HIPAA Encryption: Protecting Patient Data on Tablets & Smartphones

Posted 11.4.13 by wpadmin, Blog

A guest blog from HITECHAnswers.net lists security tips from HHS.gov to help ensure that patient data is secure in a BYOD (Bring Your Own Device) environment that includes the use of personal devices such as iPhones and iPads in the workplace. One of HealthIT.gov’s tips includes encrypting data stored locally on your mobile device as well as data sent by your device (data at rest and in transit).

Device encryption is one layer of defense. Going a layer deeper and encrypting across the entire IT stack means that a single lost device or a single compromised link does not expose patient data, which hardens your defense against a potential breach. Protect data in transit with a VPN (virtual private network) and TLS (the successor to SSL) backed by valid certificates, and make sure clients actually validate the certificate presented to them rather than accepting any certificate. A HIPAA compliant cloud infrastructure should include built-in, hardware-based encryption that encrypts data as it is written to drives. Protecting data stored in a SAN (Storage Area Network) is just as important as protecting data stored on a mobile device.

HHS.gov recommends encrypting data to the NIST (National Institute of Standards and Technology) standards found in Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices. For mobile devices, they recommend following FIPS PUB 140-2: Security Requirements for Cryptographic Modules. Note that FIPS 140-2 validation applies to a specific cryptographic module (the implementation), not merely to the algorithm it uses, so choosing "AES" is not enough on its own; the product's module must itself be validated.

Other mobile security tips from HHS.gov that can help you achieve a HIPAA compliant policy for BYOD in the workplace include:

  1. Use a password or other user authentication, such as PINs (personal identification numbers) or passcodes, to secure your mobile device. Set your device to lock its screen after a set period of inactivity.
  2. Install and activate remote wiping and/or remote disabling so that you can wipe or disable data stored on your device if it is stolen or lost.
  3. Disable file-sharing apps, and don't install or use them. SFTP (the SSH File Transfer Protocol) is one secure way to share files. Many cloud-based file-sharing apps, Dropbox and Google Drive among them, aren't secure enough for file transfers that include patient health information.
  4. Install and enable a firewall that can intercept incoming and outgoing connection attempts and block or permit them based on a set of rules. However, HITECHAnswers.net makes a good point that iPhones/iPads can't have firewalls installed on them unless they're jailbroken, which is bad practice for mobile security.
  5. Install and enable security software to protect against viruses, spam and malware, and keep software updated with patch management.
  6. Delete stored health information before discarding or reusing the mobile device.

For further guidance on mobile security and an example of a successful healthcare BYOD case study, read our Mobile Security white paper.

References:
Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals
FIPS PUB 140-2: Security Requirements for Cryptographic Modules
HIPAA Security for iPhones

About Otava

Otava provides the secure, compliant hybrid cloud solutions demanded by service providers, channel partners and enterprise clients in compliance-sensitive industries. By actively aggregating best-of-breed cloud companies and investing in people, tools, and processes, Otava’s global footprint continues to expand. The company provides its customers in highly regulated disciplines with a clear path to transformation through its effective solutions and broad portfolio of hybrid cloud, data protection, disaster recovery, security and colocation services, all championed by an exceptional support team. Learn more at www.otava.com.
