4 Tips for HIPAA Compliant Mobile Devices

What Does NIST Say About Mobile Device Security?

Although mobile device security is not specifically addressed by HIPAA, the National Institute of Standards and Technology (NIST) has provided mobile guidelines for healthcare security engineers and providers.

NIST’s suggestion for mobile device security include:

• Mobile devices should be individually authorized to add, modify, remove, and access PHI
• Passcode protection should be enabled
• Encrypt mobile devices
• Mobile devices should only access a specific Wi-Fi (WPA2) created for mobile devices
• Each mobile device needs to be registered with the organization
• Enable certificates to help prove the authenticity of users and devices
• Enable security policies for mobile security
• Use role-based access

Tips for HIPAA Compliant Mobile Devices

1. Implement a BYOD (Bring Your Own Device) policy
2. Train employees on mobile device policies
3. Implement advanced security measures
4. Enable advanced password protections and device wiping

Implement a BYOD (Bring Your Own Device) Policy

Although some experts advise against implementing a BYOD policy, as it encourages employees to use personal devices for work. However, it is unrealistic to expect them not to, especially as more workers are opting to work from home permanently. Instead of pretending like employees won’t use their personal devices, you should implement a BYOD policy. This way employees are given guidelines on how to securely access company data, and are aware of the risks of using their personal devices for work purposes. 

For tips on how to implement a BYOD policy, please click here.

Train Employees on Mobile Device Policies

When using any technology or software in a healthcare setting, HIPAA compliance largely comes down to the end user. When a mobile device is used to access PHI, it is important to ensure that the device is used in accordance with your organization’s BYOD policy. This is why employee training is so important. Before allowing an employee to use a mobile device to access or disclose PHI they must be trained.

Your employee training should instruct employees to:

• Install app and OS updates as soon as they become available
• Never connect to unsecured WiFi, as threat actors can access your device this way
• Be diligent when installing new apps, as some are infected with malware
• Never jailbreak their mobile device, as it removes built-in security features
• Not plug their mobile device into unsecure devices, such as their home computer
• Connect to your EHR using a VPN or multifactor authentication

Implement Advanced Security Measures

One of the main reasons that using a mobile device is risky is because they generally lack advanced security measures that are found on computers. HIPAA compliant mobile devices have advanced security measures in place to protect sensitive information. Before accessing PHI with a mobile device, the device must have encryption in place. Encryption masks sensitive data so that it cannot be accessed by unauthorized individuals. This way, should you lose your mobile device, or if it is stolen, your data would remain secure. Additionally, you should install a mobile vulnerability scanning tool. These tools identify your device’s weaknesses, allowing you to mitigate risk by addressing these weaknesses with additional security measures.

Enable Advanced Password Protections and Device Wiping

A standard 4-digit passcode is not enough to keep your mobile device secure. Hackers can use tools to easily identify 4-digit passcodes, leaving your device vulnerable. Both Android and iOS give you the option to implement 8 character alphanumeric passcodes within the device settings. If you are using your mobile device to access PHI, you must enable these complex passcodes. You should also implement device wiping capabilities, which wipe your device after 10 failed passcode attempts.