The Privacy & Security Mobile Device Project

Recently, ONC’s Office of the Chief Privacy Officer (OCPO), in collaboration with the HHS Office for Civil Rights (OCR), launched a Privacy & Security Mobile Device project.

The project goal is to better secure and protect health information on mobile devices (e.g., laptops, tablets, and smartphones). Building on the existing HHS HIPAA Security Rule - Remote Use Guidance, the project is designed to identify privacy and security best practices for devices that are are used outside healthcare facilities or not directly under IT department control.

The HHS Remote Use Guidance may not be familiar to clinicians and IT professionals.   It was issued on 12/28/2006 and includes specific recommendations for the use of Electronic Protected Health Information (EPHI) on mobile devices, specifically (1) the use of portable media/devices (such as USB flash drives) that store EPHI and (2) offsite access or transport of EPHI via laptops, smart phones, home computers or other non corporate equipment.

The report groups its recommendations into three areas: access, storage and transmission.

Access

Username/password protection -  to reduce the risk of keystroke loggers or stolen passwords, it recommends two factor authentication - something that you know and something that you have.

Remote access - to minimize the risk of privacy breaches, it recommends role-based access control for remote data access in combination with policies which delineate who is authorized use remote access methods.

Unattended devices - to minimize the risk of privacy breaches by those who may find a lost or unattended device, it recommends timeouts on any software used to access EPHI

Malware -  to minimize the damage done by the increasing flood of malware on the internet, it recommends personal firewalls and appropriate use of up to date anti-virus tools

Storage

Theft risk mitigation - to reduce the risk of breach when a device is lost or stolen, it recommends encryption, biometric authentication methods, and strong mobile device storage policies

Lifecycle management - to reduce the risk of data loss when a mobile device is retired it recommends  deletion/physical destruction of devices

Data cached on non-owned device - to minimize the risk that data will be left on public computers used to access EPHI remotely, it recommends training, prohibition on downloading  files containing EPHI, and application software configurations that eliminate browser caching

Transmission 

Off network transmission - to minimize the risk of interception, it recommends that all data transmissions require SSL, TLS, or VPN in addition to policies requiring encryption of all data in motion between organizations.

These are guidelines, not regulations, but you can bet the next time CMS/OCR investigates a breach, they will ask if you have followed the published recommendations for  access, storage and transmission.  Thus, I highly recommend you read the HHS guidance and incorporate their suggestions into your overall security program.