Do your workers use cell-phones?

There are a couple of steps you need to take to ensure the information on your workers' mobile devices is secure. This is especially important if you need to be HIPAA compliant.

  • Password-protect your device. This is the first layer of protection for any mobile device. Make sure that all apps (camera, Siri, etc.) are disabled whenever you are not logged into your device.
  • Disable Text/Email notifications. You don't want the text of emails or SMS text messages to pop-up on your locked screen.
  • Turn on full disk-encryption. OCR will levy fines based on the assumption that all PHI on your phone is compromised unless the phone is encrypted.
  • Turn off cloud back-up. You cannot use any cloud service to store PHI unless the provider executes a BAA with you.
  • Disable automatically connecting to WiFi hotspots. Setting up a public WiFi network near malls, airports, and hotels is a common technique for gathering information. Train your workforce to only use locked WiFi networks they know.
  • Enable Tracking. This lets you recover the phone if it is merely lost and avoid having to report an incident to OCR.
  • Enable Remote Wipe. This will erase all data from your phone if it is lost or stolen. 
  • Configure Secure Messaging. The default programs that come with the phones (Apple Mail, SMS text messaging, iMessage, etc.) are not HIPAA compliant. Your business needs a suite of secure email and messaging apps.

Medical businesses need to implement operational procedures that ensure that all their workers' devices are HIPAA compliant.
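Most of the checklist above can be pushed to every phone as a mobile device management (MDM) configuration profile instead of being left to each worker. The script below is an added example, not code from the original article: it builds an iOS/iPadOS profile from Apple's documented restriction keys (com.apple.applicationaccess and com.apple.mobiledevice.passwordpolicy) and then audits any profile against the same rules, so you can check what an MDM is actually enforcing. The organization name and payload identifiers are hypothetical. Remote wipe, lost-device tracking and WiFi auto-join policy are handled on the MDM server or in per-network WiFi payloads, so they are not covered by these keys.

```python
"""Build and audit an iOS configuration profile (.mobileconfig) enforcing the
mobile-device checklist.  Added example, not the article's code; standard
library only.  Keys are Apple's documented restriction/passcode keys."""
import plistlib
import uuid

# Lock-screen and backup restrictions (com.apple.applicationaccess).
RESTRICTION_RULES = {
    "allowLockScreenNotificationsView": (False, "eq"),  # no SMS/e-mail previews while locked
    "allowAssistantWhileLocked": (False, "eq"),         # no Siri before unlocking
    "allowCloudBackup": (False, "eq"),                  # no iCloud backup of PHI without a BAA
    "forceEncryptedBackup": (True, "eq"),               # local backups must be encrypted
}
# Passcode policy (com.apple.mobiledevice.passwordpolicy).  Setting a passcode is
# also what turns on the device's data-protection encryption.
PASSCODE_RULES = {
    "forcePIN": (True, "eq"),
    "allowSimple": (False, "eq"),  # reject repeating/sequential codes
    "minLength": (6, "ge"),        # 6 digits or longer
    "maxInactivity": (2, "le"),    # auto-lock after at most 2 idle minutes
    "maxGracePeriod": (0, "le"),   # demand the passcode immediately on wake
}
PAYLOAD_RULES = {
    "com.apple.applicationaccess": RESTRICTION_RULES,
    "com.apple.mobiledevice.passwordpolicy": PASSCODE_RULES,
}


def _payload(payload_type, settings, org, suffix):
    return {
        "PayloadType": payload_type,
        "PayloadVersion": 1,
        "PayloadIdentifier": f"com.example.{suffix}",  # hypothetical identifier
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": f"{org} {suffix}",
        **settings,
    }


def build_profile(org="Example Clinic"):
    """Return the profile as a plist-serialisable dict, using for each rule
    the strictest value the audit accepts."""
    content = [
        _payload(ptype, {k: want for k, (want, _) in rules.items()}, org,
                 ptype.rsplit(".", 1)[-1])
        for ptype, rules in PAYLOAD_RULES.items()
    ]
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.hipaa-mobile",  # hypothetical identifier
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": f"{org} HIPAA mobile baseline",
        "PayloadRemovalDisallowed": True,  # the user cannot simply delete the profile
        "PayloadContent": content,
    }


def to_mobileconfig(profile):
    """Serialise to the XML plist that an MDM or Apple Configurator installs."""
    return plistlib.dumps(profile)


def from_mobileconfig(data):
    """Parse a .mobileconfig (e.g. one exported from an MDM) back into a dict."""
    return plistlib.loads(data)


def _satisfies(got, want, op):
    if got is None:          # key absent: the device keeps its permissive default
        return False
    if op == "eq":
        return got == want
    if op == "ge":
        return got >= want
    return got <= want


def audit_profile(profile):
    """Return a list of findings; an empty list means the profile meets the checklist."""
    findings = []
    for ptype, rules in PAYLOAD_RULES.items():
        merged = {}
        for payload in profile.get("PayloadContent", []):
            if payload.get("PayloadType") == ptype:
                merged.update(payload)
        for key, (want, op) in rules.items():
            got = merged.get(key)
            if not _satisfies(got, want, op):
                findings.append(f"{ptype}: {key}={got!r} (required {op} {want!r})")
    return findings


if __name__ == "__main__":
    profile = build_profile()
    print(to_mobileconfig(profile).decode())
    print("findings:", audit_profile(profile))
```

Feed `from_mobileconfig()` the profile your MDM actually deploys and `audit_profile()` will list every checklist item it fails to enforce; a missing key counts as a failure because the device then keeps its permissive default.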

Encrypt your computer

The Office of Civil Rights at the U.S. Department of Health and Human Services demands hefty penalties from companies whenever a stolen laptop compromises PHI because it was unencrypted.  The average fine is over $880,000 per laptop!  You can avoid this penalty by ensuring all employees and contractors activate full disk encryption on their computers.

Mac OS X. Turn on FileVault. It is available on all editions starting with 10.10 Yosemite. Beginning with Lion, all Mac OS X machines are encrypted by default.

Windows. Turn on BitLocker. It is available on Windows 10 Pro, Education, and Enterprise; on Windows 8 and 8.1 Pro and Enterprise; on Windows 7 Ultimate and Enterprise; and on Windows Vista Ultimate and Enterprise.

Linux. You can activate full disk encryption on Ubuntu versions 12.10 and later during installation. 

ChromeBook. Encryption is enabled by default, unless you are in Developer Mode. 

iPhone, iPad, or iPod. Turning on the Passcode automatically activates full disk encryption. Make sure you use a 6-digit passcode or longer. Available for iPhone 3GS or later, all iPads, and iPod 3rd Generation or later.

Android. Full disk encryption is available starting with Gingerbread 2.3.X and enabled by default starting with 5.X. Android disk encryption has some known vulnerabilities that iOS does not have.

Windows Mobile. You can easily encrypt Windows 10 phones. Windows Phone 8.1 supports disk encryption, but only when it is connected to a device management server.
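Turning encryption on is only half the job; for an audit you also need evidence that it is still on across the fleet. The script below is an added example, not code from the original article: it reads the status printed by each desktop platform's own tool (`fdesetup status` on macOS, `manage-bde -status C:` on Windows, `lsblk` on Linux) and returns one inventory record per host. The parsers take the command output as text so they can be tested offline; the sample outputs in the block are constructed. It assumes the Windows system drive is C: and that `manage-bde` is run from an elevated prompt.

```python
"""Cross-platform full-disk-encryption check for a device inventory.  Added
example, not the article's code.  Each parser takes the text printed by the
platform's status command; collect() runs that command on the current host."""
import platform
import re
import subprocess


def parse_fdesetup(output):
    """macOS `fdesetup status`: compliant only when FileVault is On and the
    initial encryption pass has finished ('Encryption in progress' is not done)."""
    return "FileVault is On." in output and "in progress" not in output.lower()


def parse_manage_bde(output):
    """Windows `manage-bde -status C:`: require both 'Fully Encrypted' and
    'Protection On'.  A suspended volume stays fully encrypted but unprotected."""
    fields = dict(re.findall(r"^\s*([A-Za-z ]+):\s+(.+?)\s*$", output, re.MULTILINE))
    return (fields.get("Conversion Status") == "Fully Encrypted"
            and fields.get("Protection Status") == "Protection On")


def parse_lsblk(output):
    """Linux `lsblk -P -o NAME,TYPE,MOUNTPOINT,PKNAME`: start at the device
    mounted on / and walk up its parents; require a dm-crypt (LUKS) layer in the
    chain so that LVM-on-LUKS layouts count as encrypted."""
    rows, node = {}, None
    for line in output.splitlines():
        row = dict(re.findall(r'(\w+)="([^"]*)"', line))
        if not row:
            continue
        rows[row["NAME"]] = row
        if row.get("MOUNTPOINT") == "/":
            node = row
    seen = set()
    while node is not None and node["NAME"] not in seen:
        seen.add(node["NAME"])
        if node.get("TYPE") == "crypt":
            return True
        node = rows.get(node.get("PKNAME", ""))
    return False


COMMANDS = {
    "Darwin": (["fdesetup", "status"], parse_fdesetup),
    "Windows": (["manage-bde", "-status", "C:"], parse_manage_bde),
    "Linux": (["lsblk", "-P", "-o", "NAME,TYPE,MOUNTPOINT,PKNAME"], parse_lsblk),
}


def collect():
    """Run this host's status command and return an inventory record."""
    system = platform.system()
    record = {"host": platform.node(), "os": system, "encrypted": None, "error": None}
    if system not in COMMANDS:
        record["error"] = "unsupported platform"
        return record
    cmd, parser = COMMANDS[system]
    try:
        proc = subprocess.run(cmd, capture_output=True, text=True, check=False)
        record["encrypted"] = parser(proc.stdout)
        if proc.returncode != 0:
            record["error"] = proc.stderr.strip() or f"exit {proc.returncode}"
    except FileNotFoundError:
        record["error"] = f"{cmd[0]} not found"
    return record


# Constructed sample outputs for offline testing.
SAMPLE_BDE_ON = """Volume C: [OSDisk]
[OS Volume]
    Size:                 237.00 GB
    BitLocker Version:    2.0
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Encryption Method:    XTS-AES 128
    Protection Status:    Protection On
"""
SAMPLE_BDE_SUSPENDED = SAMPLE_BDE_ON.replace("Protection On", "Protection Off")
SAMPLE_LSBLK_LUKS = """NAME="nvme0n1" TYPE="disk" MOUNTPOINT="" PKNAME=""
NAME="nvme0n1p1" TYPE="part" MOUNTPOINT="/boot/efi" PKNAME="nvme0n1"
NAME="nvme0n1p2" TYPE="part" MOUNTPOINT="" PKNAME="nvme0n1"
NAME="cryptroot" TYPE="crypt" MOUNTPOINT="" PKNAME="nvme0n1p2"
NAME="vg-root" TYPE="lvm" MOUNTPOINT="/" PKNAME="cryptroot"
"""
SAMPLE_LSBLK_PLAIN = """NAME="sda" TYPE="disk" MOUNTPOINT="" PKNAME=""
NAME="sda1" TYPE="part" MOUNTPOINT="/" PKNAME="sda"
"""

if __name__ == "__main__":
    print(collect())
```

Run `collect()` from your endpoint agent or login script and ship the record to a central sheet; a host with `encrypted: False` is the laptop the fine is written about, and `error` tells you when the check itself could not run (for example `manage-bde` without elevation).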

PHI - Protected Health Information

If you want to secure your PHI, you first have to find it.

Protected health information (PHI) under US law is any information about health status, provision of health care, or payment for health care that is created or collected by a "Covered Entity" (or a Business Associate of a Covered Entity), and can be linked to a specific individual. Source: https://en.wikipedia.org/wiki/Protected_health_information

Some places you can look:

Calendar. This is how two Phoenix cardiologists earned a $100,000 fine. 

Email.  Do your doctors email each other about patients?  Do they get emails from patients? Now you need to protect the emails stored on your servers and mirrored to the Inbox on every device you own.

Voicemail. Do your patients leave you messages?  You need to make sure your voicemail box is secure.  Similarly, be wary of calls hosted by the cloud.

Text Messages. If your patients send you text messages (which I hope they don't, because it is an open channel!), the text history stored on your phone is now PHI.

Billing. You get paid, right?  Well, the payment records link patients to you. This means your billing information is not just PCI, it is also PHI!

The Cloud. Somewhere out there, over the rainbow, you have a server with patient data.  You need to protect it.  If any of that data is ever unencrypted, or if the decryption keys are stored by the same cloud service as the data, you need to sign a BAA with the cloud service provider.

The Guy With Three Computer Screens on His Desk. Otherwise known as the developer, QA tester, database manager, or system administrator. He has access to the PHI (which he innocuously calls "production data") because he codes/tests/administers the system where it is stored. But testing might require obtaining a local copy...and you see where this is going. If you outsource any of your dev/QA/sysadmin functions to outside contractors, you need a rock-solid BAA.

The Ridiculously Expensive Printer. The bigger and more expensive, the more likely it stored electronic copies of all PHI you sent it to print. Affinity Health paid a $1.2 million penalty for data discovered on the hard drive of its copy machines.

Laptops, cell-phones, and computers. If your company handles PHI, just assume that all devices that ever connect to your system MAY have PHI on them (even if they're not supposed to). Concentra Health Services paid a $2 million penalty due to a stolen laptop.

Browser Cache. You thought you placed your PHI safely in the cloud. But there it is, on every laptop, cell-phone, and workstation that ever connects to your web-portal (see above).

USB drives. Those little devices you use to transfer data between computers when you don't have a secure file transfer service available.  

The Recycling Bin. Because that's where you put your PHI after you shredded it.
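Finding PHI in the places listed above does not have to be done by eye. The script below is an added example, not code from the original article: it walks a directory tree (a browser cache, a Downloads folder, a mounted USB drive, a calendar or mail export) and flags text-like files that contain common PHI markers such as SSNs, medical record numbers, dates of birth, diagnosis codes and phone numbers. The patterns are heuristics, so a hit means "look here", not a verdict. The sample tree in `demo()` is constructed, with invented names and numbers, so the scan can be exercised offline.

```python
"""Walk a directory tree and flag files that look like they hold PHI.  Added
example, not the article's code.  Patterns are heuristics for common PHI
markers; demo() scans a constructed sample tree."""
import os
import re
import tempfile
from pathlib import Path

# Each pattern is a cheap indicator of one kind of identifier.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:#\s]*\d{6,10}\b", re.IGNORECASE),
    "dob": re.compile(r"\b(?:DOB|date of birth)[:\s]*\d{1,2}/\d{1,2}/\d{2,4}\b", re.IGNORECASE),
    "diagnosis": re.compile(r"\b(?:ICD-?10|diagnosis|dx)[:\s]*[A-Z]\d{2}(?:\.\d{1,4})?\b", re.IGNORECASE),
    "phone": re.compile(r"(?<!\d)\(?\d{3}\)?[-.\s]\d{3}[-.]\d{4}\b"),
}
# Text-like files typically left behind by calendars, mail clients, browsers and billing exports.
TEXT_SUFFIXES = {".txt", ".csv", ".log", ".eml", ".ics", ".vcf", ".json", ".html", ".md"}
MAX_BYTES = 5 * 1024 * 1024  # skip very large files; they need a streaming scanner


def scan_text(text):
    """Return {indicator: count} for every pattern that matched at least once."""
    counts = {name: len(pat.findall(text)) for name, pat in PHI_PATTERNS.items()}
    return {name: n for name, n in counts.items() if n}


def is_flagged(counts):
    """A direct identifier (SSN or MRN) is enough on its own; otherwise require two
    different indicator types so a lone phone number does not raise noise."""
    return bool(counts.get("ssn") or counts.get("mrn") or len(counts) >= 2)


def scan_tree(root):
    """Return [{'path': relative posix path, 'indicators': counts}] sorted by path."""
    root = Path(root)
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if path.suffix.lower() not in TEXT_SUFFIXES or path.stat().st_size > MAX_BYTES:
                continue
            counts = scan_text(path.read_text(encoding="utf-8", errors="ignore"))
            if is_flagged(counts):
                findings.append({"path": path.relative_to(root).as_posix(), "indicators": counts})
    return sorted(findings, key=lambda f: f["path"])


# Constructed sample files mirroring the places listed above (calendar, billing,
# browser cache, notes).  Names and numbers are invented.
SAMPLE_FILES = {
    "calendar/appointments.ics": ("BEGIN:VEVENT\nSUMMARY:Follow-up, J. Doe, DOB: 04/12/1961\n"
                                  "DESCRIPTION:Call (602) 555-0147 to confirm. Dx: I25.10\nEND:VEVENT\n"),
    "billing/march.csv": "patient_id,name,ssn,amount\n1042,Jane Roe,321-54-9876,150.00\n",
    "cache/portal_page.html": "<html><body>Patient portal: MRN: 00123456, next visit 3/4/2024</body></html>\n",
    "notes/README.md": "Internal wiki notes. Call the front desk at extension 4411.\n",
}


def demo():
    """Write the sample tree to a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, content in SAMPLE_FILES.items():
            target = Path(tmp) / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(content, encoding="utf-8")
        return scan_tree(tmp)


if __name__ == "__main__":
    for finding in demo():
        print(finding["path"], finding["indicators"])
```

Point `scan_tree()` at a real path to get the same report for that location; the README-style note in the sample is there to show that a single weak indicator does not flag a file, while the billing export is flagged on its SSN alone.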

All of the above examples constitute "data-at-rest." Your job is to encrypt it, create a back-up, and encrypt the back-up. Then add some audit and access control. If a separate organization has access to the data, you need to sign a BAA to ensure that they do the same.