Smart Phones: Six Security Steps

Patient Privacy Protection is Essential
Smart Phones: Six Security Steps
As more clinicians rely on smart phones, security professionals are scrambling to make sure that patient privacy is adequately protected.

The risk of data compromise is escalating as more physicians, nurses and others use mobile devices, says Ilene Yarnoff, a principal at Booz Allen Hamilton. That's why it's so important to provide education on compliance with HIPAA and other regulations before enabling caregivers to remotely access patient information via smart phones, she stresses.

Two security experts offer six smart phone tips:

Lock the Phone

"Always use a lock code on your smart device," advises Fred Cruz, IT director at American Hospice, Jacksonville, Fla., which allows its home health aides to use smart phones for certain purposes. Some devices have a wipe feature if you enter the code incorrectly after several tries, he notes.

"I like to pick up devices left lying around and check to see if employees are using a lock code. If not, I like to change the language on the device to something other than English and wait and see how long it takes them to come to the office to have their device reset. We then have a review on best practices for security on a mobile device."

Remote Access, Not Data Storage

Terrell Herzig, information security officer at UAB Medicine, Birmingham, Ala., advises minimizing use of smart phones and other mobile devices for data storage. Instead, they should be used to remotely access data housed on a secure server, he says. "For example, a device that remotely accesses data on a server through secure encrypted remote control has a lower risk of a data breach than a device that requires data to be moved to its internal storage."

Make Use of Encryption

If any patient information is stored on the device, it must be encrypted, Cruz stresses. "Devices are lost and stolen all the time," he notes.

Choose the Right Device

Security controls vary widely among smart phones, Herzig says. "Understand the device, how it works, and that it can meet all of the HIPAA and HITECH Act security standards," he stresses. "For example, a device that can only handle e-mail should have an encrypted container security setup that can enforce security compliance. Don't try to force a device to provide a service it was not designed to provide."

Be Careful Choosing Apps

"Just because a particular application is available for a device, it doesn't mean it should be downloaded and used," Herzig says. Security staff should verify how the application will work, what integrity controls are in place, how data is transferred and what management capabilities the application supports, he explains.

Keep Track of Your Phone

"Keep your device with you at all times, or secure it in a safe place when you are not working," Cruz stresses. "This is the least technical step but probably the first preventive measure in protecting the device and the data contained on it."

Herzig is the featured speaker in an upcoming webinar on securing mobile devices.


About the Author

Howard Anderson

Howard Anderson

News Editor, ISMG

Anderson is news editor of Information Security Media Group and was founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing healthcareinfosecurity.com, you agree to our use of cookies.