In 2013, more than 6.9 million patient records were compromised in data breaches across the United States. According to a report issued by Redspin, more than a third of the incidents were due to unintended data loss, misplacement of mobile devices holding unencrypted data, and theft of laptops holding sensitive information without encryption. More than 800 breaches have been listed by the US Department of Health and Human Services since the HIPAA breach notification rule took effect in September 2009. Furthermore, according to Government Health IT, over 60% of US healthcare institutions reported data-loss security incidents in 2013 alone, leading to over $1.5 billion in fines.
Healthcare institutions are required to take a proactive approach in the highly regulated healthcare industry. An excellent first line of defence is implementing fundamental data protection measures, such as installing and enabling encryption on data files and classified documents; this alone could have cut down data breaches in 2013 by more than 25%. However, safeguarding mobile devices that contain electronic protected health information (ePHI) calls for more than just basic data security, according to the mobile device privacy and security recommendations laid down under the HIPAA Security Rule.
To meet the compliance demands of HIPAA and avoid data loss incidents on mobile devices, it is highly recommended that healthcare institutions examine data hazards, recognise points of possible data loss in advance, and implement stringent actions to safeguard patient information. Firstly, healthcare institutions must identify how ePHI will be used on mobile devices in order to analyse data risks. Understanding the different ways users will access, store or communicate ePHI is the first step in protecting that data.
The U.S. Department of Health and Human Services (HHS) recommends the following points to secure ePHI on mobile devices:
- Using a strong password – HHS lays down guidelines on employing strong passwords of at least six characters in length, including a mix of keyboard characters, numbers, and upper and lower case letters. Third-party tools can use configuration profiles to automatically enforce passcode policies on devices. Based on organisational group, mobile device model, operating system, ownership and other attributes, administrators can assign specific configuration profiles to such devices. Moreover, it is strongly recommended that passwords be changed periodically; with robust third-party encryption tools, administrators can also set password expiration so that users are required to reset passcodes after a specific time period. It is also strongly recommended that the device be set to automatically log off or time out, so that if the device is misplaced or stolen, the correct passcode is required to use or unlock it. Third-party tools let administrators determine a maximum number of unsuccessful attempts, that is, the number of failed passcode log-ins allowed before the device wipes all of its data. Through the use of robust encryption, administrators can also enable dual authentication: for instance, one passcode would be needed to unlock the device while a second passcode would be required to access the data.
- Installing and enabling encryption – Once passcode requirements have been created, the next logical step is to install and enable encryption. According to HHS recommendations, mobile devices containing classified data or patient information should be protected with government-grade FIPS 140-2 encryption. Third-party encryption solutions can help safeguard data both in motion and at rest through robust data security and document containerisation technologies. Encryption tools can also let administrators leverage the native encryption features built into the operating systems of mobile devices. Furthermore, with the help of compliance engines, administrators can ensure that device-level encryption is always on through continuous monitoring and pre-set policies.
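The two controls above (passcode policy with expiry, auto-lock and wipe-on-failure; device-level FIPS 140-2 encryption) are the kind of settings a compliance engine checks against an MDM inventory. The following is an added example written for this article, not code from HHS or from any product it alludes to; the six-character minimum comes from the text, while the other thresholds, the `DeviceSettings` field names and the sample inventory are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

# Six characters is the HHS minimum quoted above; the remaining thresholds
# are assumed values for this example, not figures from HHS guidance.
MIN_PASSCODE_LENGTH = 6
MAX_PASSCODE_AGE_DAYS = 90
MAX_AUTOLOCK_SECONDS = 300
MAX_FAILED_ATTEMPTS = 10


@dataclass
class DeviceSettings:
    """One device as an MDM inventory might report it (constructed shape)."""
    device_id: str
    passcode_min_length: int
    passcode_mixed_classes: bool               # upper, lower, digits, symbols
    passcode_max_age_days: Optional[int]       # None: passcode never expires
    autolock_seconds: Optional[int]            # None: device never locks
    wipe_after_failed_attempts: Optional[int]  # None: no wipe on failures
    storage_encrypted: bool
    fips_140_2_module: bool                    # validated crypto module in use


def evaluate(dev: DeviceSettings) -> List[str]:
    """Return every control the device fails; an empty list means compliant."""
    findings = []
    if dev.passcode_min_length < MIN_PASSCODE_LENGTH:
        findings.append(f"passcode length {dev.passcode_min_length} below minimum")
    if not dev.passcode_mixed_classes:
        findings.append("passcode does not require mixed character classes")
    if dev.passcode_max_age_days is None or dev.passcode_max_age_days > MAX_PASSCODE_AGE_DAYS:
        findings.append("passcode expiry missing or longer than policy")
    if dev.autolock_seconds is None or dev.autolock_seconds > MAX_AUTOLOCK_SECONDS:
        findings.append("auto-lock timeout missing or longer than policy")
    if dev.wipe_after_failed_attempts is None or dev.wipe_after_failed_attempts > MAX_FAILED_ATTEMPTS:
        findings.append("no wipe, or threshold too high, after failed passcode attempts")
    if not dev.storage_encrypted:
        findings.append("device storage is not encrypted")
    elif not dev.fips_140_2_module:
        findings.append("encryption enabled but not via a FIPS 140-2 validated module")
    return findings


def noncompliant_devices(devices: List[DeviceSettings]) -> dict:
    """Map device id to its findings for each device that fails at least one control."""
    results = {d.device_id: evaluate(d) for d in devices}
    return {dev_id: f for dev_id, f in results.items() if f}


# Constructed sample inventory: one hardened tablet and one phone that would fail an audit.
SAMPLE_INVENTORY = [
    DeviceSettings("tablet-01", 8, True, 60, 120, 8, True, True),
    DeviceSettings("phone-07", 4, False, None, None, None, True, False),
]
```

Running `noncompliant_devices(SAMPLE_INVENTORY)` reports only `phone-07`, with one finding per failed control, which is the report a compliance engine would feed back into continuous monitoring.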
With data security procedures and encryption policies in place, healthcare institutions will be able to understand how users are handling organisational data, sensitive and classified content, and applications on their devices. Doing so can help discern vulnerable areas in mobile security and confirm that users are making full use of the encryption and security procedures provided.