Securing PHI on Laptops and Other Portable DevicesAugust 01, 2016, 01:37 PM
The U.S. Department of Health and Human Services (HHS) is ramping up enforcement when it comes to the security of protected health information (PHI) on portable devices, including laptops, cellphones, tablets, thumb drives, etc. With an increase in portable device use by physician practices and other healthcare providers, it is now more important than ever to ensure that patient health information is protected and secure. Recently, the HHS Office for Civil Rights reached a $2.5 million settlement with CardioNet, Inc. after an employees laptop, containing PHI for nearly 1400 individuals, was stolen. CardioNet, an ambulatory cardiac monitoring service, is regulated as a covered entity under HIPAA. Through their investigation, HHS discovered that CardioNets security risk policies were insufficient, especially in regards to PHI on portable devices. The corrective action plan required CardioNet to certify that all laptops and portable devices were encrypted and to describe that process, illuminating the vital role that encryption and other security measures have in safeguarding against PHI security breaches. While HHS urges against storing PHI on portable devices, HHS has compiled a list of best practices for ensuring that PHI remains protected and secure when portable devices must be used.
- Install and enable encryption to protect health information stored or sent by portable devices. When a device containing PHI is lost or stolen, it only qualifies as a breach if the information is unsecured. Encryption solves this issue by securing the information, rendering it unusable, unreadable or indecipherable to unauthorized persons. Encryption is the conversion of data into a form that cannot be read without a decryption key or password and it works to protect information against unauthorized users. Although encryption is currently not mandatory under the HIPAA Security Rules, encryption is vital to preventing PHI breaches and has become an industry-standard protection.
- Use a password or other user authentication. A password or other user authentication is an individuals first line of defense against unauthorized users. All portable devices should require a password or other user authentication before granting access to the device.
- Install and activate remote wiping and/or remote disabling to erase the data on your portable device if it is lost or stolen. Remote wiping is a security feature that enables an individual to remotely erase the data on a portable device if it is lost or stolen. Similarly, remote disabling allows an individual to remotely lock or disable a device if it is lost or stolen. Both remote wiping and remote disabling are valuable security tools when activated.
- Disable and do not install or use file-sharing applications. File sharing allows individual Internet users to connect to each other and trade files, thereby enabling others to access ones laptop or device unknowingly. By disabling file-sharing, the risk of unauthorized access to private information is greatly reduced.
- Install and enable a firewall to block unauthorized access. A firewall can help protect against unauthorized access to health information and increase portable device security by intercepting and blocking suspicious connection attempts.
- Install and enable security software to protect against malicious applications, viruses, spyware, and malware-based attacks. Oftentimes, malicious software is introduced to a portable device through email attachments and downloadable programs. A virus, spam, and malware are often brought onto a portable device covertly and can cause problems with the operation of a device and its security. An individual can install security software to protect against such intrusions.
- Keep your security software up to date. By keeping ones security software current, an individual stays protected against the ever-changing security risks and threats to portable devices.
- Research portable applications before downloading. Ensure any downloaded applications do not compromise the portable devices stored data.
- Maintain physical control of your portable device. One of the best ways to avoid theft or loss of a portable device is to keep the device with you or to physically secure the device. By doing so, an individual can prevent tampering or unauthorized use of the device.
- Use adequate security to send or receive health information over public Wi-Fi networks. When sending or receiving health information over Wi-Fi networks, an individual should only use secure Wi-Fi connections that utilize passwords and secure encryption methods to safely transmit data.
- Delete all stored health information on your portable device before discarding it. To ensure security and protection of health information from unauthorized access, software tools should be used to thoroughly delete any PHI stored on a device before it is discarded or reused.
Kaufman & Canoles remains available, even on short notice, to assist with your HIPAA compliance matters. In the event of a potential breach of protected health information, or if you have any questions about encrypting your devices or utilizing any other security measure, contact our Health Care Practice Group or Data Privacy and Security Practice Group. *A special thanks to Summer Associate Megan Italiano for assisting with the research for and preparation of this alert.