Many practices may focus on infrastructure when preparing their information security policies for Health Insurance Portability and Accountability Act (HIPAA) audits, but a new study has shown that the majority of data breaches are the result of theft. This finding highlights the importance of securing mobile devices with protected health information (PHI) and educating staff on proper protocol when using cell phones and tablets.
New statistics on data loss
Research from Bitglass, an information security provider, showed that the majority of PHI data breaches are not caused by outsiders hacking electronic health records. The company analyzed data from the U.S. Department of Health and Human Services' "Wall of Shame," which displays reports on data breaches and HIPAA violations over the past three years.
The study showed that 68 percent of security breaches were due to the loss or theft of mobile devices or files. Further, 48 percent of data lost was on a laptop, desktop computer or mobile device. Only 23 percent of the breaches on the HHS "Wall of Shame" were a result of hacking. These statistics show that practices need to make the security of PHI on mobile devices a greater priority to avoid data breaches and HIPAA violations.
Protecting mobile information
Healthcare organizations that are taking steps to secure their mobile devices should adhere to a number of security standards. According to the American Bar Association, phones, laptops and tablets should require authentication before they can be accessed, whether complex passwords or biometric measures. Another important aspect of mobile device protection is the encryption of PHI files. Any email or text messages should also be encrypted to ensure they meet HIPAA privacy standards. Other necessary safeguards include installing firewalls, anti-virus and anti-malware software, and programs that can remotely wipe PHI in case of theft.
It is also important that practices brief staff members about proper protocol when handling PHI on a mobile device. Tablets and laptops should never be left in a staff member's car or unattended in public. Personal data, like patient names and contact information, should only be transmitted via encrypted methods. If employees are vigilant about keeping the practice's devices secure, there is less chance of theft or loss.
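The safeguards above are the kind of thing a practice can verify against its own device inventory rather than take on trust. The following is an added example, not code from the article, Bitglass or the American Bar Association: it reads a constructed inventory (the field names, the sample devices and the policy thresholds such as an 8-character minimum passcode are assumptions) and reports every device that fails one of the listed controls: authentication, encryption at rest, encrypted messaging, anti-malware and remote wipe.

```python
import json

# Constructed policy thresholds (assumption: what this practice treats as
# "complex" authentication and which controls it requires before a device
# may hold PHI).
POLICY = {
    "min_passcode_len": 8,
    "require_alphanumeric": True,
    "require_disk_encryption": True,
    "require_remote_wipe": True,
    "require_antimalware": True,
    "require_encrypted_messaging": True,
}

# Constructed inventory, as a device-management export might provide it.
# Only the device's configured passcode *policy* is recorded, never the
# passcode itself.
INVENTORY_JSON = """
[
  {"id": "laptop-01", "biometric": false, "passcode_len": 12,
   "passcode_alphanumeric": true, "disk_encrypted": true,
   "remote_wipe_enrolled": true, "antimalware": true,
   "encrypted_messaging": true},
  {"id": "tablet-02", "biometric": false, "passcode_len": 4,
   "passcode_alphanumeric": false, "disk_encrypted": true,
   "remote_wipe_enrolled": false, "antimalware": true,
   "encrypted_messaging": true},
  {"id": "phone-03", "biometric": true, "disk_encrypted": false,
   "remote_wipe_enrolled": true, "antimalware": false,
   "encrypted_messaging": false}
]
"""


def check_device(device, policy=POLICY):
    """Return a list of findings for one device; an empty list means compliant."""
    findings = []
    # Authentication: biometric unlock satisfies the requirement outright;
    # otherwise the configured passcode must meet the length and character rules.
    if not device.get("biometric"):
        if device.get("passcode_len", 0) < policy["min_passcode_len"]:
            findings.append(
                "passcode shorter than %d characters" % policy["min_passcode_len"])
        if policy["require_alphanumeric"] and not device.get("passcode_alphanumeric"):
            findings.append("passcode is numeric only")
    # Encryption at rest: a lost or stolen device exposes PHI without it.
    if policy["require_disk_encryption"] and not device.get("disk_encrypted"):
        findings.append("storage not encrypted")
    # Remote wipe: the response to theft the article recommends.
    if policy["require_remote_wipe"] and not device.get("remote_wipe_enrolled"):
        findings.append("not enrolled for remote wipe")
    if policy["require_antimalware"] and not device.get("antimalware"):
        findings.append("no anti-malware software installed")
    # Encrypted email/text so PHI in transit meets the privacy standard.
    if policy["require_encrypted_messaging"] and not device.get("encrypted_messaging"):
        findings.append("email/text messaging not encrypted")
    return findings


def audit(inventory, policy=POLICY):
    """Map device id -> findings for every device that is not compliant."""
    return {d["id"]: f for d in inventory if (f := check_device(d, policy))}


def load_inventory(text=INVENTORY_JSON):
    """Parse the JSON inventory export into a list of device records."""
    return json.loads(text)


if __name__ == "__main__":
    for dev_id, problems in audit(load_inventory()).items():
        print(dev_id)
        for p in problems:
            print("  -", p)
```

Run as a script it prints the two non-compliant sample devices with their findings; the compliant laptop is omitted. Swapping `INVENTORY_JSON` for a real export and adjusting `POLICY` to the practice's written standard turns it into a repeatable pre-audit check.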
Practices that do not take these security measures could be subject to a HIPAA violation and face penalties of up to $50,000. If the provider is found to have violated the same provision again within a year of the initial violation, the HHS can charge up to $1.5 million.