Guest Column | December 20, 2017

Mobile Devices And e-PHI: A Dangerous Combination?

By Gene Fry, Scrypt, Inc.


Increasing numbers of healthcare professionals are using cellphones at work, as the benefits of being able to communicate with colleagues, gain access to information, and share data more freely become more widely recognized throughout the industry. One report suggests as many as 90 percent of clinicians, and around half of nurses and other staff members, now use a smartphone at work, which isn't hugely surprising given that 95 percent of Americans now own a cellphone of some kind.

This increased adoption of smartphones in healthcare is being facilitated, in part, by more organizations opening up to BYOD (bring your own device), a practice that is growing in acceptance not just in healthcare but across a wide range of industries. However, healthcare is not like most other industries, due to the extremely sensitive nature of the data organizations hold and their requirement to keep that data protected in accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA). A failure to do so can be catastrophic for all affected parties, as many providers have learnt the hard way.

Only this year, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR), the agency responsible for enforcing the HIPAA Privacy and Security Rules, announced it had fined a Dallas-based children's pediatric hospital $3.2 million for multiple breaches of ePHI (electronic protected health information), involving the loss of an unencrypted, non-password-protected BlackBerry device that was misplaced in 2009. The device contained the ePHI of approximately 3,800 individuals. Further investigation revealed the hospital's noncompliance with a number of HIPAA requirements, including a failure to implement risk management plans and a failure to deploy encryption on mobile devices, as well as on other portable media and laptops. This case should serve as a stark reminder to all HIPAA covered entities of how severe a healthcare data breach can be: even one lost device can cause major issues if it doesn't have adequate safeguards in place.

Loss and theft represent only part of the problem when it comes to keeping ePHI protected on mobile devices. Arguably, the bigger issue in healthcare is the manner in which sensitive data is shared and stored: one in five healthcare professionals confess to having sent or received PHI via a non-secure text messaging application, which is a bad idea for a number of reasons. Firstly, text messages sent via most standard messaging applications are unencrypted, so they can easily be intercepted in transit. Secondly, since text messages are typically stored in plain form on the device's local storage, they can easily be read by anyone who gains access to the device. Finally, a lack of access controls and delivery receipts makes it impossible to know if and when a message reaches the intended recipient.

Email can be just as risky for the same reasons, which is why organizations must assess the risks carefully and implement reasonable safeguards before taking ePHI anywhere near a smartphone's native email application. While the HIPAA Privacy Rule does not strictly prohibit the use of unencrypted email for treatment-related communications, organizations must take every precaution to protect patient privacy and ensure that any transmission of ePHI is in compliance with the HIPAA Security Rule.

When it comes to text messaging, organizations should address the activity under the HIPAA Security Rule as part of an ongoing risk analysis and management strategy. As part of this, a healthcare provider should establish where ePHI is created, received, maintained, and transmitted, then identify and record any anticipated threats and the likelihood of those threats becoming reality: the loss or theft of a device, or the availability of ePHI to persons other than the mobile device's owner, for example.

In addition, organizations must ensure they are educating employees about the less obvious risks that come with using internet-connected devices outside of work, such as inadvertently downloading malicious applications, visiting websites that may host malware, or joining non-secure public Wi-Fi networks. All of these actions carry significant risk and provide a potential point of entry for opportunistic cybercriminals.

Privacy Before Convenience

The rules of HIPAA are clear and well documented, but statistics suggest the healthcare industry still has a long way to go in its collective quest for compliance. The Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data, published in 2016, revealed that the majority of healthcare organizations have experienced multiple data breaches, and that most lack the resources needed to manage the threats effectively. The study also revealed that healthcare organizations are significantly concerned about mobile device insecurity, BYOD, and the security of mobile apps.

Despite the risks and concerns that come with using cellphones to store and exchange ePHI, there are significant benefits when they are used in a controlled environment, supported by the right tools. Secure mobile messaging, for example, provides a safe alternative to text messaging and email, and has been shown to reduce administrative burdens as well as improve health outcomes. In a study of some 11,500 patients at two Pennsylvania hospitals, patients whose care coordination was handled with secure mobile messaging had a 14 percent reduction in length of stay compared to those whose care coordination was managed with pagers.

BYOD in healthcare is still very much a work in progress, and cellphones in particular present a unique set of risks for healthcare organizations. In order to succeed in this area, employers and employees must share responsibility and work together to ensure that the convenience of mobile communication does not come at the expense of patient privacy.

About The Author

Gene Fry has been the compliance officer and vice president of technology at Scrypt, Inc. since 2001 and has 25 years of IT experience working in industries such as healthcare, for companies in the U.S. and abroad. He is a Certified HIPAA Professional (CHP) through the Management and Strategy Institute, a Certified Cyber Security Architect through ecFirst, and certified in HIPAA privacy and security through the American Health Information Management Association. He most recently achieved the HITRUST CSF Practitioner certification from the HITRUST Alliance. Gene can be contacted through https://www.docbookmd.com/. DocbookMD is built by Scrypt, Inc.