The Office for Civil Rights (OCR) and the Office of the National Coordinator for Health IT (ONC) have both recently issued guidelines and tips that healthcare professionals can use to secure their devices and properly safeguard ePHI.
The advice, published on HealthIT.gov, lists a number of steps that can be taken to ensure that ePHI is not disclosed by mistake and that security holes are closed. The measures are simple, yet many healthcare organizations have still not implemented them. The recommended data security practices include the following:
- Make sure all mobile devices are protected by a secure password or PIN – A password or PIN must be required to unlock the device, and the characters must be masked as they are typed so that unauthorized people cannot read them.
- Implement data encryption on all databases storing ePHI and employee data.
- Install software that allows a device to be remotely accessed so that its data can be wiped if the device is lost or stolen. As a minimum, mobile devices and laptops must be capable of being remotely disabled in the event of loss or theft.
- Disable file sharing – File sharing is a feature of modern operating systems that lets users share data easily, but it can be a major security hole that leaves laptops and mobile devices accessible to cybercriminals. With file sharing switched on, data can be read and copied without the user's knowledge.
- Install a firewall on every server and mobile device, and keep it active at all times.
- Install anti-virus and anti-malware software to prevent viruses and other malicious software from opening security holes. Software licenses must be kept current, virus definition updates must be set to automatic, and regular scans must be run on all devices.
- Vet mobile applications before installation – Mobile apps request permission to access certain information on the device, so the security and privacy details of every app must be reviewed before it is installed, to make sure it is not unknowingly granted access to ePHI held on the device.
- Keep all devices physically secure wherever they are located – Small electronic devices are easily lost or stolen, so all staff must take care never to leave their devices unattended.
- Secure all devices that use public Wi-Fi – Wi-Fi should only be used to connect to the internet if the connection is encrypted, for example over a VPN. On public Wi-Fi, hackers and the owners of the access points can easily intercept traffic from, or gain access to, devices connected via their networks.
- Encrypt text messages – Text messages can easily be intercepted and may remain on remote servers for a considerable time, exposing their contents to anyone with access to those servers. Encryption software for mobile devices is vital.
- Securely erase all data that is no longer needed – Deleted files can often be recovered, so all data must be securely erased before a device is decommissioned, destroyed, disposed of, sold on or returned to a leasing company.
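The last point is the one most often done wrong, because a plain delete only removes the directory entry and leaves the file's blocks on the disk. The following Python script is an added example, not part of the HealthIT.gov guidance: it overwrites a file with random data, forces the write to the device, and only then unlinks it. The sample record it creates is constructed and is not real patient data. The comments carry the caveat a practitioner needs: on the flash storage found in phones, tablets and most laptops, wear levelling and copy-on-write filesystems can leave the original blocks intact, so for those devices the reliable method is full-disk encryption followed by destruction of the key.

```python
import os
import secrets
import tempfile

# Constructed sample ePHI for the demonstration; not a real record.
SAMPLE = b"MRN 000123 - constructed sample record, not real patient data\n"


def overwrite_file(path: str, passes: int = 2, chunk_size: int = 64 * 1024) -> int:
    """Overwrite every byte of the file at `path` with random data, `passes` times.

    Each pass is flushed and fsync'd so the data reaches the storage device
    rather than sitting in the page cache. Returns the bytes overwritten per pass.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for _ in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk_size, remaining)
                fh.write(secrets.token_bytes(n))  # CSPRNG output, not a fixed pattern
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())
    return size


def secure_erase(path: str, passes: int = 2) -> int:
    """Overwrite the file in place, then unlink it. Returns bytes overwritten per pass.

    Caveats:
      * SSDs and eMMC (every phone and tablet) remap writes through wear
        levelling, and copy-on-write filesystems (APFS, Btrfs, ZFS) may write
        the new data to fresh blocks, so the original blocks can survive an
        overwrite. On such devices rely on full-disk encryption and destroy the
        key (a "crypto-erase"), which is what a factory reset on an encrypted
        phone does.
      * Filenames, sizes and timestamps live in filesystem metadata and are not
        touched here.
    """
    overwritten = overwrite_file(path, passes=passes)
    os.remove(path)
    return overwritten


def run_demo(sample: bytes = SAMPLE) -> dict:
    """Write `sample` to a temporary file, overwrite it, check that the original
    bytes are gone while the file still exists, then erase it fully."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as fh:
        fh.write(sample)

    overwrite_file(path)  # first, observe the effect of the overwrite alone
    with open(path, "rb") as fh:
        after = fh.read()
    survived = len(sample) > 0 and sample in after

    overwritten = secure_erase(path)  # then the full overwrite-and-unlink
    return {
        "bytes_overwritten": overwritten,
        "size_preserved": len(after) == len(sample),
        "scrubbed_before_unlink": not survived,
        "removed": not os.path.exists(path),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Run it on a throwaway file only; the overwrite is irreversible. The script handles the zero-length edge case (nothing to overwrite, the file is simply unlinked) and chunks large files so memory use stays constant regardless of file size.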
Following these standard security procedures will help ensure that mobile devices are used in a HIPAA-compliant manner and that patients' ePHI is properly secured.