Protecting electronic protected health information (ePHI) on personal mobile devices.
Mobile device usage in the workplace can optimize staff communication and workflow. However, organizations must prioritize security and compliance when adopting a bring your own device (BYOD) policy that allows employees to use their personal mobile devices to access corporate data and email. When ePHI is accessed from a multitude of mobile devices, the risk of system contamination increases significantly: a virus introduced from any one device used to transmit ePHI can reach the corporate system.
Forrester Research recently estimated that 78% of all active email users in the United States will access their email through their mobile phones by 2017. Allowing staff to access corporate data via their personal mobile devices may become inevitable. How can a corporation maintain tight security while permitting its staff to use their personal mobile phones to access corporate data?
Prohibiting corporate email and data from residing on a personal device is the most secure way to manage business data, but this is not always a practical solution. Companies must find a solution that allows personal mobile devices to access corporate data while minimizing the risk of data breaches occurring via these devices due to inappropriate use.
Below are some of the important factors that companies should consider:
- The communication between a corporate system and the employee’s mobile device must be encrypted.
- Storage within the mobile device must be encrypted and a security method (e.g., password, fingerprint, etc.) should be enforced. The self-wipe feature should be triggered if a user tries unsuccessfully to access the device in excess of a reasonable number of attempts.
- Adopt and implement BYOD policies that only allow permitted devices to access corporate data. As a component of the organization’s compliance plan and program, conduct an annual risk assessment related to effective implementation of BYOD policies.
- Establish an employee exit strategy that enforces the removal of access tokens, email access, data and other proprietary applications and information. Some companies choose to perform a complete wipe of the BYOD-enabled device as a mandatory exit strategy.
- Use features such as automatic screen-locking, location services and remote data erasure capability in the event that the device is stolen or lost.
- Ensure that devices being retired are adequately secured and checked before disposal, transfer or donation. Don’t permit access to PHI from mobile devices without strong technical safeguards, such as encryption, data segmentation, remote data erasure and access controls.
- Install anti-malware software on every BYOD-enabled device. Keylogger malware, Trojans and many kinds of viruses are able to camouflage themselves and masquerade as authorized users in order to steal corporate data remotely via a smartphone.
- An intelligent gatekeeper application should be deployed on BYOD-enabled devices to secure corporate data. The application should protect against hackers and viruses by keeping the gate secure, and should open the gate only if the combination of a personal key and an authorized key from a remote corporate authority is verified. The company can deny access for lost or stolen devices, so that data within the encrypted vault remains fully protected even if the personal key is cracked and revealed.
- Adopt tokenization technology to allow access to patient data on an as needed basis. The goal of this strategy is to protect critical patient data through access profiles specific for mobile devices and related applications. Without these proper policies and procedures, your organization may be vulnerable to potential HIPAA privacy and security breaches.
- Purchase adequate cyber liability insurance to protect your organization and the PHI you manage.
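The split-key gatekeeper and the self-wipe-after-N-attempts rule from the list above, as an added illustration (not code from the original article or any product). The `CorporateAuthority` and `MobileVault` classes, the key-share and PBKDF2 parameters, and the device identifiers are constructed for the example; the vault key exists only when the device's personal key and the authority's share are both present, so revoking a device or wiping its key material leaves the vault unreadable.

```python
import hashlib
import hmac
import secrets

MAX_ATTEMPTS = 5          # wrong passcodes tolerated before the device wipes its key material
PBKDF2_ROUNDS = 100_000   # constructed value for the example; tune to device performance

class CorporateAuthority:
    """Server side (assumed API): a random key share per enrolled device plus a revocation list."""
    def __init__(self):
        self._shares, self._revoked = {}, set()
    def enroll(self, device_id):
        self._shares[device_id] = secrets.token_bytes(32)
    def revoke(self, device_id):
        # Lost, stolen or de-provisioned device: its share is never released again.
        self._revoked.add(device_id)
    def release_share(self, device_id):
        # A real deployment authenticates the device (e.g. client certificate) over the encrypted channel first.
        return None if device_id in self._revoked else self._shares.get(device_id)

def combine(personal_key, authority_share):
    """Vault key = HMAC(authority share, personal key): neither input alone reveals it."""
    return hmac.new(authority_share, b"ephi-vault-key|" + personal_key, hashlib.sha256).digest()

class MobileVault:
    """Device side (assumed API): derives the vault key only when both keys are present."""
    def __init__(self, device_id, passcode, authority):
        self.device_id, self.authority = device_id, authority
        self.salt, self.failed, self.wiped = secrets.token_bytes(16), 0, False
        # Keep only a hash of the personal key so wrong attempts can be counted without storing the key.
        self._verifier = hashlib.sha256(self._personal_key(passcode)).digest()
    def _personal_key(self, passcode):
        return hashlib.pbkdf2_hmac("sha256", passcode.encode(), self.salt, PBKDF2_ROUNDS)
    def wipe(self):
        # Self-wipe: without salt and verifier the personal key can no longer be recomputed on this device.
        self.salt, self._verifier, self.wiped = None, None, True

    def unlock(self, passcode):
        """Return the vault key, or None if the passcode is wrong, the device is wiped or access is revoked."""
        if self.wiped:
            return None
        personal_key = self._personal_key(passcode)
        if not hmac.compare_digest(hashlib.sha256(personal_key).digest(), self._verifier):
            self.failed += 1
            if self.failed >= MAX_ATTEMPTS:
                self.wipe()
            return None
        self.failed = 0
        share = self.authority.release_share(self.device_id)
        return None if share is None else combine(personal_key, share)
```

The vault key returned by `unlock` would be fed to a real authenticated cipher (such as AES-GCM) protecting the ePHI store; the example deliberately stops at key management, which is where the revocation guarantee lives.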
Your policy should reflect the key benefits and security concerns for your organization. Ensure the compliance program addresses this technology with ongoing staff education, auditing/monitoring and action plans with improvement opportunities to achieve sustained compliance. If questions arise about how to properly use your solution, your staff should contact their compliance officer or security officer.