HIPAA Risk Assessment: Don’t Skip Mobile
Think You Don’t Have a Mobile Provider? Think Again.
Your hospital system or eligible provider’s office doesn’t supply mobile devices to its staff or pay for technology solutions like standard mobile data and SMS texting services. So, you don’t have to worry about mobile when creating your HIPAA Risk Assessment, right? You couldn’t be more wrong.
Just because you are not providing your staff and physicians with mobile applications doesn’t mean they aren’t using them to transmit and store PHI. And the fact that these systems are NOT directly under your Health IT staff’s control makes them MORE of a risk for a breach – and more necessary to include in your Risk Assessment.
Who is Your Mobile Vendor?
If your hospital hasn’t implemented a specific secure texting platform, this can be a tough question. You pretty much need to assume that every possible device and every possible system are in use. So is your vendor the company transmitting the data and providing SMS texting services (e.g., Sprint, AT&T, Verizon, Apple, and Google)? What about the cloud back-up services used? Are they vendors too? It’s “fuzzy,” even for security professionals.
To take this route, you’d need to complete a Mobile Messaging Vendor Assessment for each of these “fuzzy vendors.” How is data transmitted and stored (including how long it is stored)? What level of risk does each provide? How do you plan to address that risk? That level of documentation is a monumental undertaking, even for the largest health IT teams – much less for smaller providers.
Then there’s the required BAA. Good luck getting general-use technology vendors to sign a HIPAA compliant business associate agreement. It isn’t their primary business and they can’t adjust their entire suite of services (and security) to meet the needs of a healthcare client. This is as true for texting as it has been for email.
Can You Just Outlaw Texting?
If assessing the risk of general-use texting vendors is not realistic, why not just prohibit people from texting PHI from their iPhone, Android, and other mobile devices? It sounds simple enough –write a policy that prohibits staff and physicians from using their texting software for patient-related communications. But people are texting. They use it in their daily lives. It’s often easier to reach a rounding physician by text than by phone and there’s even a perception by some that it’s more private than a phone call, which can be easily overheard in most care settings.
You need to write the policy against using unsecured texting services regardless – as part of your Risk Assessment. But a policy alone is not likely to mitigate your risk significantly.
Is There a Risk, Really?
Mobile devices are by their nature a bigger risk than desktops or laptop computers. They are lost more easily, they usually have less security, and the bulk of data is stored in the cloud – sometimes indefinitely. The risk of one person losing one device is large enough – but news of entire accounts being hacked and mined for data is becoming more common as well. And because these are usually personally owned and maintained devices, you don’t have control over security features and access.
What Should I Know About Secure Texting?
Secure texting is a much more simple and scalable solution to mobile health privacy issues. But not all secure texting providers are created equal. Here are some things you should be looking for:
Encrypt the message, not just the data transmission Public/private key encryption ensures that only the intended recipient can decrypt the text message. Even the secure texting vendor can’t decrypt or gain access to the PHI, making it much more secure than standard encryption.
Cloud “pass through” This means that the messages and PHI data pass through the cloud servers but are not stored or decrypted on the server – making it much less vulnerable to a data breach from human error.
Message archive in your control Ideally, the message and PHI archive should be stored on your system inside your firewall just like PHI from your EMR and billing systems.
Searchable message archives and user logs These will make it easier for system administrators to pull needed documentation for audit or e-discovery purposes.
User Authentication Be sure it can enforce a strong password and avoid a weak link in security. Even better if it supports Active Directory integration.
Customizable Security System administrators should be able to control things like:
- Password length and complexity
- Inactivity timeout period
- Message retention period on users’ devices
- Remote lock and data wipe
- Password failure lock out
“Bring your own device” capability To ensure widespread adoption and utilization, the solution should be available on iOS and Android devices.
BAA readiness Willing and able to execute a HIPAA-compliant business associate agreement.
Integration with EMR system You may not want to integrate now, but this will give you room to scale later – without having to get your staff and physicians used to a whole new program.
Adoption support and training Your secure texting vendor should do more than just offer the technology. They should support you in your efforts to encourage use and adoption across your organization. Ask about training materials, webinars and ongoing communication efforts to encourage best practices and increase adoption rates.
The cost of a failed HIPAA Audit (or worse, a breach) can be devastating both for your organization and your professional reputation. Texting from an iPhone, Android or mobile phone is an area you can’t afford to ignore or assume doesn’t apply to your organization.