Back in 2014, Catholic Health Care Services (CHCS) of the Archdiocese of Philadelphia was serving as an active business associate to six skilled nursing facilities, providing information technology services.
Unfortunately, one of their iPhones containing the unencrypted, protected health information of 412 nursing home patients – including their social security numbers, diagnosis and treatment information, and the names of family members and legal guardians – was stolen.
The resulting breach led to a $650,000 HIPAA fine.
At present, 90 percent of healthcare organizations use or plan to use mobile devices
The incident with CHCS should raise our security caution level, for the following reasons:
- mobile device use has been increasing in healthcare, allowing greater access to PHI – a generally positive trend for patient care
- password protections are frequently not used on mobile phones – which was also the case with CHCS
- perhaps of all devices, smartphones tend to be misplaced, lost, and stolen more easily – making protections all the more necessary
- physicians as well as business associates often forget about encrypting their emails
As OCR Director Jocelyn Samuels noted after the CHCS breach:
“…business associates must implement the protections of the HIPAA Security Rule for the electronic protected health information they create, receive, maintain, or transmit from covered entities. This includes an enterprise-wide risk analysis and corresponding risk management plan, which are the cornerstones of the HIPAA Security Rule.” (emphasis added).
Securing Mobile Devices
Ultimately, the responsibility for mobile device management falls to the covered entities and their business associates. According to OCR’s investigation, CHCS had no policy in place addressing the removal of mobile devices containing PHI from its facility, nor what to do in the event of a security incident – both which likely would have been addressed in a risk management assessment.
A number of companies, including Google, are now offering mobile device management and encryption to keep ePHI secure. In addition, the National Institute of Standards and Technology (NIST) has issued mobile guidelines for healthcare security engineers and providers.
In general, the NIST standards advise the following:
- All mobile devices should be registered with the organization, and individually authorized to add, modify, remove, and access PHI
- Passcode protection should be enabled, and mobile devices encrypted
- Enable security policies for mobile security, and certificates to prove the authenticity of users and devices
- Devices should only access a specific Wi-Fi (WPA2) created for mobile devices
So how did things work out for CHCS? In addition to meeting the fine, CHCS agreed to a corrective action plan. In assessing the fine, OCR also took into account the critical services provided to Philadelphia’s elderly, developmentally disabled, foster care system, and HIV/AIDS patients, the director noted.
About HIPAA Vault:
HIPAA Vault is a leading provider of HIPAA compliant solutions, enabling healthcare providers, business organizations, and government agencies to secure their protected health information from data breaches, threats, and security vulnerabilities. Advanced security measures are needed to ensure HIPAA compliance, and customers trust HIPAA Vault to mitigate risk, actively monitor and protect their infrastructure and ensure that systems stay online at all times. www.hipaavault.com