be common to all BYOD programs. Here’s some thoughts from Shearer, below.

DO:

Make sure your vendor and its sub-vendors are compliant with the new HIPAA Omnibus requirements

Be aware that under the new rules, HIPAA requirements now extend to business associates of entities that receive  protected health informatoin, such as contractors and subcontractors. Also new, not only vendors to healthcare organizations required to have business associate agreements, vendors must also hold BAAs with their sub-vendors.

Use two levels of security when users login to enterprise applications

Shearer recommends using Active Directory for the first level, allowing providers to use their hospital login credentials.  The second stage, he suggests, is to use a separate PIN for quick access to mobile apps which are in use, one which should disconnect when it goes idle.

Have the ability to remotely wipe a device if it is missing

This isn’t required by HIPAA, but it’s still an essential part of a strong mobile/BYOD security management program. Be prepared to do anything from deleting data in selected folders to turning the device into a brick (removing all programming or returning it to factor settings).

DON’T:

Allow PHI to be written to the mobile device

While it’s very common for clinicians to use mobile messaging apps to share patient information, such sharing is generally not HIPAA-compliant, Shearer notes.  In his view, the ideal healthcare communication app should allow access to messages and PHI only when the use is logged in.

Permit integration with insecure file-sharing / hosting services

Cloud-based hosting and file-sharing services like Evernote and Dropbox are very popular, but they’re not HIPAA compliant. To be HIPAA compliant, organizations must use multiple security protocols, including physical security, technical security in PHI storage and user authentication.

Ignore security updates

Make sure you do periodic audits of mobile devices to make sure any that transmit work-related information meet regulatory standards. Also, make sure apps on mobile devices are up to date, as older versions may not meet current security threats.