Christopher Ryan, Esq.
Giarmarco, Mullins & Horton, P.C., Troy, MI
The creation of the Medicare/Medicaid Electronic Health Record (EHR) Incentive Program (commonly known as the “Meaningful Use Program”) gave providers and hospitals a strong incentive to integrate EHRs into their practices. As part of their EHR system, many providers are using mobile devices such as laptops, tablets and smartphones. If used properly, these devices allow access to patients’ EHRs from anywhere that a Wi-Fi connection (or cell phone signal) is available. This often results in quicker responses to questions from patients, families and other providers. While the use of mobile technology has benefits, providers choosing to utilize this technology must pay special attention to making sure they do so in a manner that conforms to their group or facility’s security policy and protects the privacy of the information.
This article will outline some of the mobile security tools and internal policies providers can implement to help protect their patients’ EHRs and avoid an expensive HIPAA security breach.
Draft a Mobile Use Policy
Providers should develop and implement a mobile use policy, or include specific provisions in their security policy regarding mobile use. To develop a mobile use policy, the organization must first decide whether it will allow its employees to access EHRs via a mobile device. Assuming this will be permitted in some fashion, the group must consider whether physicians and other providers will be permitted to use their personal mobile devices, or whether only “provider owned” devices will be permitted to access secure information. Those driving organizational policies should also contemplate whether all mobile devices are permitted to access EHRs or whether access will be restricted to certain types of technology. For example, a hospital or provider group may decide that laptop computers are permitted to access EHRs, but tablets and mobile phones are not. Providers may also want to implement some of the various specific suggestions contained in this article. After an effective policy is drafted, the organization should train its employees on the provisions of the policy and how they can achieve compliance with the same.
Follow Your Organization’s Policy
Reading and complying with the group’s or facility’s policy is the number one step care providers should take when implementing mobile technology and choosing which mobile security techniques to utilize. A group’s or facility’s policy may contain specific requirements that are not discussed or that differ from the items outlined in this article. Questions concerning a group’s or facility’s policy, or how to best secure a mobile device, should be directed to the group’s or facility’s Security Officer. Depending on the type of mobile device a provider intends to use, the manner in which the EHR is accessed, and the software the group or facility uses to store the EHRs, some of the items outlined below may not be applicable to all providers. The Security Officer will assist the provider in making sure they are using mobile technology in a manner that is compliant not only with the HIPAA Security Rule, but also with the laws applicable in their specific jurisdiction.
Physical Security
Keeping mobile devices physically secure is the most obvious type of mobile security. Because mobile devices are, by definition, “mobile,” they are easily stolen or misplaced, and a lost device is the single most common way patient information on a mobile device ends up in the wrong hands. While nobody can completely prevent their mobile devices from being stolen, everyone can take steps to decrease the likelihood of a theft. Instead of leaving a laptop on the back seat of a car, providers should lock it in the trunk or, better, not leave it in a car at all. Do not leave a tablet sitting on the table at the coffee shop; instead, bring it with you when you get a refill of your coffee. If a provider uses their cell phone to access patient information, they should not let their child borrow it on the weekend. Finally, if a device is used in public areas, providers should protect its screen from being viewed by unauthorized individuals by using a privacy filter.
Passwords
Simply requiring a password to gain access to a mobile device is not enough. Providers need to choose passwords that are unique and not easy to guess. Studies of leaked password databases consistently find that the most common passwords include “123456,” “password” and “iloveyou.” Other common choices are a telephone number, a spouse’s name or a pet’s name; these should be avoided because anyone who knows a little about the provider can guess them, and automated guessing tools try them first. Instead, providers should use a password that is easy for them to remember but hard for anyone else to guess. Length matters more than any single rule: a password should be at least eight characters (longer is better, and a passphrase of several unrelated words is both easy to remember and hard to guess), and it should not be a dictionary word or a name with a number appended. Mixing upper and lower case letters, numbers and characters such as “!”, “#” or “@” adds further strength, and many EHR systems require it.
Providers should also remember that if the same password is used for multiple accounts, anyone who learns that one password gains access to all of them. Therefore, a different password should be used for each piece of software that allows access to EHRs (an organization-approved password manager makes this practical). Passwords should be changed periodically, and immediately if one may have been exposed, and they should never be stored in unsecured locations. For example, placing a sticky note on a laptop that says, “Password: ComMun!que2013ABC” renders an otherwise strong password virtually meaningless.
Auto-Logoff or Timeout
Most, if not all, mobile devices have a built-in feature that automatically locks the device (or logs the user off) after a set period of inactivity. Providers should turn this feature on, set the inactivity period short (a few minutes at most for a device that displays patient information), and require the password to be entered in order to “wake” the device. Otherwise, a device left unattended for a moment gives anyone who picks it up the same access the provider had.
Saving Information Locally
Information may be stored on the mobile device itself, or it may be accessed remotely. The benefits of storing information remotely (i.e., not on the device itself) are that the information is more likely to be up to date, and that an unauthorized user needs more than physical possession of the device to reach it, because the remote system requires its own authentication. Some organizations may choose to allow providers to store information locally on the device so that it can be accessed at any time without an internet connection. Locally stored information means that if the provider’s mobile device is lost or stolen, an unauthorized user may be able to obtain patient information with far greater ease (see “Remote Wipe” below). If information is stored locally, the device’s storage should be encrypted, using the built-in encryption the device offers or software approved by the Security Officer; under HHS guidance, patient information that was properly encrypted when a device was lost or stolen is generally not treated as a reportable breach, whereas unencrypted information is. Providers should also back locally stored information up frequently to a secure server, so that if the device is misplaced or stolen the information is not lost.
Remote Wipe
Many mobile devices contain a feature that allows the owner to erase the memory or hard drive of the device remotely in the event it is misplaced or stolen. Check with your device’s manufacturer (or your Security Officer) to learn whether your device has this feature, and if it does, make sure it is set up and tested before it is needed. If it does not, talk to your Security Officer and consider investing in software that provides this capability. Keep in mind that a remote wipe command only takes effect if the device is powered on and connected to a network; a thief who immediately switches the device off or removes its SIM card may never receive it. Remote wipe is therefore a backstop to a lock screen and encryption, not a substitute for them.
Firewalls and Virus Scanning
A firewall is a tool that monitors incoming and outgoing network activity and blocks certain connections according to the user’s (or organization’s) configuration. For example, a firewall may be configured to block file sharing so that the device does not expose its contents to other devices on a public Wi-Fi network. Virus scanning software is designed to identify potentially harmful files and quarantine or delete them as necessary. Both tools should be used by providers and kept up to date, as should the device’s operating system and the EHR software itself, since security updates close the holes that malicious software exploits.
Where to Go for More Information
Utilizing mobile devices in a medical setting improves patient care by allowing physicians and employees to quickly access patient information from anywhere. In the event a mobile device is stolen or misplaced, or if a provider feels their mobile device’s security may have been compromised, they should immediately contact their organization’s Security Officer. Providers can also visit www.healthit.gov for more information about implementing health information technology, or contact a qualified attorney.