HHS Offers Mobile Device Security Tips
Officials Also Stress Value of Annual Risk Assessments
As part of an ongoing effort to help prevent data breaches, the Department of Health and Human Services has unveiled a new online education resource to help healthcare providers protect the security and privacy of data on mobile devices.
In announcing the new resource Dec. 12, federal officials also stressed the importance of conducting frequent risk assessments that address mobility and other emerging technology issues.
"One of the most important things we're doing is working with small practices to just not make them aware that risk assessments need to be done ... but that risks also need to be mitigated," said Farzad Mostashari, M.D., who heads the Office of the National Coordinator for Health IT. His comments came at ONC's annual meeting in Washington.
The new resource is a joint effort of ONC and the Office for Civil Rights; both are HHS units.
"Lost and stolen mobile devices are the frequent cause of breaches," said Kathryn Marchesini, an adviser in the ONC's office of the chief privacy officer. That's why it's so important to offer healthcare organizations guidance for safeguarding the data on the devices, she said.
Leon Rodriguez, OCR director, noted: "We know that healthcare providers care about patient trust. The mobile device resource gives common sense tools to keep health information from falling into the wrong hands."
Smaller physician practices are among the healthcare providers most in need of resources to help them navigate the way to protect patient data, he added. "We want to make sure we're reaching those smaller providers."
Mobile Security Tips
The resource includes tips for securing mobile devices, frequently asked questions, videos depicting common risk scenarios and five steps for protecting mobile data. Those five steps are:
- Decide whether mobile devices will be used for patient data;
- Assess risks and vulnerabilities;
- Identify a mobile device risk management strategy, including privacy and security safeguards;
- Develop, document and implement mobile device and security policies;
- Train staff.
The resource offers insights on protecting patient information when using a public Wi-Fi network; backing up data stored on mobile devices; installing remote-wipe capabilities on devices; and using mobile devices to securely communicate with patients.
While the new educational resource might prove most helpful to smaller organizations, the material is relevant to all healthcare providers because breaches involving lost or stolen unencrypted mobile devices have occurred at a wide variety of organizations, affecting millions of individuals, Rodriguez said.
Most of those breaches are "not about technology failing, they're about people failing," he added.
Based on OCR's breach investigations and an analysis of 20 of the 115 HIPAA compliance audits conducted this year, the most common deficiency is the lack of a thorough and timely risk assessment, Rodriguez said. "The single thing that bubbles up is risk analysis. That's a consistent deficiency."
How frequently should HIPAA-compliant risk assessments be conducted? "Once a year is a good rule of thumb," Rodriguez said. Annual assessments should carefully consider newly implemented technologies and the risks they pose, he stressed.
In addition to outdated or missing risk assessments, OCR has discovered in its investigations and audits that organizations often lack formal privacy or security policies and procedures, Rodriguez said. In some cases, when auditors ask to see an entity's policies and procedures, they are presented with documents that were downloaded from the Internet and "printed the day they got the letter about being audited," he added.
In his presentation, Rodriguez re-affirmed that the HIPAA compliance audit program will continue beyond the 2012 pilot, but he didn't reveal details of how it will proceed. Funding of the program will be through penalties that OCR is collecting for HIPAA non-compliance. "We put the recovery [money] right back into the program," he said.