Fortunately, the government has provided some guidance. Perhaps not as fortunately, to ensure compliance it is conducting surprise audits to ensure this guidance is enforced. Concerned by recent high profile security breaches involving ePHI (Electronic Protected Health Information), the Department of Health and Human Services' Office of Inspector General (OIG) is ratcheting up its audits of health care entities for compliance with HIPAA Security Rule 1. The Centers for Medicare and Medicaid Services (CMS), which oversees Security Rule enforcement, has published a document entitled "HIPAA Security Guidance for Remote Use of and Access to Electronic Protected Health Information” to help health care providers determine the best way to support ePHI for mobile health care users.
With this new guidance in hand, health care IT organizations can use the following simple steps to prepare their users and IT infrastructure.
Step 1: Assess your mobile users. Understanding your users and their use cases is the first step toward HIPAA compliance. Within the health care industry, mobile devices are becoming increasingly common as the industry rapidly converts from paper to electronic media. Because of this, health care IT must now support a wide variety of ePHI, including electronic patient records, hospital email, homecare health care records and clinical drug trial results. This mission is complicated by device ownership. In typical medical school scenarios, IT supports doctors, medical students and professors using personal devices to access sensitive information. Now, in some cases—such as for homecare nurses or drug trial patients—IT also issues user devices. Documenting the flow of health care information to and from this mix of users and their mobile devices is the upfront work that has to be completed before IT can develop a comprehensive security strategy for remote access of ePHI.
Step 2: Bulletproof your security strategy. Privacyrights.org reported that in 2007 46 health care data breaches occurred, involving 62 stolen or lost laptops with five million identities compromised. The publicity surrounding these breaches has motivated many IT organizations to develop a strategy to secure their laptops with data encryption and password protection. Unfortunately, the same cannot be said for handheld devices.
What these IT organizations may have missed is that rapidly evolving smartphones and PDAs are quickly becoming the everyday PC, with multiple modes of communication, significant processing power and large storage capabilities. This by itself makes today's mobile devices subject to the same risks as enterprise laptops. However, handheld mobile devices have several characteristics that make them even more vulnerable than laptops. Their small size makes them substantially more likely to be lost or stolen, and their low cost enables users to easily replace them if lost. Unlike IT-issued laptops, users do not have a compelling reason to report a data breach if they can easily replace the device for a low cost.
Because of these characteristics, health care organizations must consider not only the unique risks inherent to the handheld class of devices, but also apply best practice security methods for laptops, when crafting an approach to HIPAA compliance. The HIPAA security guidance from CMS (shown in Figure 1) provides an excellent sanity check to ensure that health care IT protects sensitive health care information on all mobile devices.
Step 3: Build your security solution. Unfortunately, the CMS guidance creates multiple technical challenges for IT departments including endpoint security, network access control and user compliance. So what should IT look for in a solution? Laptop support is a must, but ultimately full HIPAA compliance also requires robust support across a diverse set of handheld mobile devices, use cases and ownership scenarios. The ideal system must include:
- A self-service portal to allow end-users to load security software and policies on personal devices.
- A flexible device agent that enables IT to secure and manage a wide variety of device platforms including Windows Mobile, Palm and iPhone.
- Policy-controlled security that protects against hacker access and device loss.
- A centralized management console with integrated help desk capabilities to simplify policy implementation and user support.
- A compliance management and reporting facility to ensure users adhere to IT policy
Step 4: Enforce your policies. An organization's HIPAA security policies are only effective if users comply with them — so make sure that your mobile device security solution is automatic and persistent. But how? Data encryption should not require special behavior by the user such as placing sensitive data in special folders. On-the-fly encryption should be automatic, happening in real-time as users read or store data on the device. Once the device is fully encrypted, which ideally should happen automatically as part of the software provisioning process, the security software only encrypts or decrypts information when the user accesses it or when new data is added. This approach has benefits that are threefold: first it makes your security transparent to the user; second, data on the device is protected without encumbering the users; and third, is battery life is preserved since encryption happens in real-time.
The other area of concern is continued policy enforcement, since many users of smartphones are technically savvy enough to skirt around IT policies by hard-resetting a device and removing the security software. And the low cost of smartphones also makes it easy for users to replace a “standard issued” or lost smartphone with a new device and merely self configure it to sync with IT servers. As a result, a breach can become a non-event for the end-user responsible for safeguarding the actual device, all the while robbing IT of the opportunity to mitigate the event by remotely wiping the device.
By choosing a solution with compliance management facilities, IT remains in control by using smartphone-aware network access control (NAC) capabilities to eliminate these potential security holes. These intelligent filters, deployed on network routers or on the application front-end, compel users to follow IT policies by making access to email and other IT applications contingent upon use. Simply put, if a user's smartphone has not been secured according to IT's specification, the user cannot sync email. With this framework in place, IT can be assured that sensitive data is only transmitted to devices that have been secured per the HIPAA security guidelines for remote access of ePHI.
Step 5: Go public. Surprise audits by put IT teams on the spot to provide auditors with a long list of information that must be generated in a short period of time. A solution including security management and reporting facilities not only ensures that user compliance is 100 percent, but it also provides audit evidence with the click of a mouse. So why endure the angst of a surprise audit? Be proactive and follow the steps outlined here for full HIPAA compliance across all of your organization's laptops, smartphones and PDAs. When completed, get your marketing and public relations teams to tell the world. Unlike reporting a breach, it will put a positive spotlight on your organization and reassure your patients their personal information is protected. Plus, publically highlighting your efforts may inspire auditors to skip your organization and knock on the doors of others for that surprise audit.
As vice president of marketing at Trust Digital, Dan Dearing is responsible for product marketing, product management and marketing communications. He can be contacted at [email protected].