Practice Management Alert

Cybersecurity:

Consider These Rules for Mobile Devices

Keep rules simple and straightforward, but enforce them consistently.

Many providers are more reliant on mobile devices now than ever before, due to both the ongoing pandemic and the easing of rules under the Medicare telehealth expansion.

However, criminals are looking for ways to infiltrate devices, seeking unauthorized access. While there are some best practices everyone on your team should adopt for mobile devices, including privacy controls, screen shields, and using only secure WiFi connections, look to HIPAA-friendly policies as further means of safeguarding data and decreasing the chance of a breach.

Keep these five tips handy to boost security on your mobile devices and ensure protection of your patients’ electronic protected health information (ePHI).

1. Know Who’s Using What, When

Your first step should be to outline what mobile devices will be used in your practice — and who will have control of them. Plus, if more than one person will be using a device (such as an office tablet to check in patients), ensure that all users have their own logins and passwords. This lets IT management review logs for outlier activity.

Tip: If staff use their own devices for work, office management needs to set bring your own device (BYOD) parameters from the get-go. This may encompass “centralized security management,” including “configuration requirements” and user classes specific to the devices, suggests the HHS Office of the National Coordinator for Health Information Technology (ONC).

2. Use Strong Passwords

Using a password or other user authentication on mobile devices is always a good idea. “In my experience, the best passwords come from a password manager. They can be long, complex, and unique without taxing your ability to remember all the passwords to all your accounts,” says Jen Stone, MSCIS, CISSP, QSA, a security analyst with Security Metrics in Orem, Utah.

3. Take Advantage of Multifactor Authentication

When you add multifactor authentication to your password protocols, you add another layer of protection. That’s because the “other authenticator is the private information or proof that only you can provide that serves the purpose of proving you are who you say you are,” explains Adam Kehler, CISSP, principal consultant and healthcare practice lead with Online Business Systems.

4. Utilize Encryption for Devices

When you encrypt ePHI, you’re not only protecting patients’ data, but all the information stored and transmitted on the mobile devices. “Encryption is not expensive, but it can require some expertise to properly apply it,” Stone says. “Implement access control so that only authorized individuals can get to ePHI.”

5. Make Investments in Security Software and Safe Apps

The type of IT products your organization needs will depend on its size, complexity, and infrastructure. Software you may want to consider includes:

  • Firewalls to block unauthorized access;
  • Remote wipe or disabling to erase data if the device is lost or stolen; and
  • Security software to defend against malware, spyware, and other malicious programs.

And it’s essential you hire and work closely with IT experts to ensure you install, enable, and update your products.

“While a small office can get by with just a policy that says what a user should do, a larger organization will need to establish a mobile device management solution that allows the devices to be managed by IT, not the user,” cautions HIPAA expert Jim Sheldon-Dean, founder and director of compliance services at Lewis Creek Systems LLC in Charlotte, Vermont.