HIPAA Compliant Recommendations to Securing ePHI with Mobile Devices

Posted 11.14.13 by wpadmin | Blog

The Dept. of Health & Human Services (HHS) has a HIPAA security guide outlining its recommendations for securing ePHI (electronic protected health information) on mobile devices, including remote access. The guide covers ePHI as it is accessed, stored and transmitted.

Their format presents a potential risk, then the technical, administrative or physical security recommendation to prevent that risk. Below I’ve summarized their guide to highlight some of the top pointers, along with some additional technical info:

Accessing ePHI
Risk: Password or user login info was lost or stolen, resulting in either unauthorized access or viewing/modification of ePHI.
How to Mitigate:

  • Implement two-factor authentication for remote access to systems containing ePHI. Secure and encrypted remote access can be achieved with a combination of SSL certificates, VPNs (Virtual Private Networks) and two-factor authentication, which requires a secondary factor for access (e.g., push notifications and passcodes authenticated by your personal phone).
  • HHS also recommends using RADIUS (Remote Authentication Dial-In User Service) or similar tools to support a technical process that creates unique usernames and performs authentication for remote access.

Risk: Systems infected by an external device with the intent to gain remote access to systems housing ePHI.
How to Mitigate:

  • Install firewalls on laptops that store, access or are connected to networks with ePHI.
  • Install and maintain antivirus software and updates on portable or remote devices that access ePHI.

Storing ePHI
Risk: Laptop or other portable device is lost or stolen, allowing unauthorized access or modification to ePHI.
How to Mitigate:

  • Take inventory of hardware and electronic media, including hard drives, magnetic tapes or disks, digital memory cards, security equipment, etc.
  • Ensure security updates are regularly deployed to smartphones and other portable devices.
  • Require that all portable or remote devices that store ePHI employ encryption with strong cryptography – another way to keep ePHI secure is to keep the data off of devices and stored in HIPAA compliant data centers, with strong access controls.

Risk: Using an external device to access corporate data, resulting in the loss of critical ePHI on the remote device.
How to Mitigate:

  • Ensure backups and archived media are encrypted with strong cryptography.
  • Offsite backup is essential to keeping data secured in a physically and logically secure data center, and available in the event a device with ePHI on it is lost.

Transmitting ePHI
Risk: Data intercepted and stolen, or modified during transmission.
How to Mitigate:

  • Don’t allow transmission of ePHI over the Internet or other open networks.
  • Use more secure connections for email via SSL and message-level standards such as S/MIME, SET, PEM and PGP.
  • Use strong encryption for transmitting ePHI. The HHS states that SSL should be a minimum requirement for all Internet-facing systems that manage ePHI.

References:
HIPAA Security Guide for Remote Use (PDF)
