Week 2 of National Cybersecurity Awareness Month
By Gil Vidals, HIPAA Blog

No doubt, 2020 has disturbed the status quo in numerous ways, impacting our work, schooling, and social gatherings – even the way we receive our healthcare. 

And while the pandemic has hastened a transition to increased virtualized care and telehealth, a recent analysis notes how this change was already well underway, even before Covid-19 was a reality:  

With smartphones and mobile devices, medical wisdom and even physicians are just a couple screen taps away. Besides apps, telemedicine is already a well-established practice. In 2014, about 15 million people in the United States received care via the Internet. By 2020, the global telemedicine market is expected to be worth more than $34 billion.

Patients enjoy the convenience of telemedicine. Providers experience greater productivity by being able to see more people. And insurers love the cost savings. In fact, insurers and employers are increasingly willing to pay for telemedicine.

Despite this, an alarming statistic should give us pause: as a recent mobile security Index points out, 38% of healthcare organizations now experience breaches due to unprotected mobile devices. Children’s Medical Center of Dallas was one such casualty: they received a $3.2 million fine from the OCR for HIPAA noncompliance and disclosure of unsecured protected health information (PHI), in part due to an unencrypted BlackBerry.

In light of this, there’s no better time for providers and patients to heed the National Cybersecurity Awareness Month (NCSAM) call to “Be cyber smart” – not only with our smartphones but all our internet-connected devices. 

Following our Week #1 focus on adopting good cyber hygiene, NCSAM’s second week highlights the importance of securing our personal devices in light of our increasing online presence and reliance on mobile phones. With this in mind, we offer the following:

7 Tips for Staying HIPAA Compliant with Mobile Devices:

1. Don’t ignore your OS & app updates  

Many healthcare organizations fail to implement an appropriate device policy, even those that permit or encourage BYOD. Part of an effective policy is keeping device operating systems and (all) apps up to date, in order to gain the latest security protections. Using only trusted apps is also critical, as a weakness in one app can expose the others installed alongside it. Delaying updates only lengthens the window of vulnerability, so it is important to install them as soon as they become available. 

2. Use strong password protections

According to a recent study, over half of all smartphone users surveyed skip password protections, leaving their device immediately accessible and vulnerable to anyone with malicious intent. To be sure, a strong password (or PIN) isn’t the only protection you should have, but like a strong lock installed on your front door, it provides an important layer of security against those seeking access.   

3. Implement mobile encryption

Because of their small size, mobile devices are more likely to be misplaced than most computers and are also more easily concealed and stolen. These are just two important reasons to use mobile encryption: if your device does fall into the wrong hands, the healthcare data on it will be unreadable and privacy will be maintained. Newer smartphones include encryption by default; on older ones it can be enabled through the phone settings or an app.  

4. Establish appropriate permissions

Mobile devices that allow PHI to be accessed, added, modified, or removed should be specifically authorized using role-based permissions. If an employee’s job functions do not include handling PHI, that access should not be granted. Regular training on device security should be part of the program, especially for those who hold such permissions.

5. Use two-factor authentication

Adding multi-factor authentication for your sign-on is an excellent way to avoid a single point of failure should your password ever fall into the wrong hands. If this does happen, cybercriminals will still need a secondary passcode to get to your data.

6. Avoid unsecured Wi-Fi networks (use WPA2) 

Using an unsecured network where protected health information is involved is simply not HIPAA compliant. WPA2 secures the network with AES encryption and a long passphrase, and is the preferred option. 

7. Don’t click links in email promos! 

Phishing links in emails are increasingly well disguised as tempting offers from trusted sources, and should be avoided at all costs. Cybercriminals use these links to great advantage (on average, every 11 seconds, as we saw in Week #1), installing malware (including ransomware) on devices as a way to breach sensitive data and hold it for ransom.


When an organization begins the journey of becoming HIPAA compliant, a risk assessment of all devices that will handle PHI is indispensable. It is essential that mobile devices are included – just like all computers – with ongoing assessments of their security status (updates, etc.) reviewed regularly. This is one more piece in an effective HIPAA compliance program, and a way to help ensure that cybersecurity becomes an essential part of patient care. 
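The ongoing assessment described above can be made repeatable by scoring each device in the inventory against the first six tips (the seventh, phishing, is a user behaviour rather than a device setting). The following is an added example, not code from HIPAA Vault or this post: it checks a constructed inventory of mobile devices for update age, screen lock, storage encryption, role-based PHI authorization, MFA, and Wi-Fi security, and lists the PHI-handling devices that are out of policy. The 30-day patch threshold, the set of roles permitted to handle PHI, and the device records are all assumptions made for illustration.

```python
"""Mobile device posture check against the six device-level tips (added example, not the post's code)."""
from dataclasses import dataclass
from typing import Dict, List

MAX_PATCH_AGE_DAYS = 30                          # assumed policy threshold for tip 1
PHI_ROLES = {"clinician", "nurse", "billing"}    # assumed roles authorized to handle PHI (tip 4)
SECURE_WIFI = {"WPA2", "WPA3"}                   # tip 6: WPA2 is the post's minimum; WPA3 also accepted


@dataclass
class Device:
    """One row of a mobile device inventory (all fields are constructed for this example)."""
    device_id: str
    owner: str
    role: str
    handles_phi: bool
    days_since_update: int
    screen_lock: bool
    encrypted: bool
    mfa_enabled: bool
    wifi_security: str  # e.g. "WPA2", "WEP", "OPEN"


def assess(device: Device) -> List[str]:
    """Return a finding per failed tip; an empty list means the device is in policy."""
    findings: List[str] = []
    if device.days_since_update > MAX_PATCH_AGE_DAYS:
        findings.append(f"tip1: OS/app updates are {device.days_since_update} days old")
    if not device.screen_lock:
        findings.append("tip2: no passcode or screen lock set")
    if not device.encrypted:
        findings.append("tip3: device storage is not encrypted")
    # Tip 4 is deny-by-default: a PHI-handling device must belong to an authorized role.
    if device.handles_phi and device.role not in PHI_ROLES:
        findings.append(f"tip4: role '{device.role}' is not authorized to handle PHI")
    if not device.mfa_enabled:
        findings.append("tip5: multi-factor authentication not enabled")
    if device.wifi_security.upper() not in SECURE_WIFI:
        findings.append(f"tip6: Wi-Fi security '{device.wifi_security}' is not WPA2/WPA3")
    return findings


def assess_inventory(devices: List[Device]) -> Dict[str, List[str]]:
    """Map each device id to its findings."""
    return {d.device_id: assess(d) for d in devices}


def phi_devices_out_of_policy(devices: List[Device]) -> List[str]:
    """Ids of devices that handle PHI and have at least one finding (the risk-assessment focus)."""
    return sorted(d.device_id for d in devices if d.handles_phi and assess(d))


def findings_by_tip(devices: List[Device]) -> Dict[str, int]:
    """Count how many devices fail each tip, to see which control needs the most attention."""
    counts: Dict[str, int] = {}
    for d in devices:
        for f in assess(d):
            tip = f.split(":", 1)[0]
            counts[tip] = counts.get(tip, 0) + 1
    return counts


# Constructed sample inventory; no real devices, users, or organizations are represented.
SAMPLE_INVENTORY = [
    Device("D1", "a.lee", "clinician", True, 7, True, True, True, "WPA2"),
    Device("D2", "b.ortiz", "billing", True, 45, False, True, True, "WPA2"),
    Device("D3", "c.nguyen", "intern", True, 3, True, False, False, "OPEN"),
    Device("D4", "d.patel", "marketing", False, 10, True, True, True, "WEP"),
]

if __name__ == "__main__":
    for device_id, findings in assess_inventory(SAMPLE_INVENTORY).items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"{device_id}: {status}")
    print("PHI devices out of policy:", phi_devices_out_of_policy(SAMPLE_INVENTORY))
    print("Failures by tip:", findings_by_tip(SAMPLE_INVENTORY))
```

Running the script prints one line per device, the PHI-handling devices that need attention (D2 and D3 in the sample), and a per-tip tally. In practice the `Device` records would come from an MDM export rather than being typed in, and the thresholds and role set would be taken from the organization's written device policy.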

Questions about HIPAA compliance? Talk to a proven healthcare cloud solutions provider today, at 760-290-3460, or look us up at www.hipaavault.com

HIPAA Vault is the leading provider of HIPAA compliant solutions, enabling healthcare providers, business organizations, and government agencies to secure their protected health information from data breaches, threats, and security vulnerabilities. Customers trust HIPAA Vault to mitigate risk, actively monitor and protect their infrastructure, and ensure that systems stay online at all times. In addition to providing secure infrastructure and compliance for health companies, HIPAA Vault provides a full array of HIPAA compliant cloud solutions, including secure email, HIPAA compliant WordPress, secure file sharing, and more.