Tablets. Smartphones. Laptops.
The ubiquitous portable electronic devices in the healthcare workplace, particularly professionals’ unencrypted personal devices, are exacerbating an already growing security risk – data breaches.
Only 44 percent of respondents in a research study said they had encrypted their mobile devices, according to a Department of Health and Human Services (HHS) report. The greatest risks with mobile devices are theft, loss, and downloaded viruses and malware.
Intelligence data for malicious traffic, examined in a February 2014 SANS Health Care Cyberthreat Report, confirmed just how vulnerable the healthcare industry is when it comes to security risks.
“Many of the organizations were compromised and, therefore, out of compliance for months, and some for the duration of the study – meaning they never detected their compromises or outbound malicious communications,” the report says.
Most of the malicious traffic (72 percent) emanated from healthcare providers. One-third of the victims were small providers – either individual practices or small groups with fewer than 10 providers.
Practices found out of compliance with the Security Rule of the Health Insurance Portability and Accountability Act (HIPAA) face civil and, in some cases, criminal penalties. While huge penalties extracted from large healthcare systems are big news, smaller healthcare groups are not immune to receiving fines for noncompliance.
A small dermatology practice in Massachusetts, as an example, paid $150,000 in fines for loss of a thumb drive containing protected health information.
Taking the following actions can help to keep mobile devices secure:
HealthIT.gov provides healthcare professionals with information on how to maintain the security of laptops and other mobile devices. Click here for more information.
Additionally, conducting a security risk assessment is required not only under the HIPAA Security Rule but also as part of the Meaningful Use Program. A risk assessment can uncover potential weaknesses in security policies, processes and systems and enable a practice to address them before a data breach occurs.
To help providers in small-to-medium-sized offices conduct risk assessments of their organizations, HHS has developed a security risk assessment (SRA) tool that is available for both Windows operating systems and iOS iPads. Download the Windows version at www.HealthIT.gov/security-risk-assessment. The iOS iPad version is available from the Apple App Store. Search under “HHS SRA tool.”