Mobile Security: A Practice Brief
AHIMA to Pinpoint Best Practices
Healthcare organizations looking for insights on addressing the security issues involved with the rapid shift toward mobile devices soon will have a new resource.
The American Health Information Management Association will release an in-depth practice brief on mobile device security by early April. The peer-reviewed brief, which will be available for free on the AHIMA website, will provide suggested best practices, including prohibiting the storage of protected health information on smart phones, tablets and other mobile devices.
"We need to make sure that everyone is following safe practices when using mobile devices," says Angela Dinh, a manager of professional practice resources at AHIMA, who is coordinating the practice brief project. AHIMA is an association for those working in health information management, including medical records managers.
Meanwhile, the Department of Health and Human Services has launched a concerted effort to identify best security practices for mobile technology and will hold a public roundtable event on the subject this spring (see: Mobile Security Best Practices Sought).
Timely Security Tips
The AHIMA practice brief will provide an overview of regulatory issues and list "core minimum steps" to take before making widespread use of mobile devices, says its author, Terrell Herzig, information security officer at UAB Health in Birmingham, Ala. Herzig wrote a recent blog on mobile device policy and also hosted a webinar on the topic.
Among the best practices advocated in the brief, Herzig says, are:
- Encrypt devices when feasible, even if corporate policy prohibits storage of patient data on the device. "You can train users on what not to store on the device, but some may make a mistake and, for example, transfer a document to the device to take it home, and then lose the device," Herzig notes.
- Require staff members to sign a "rules of behavior" agreement, whether they use a corporate-owned or personally owned device. That agreement should cover such topics as appropriate uses of passwords, guidelines on avoiding discussion of patients via text messages and precautions for using social media, Herzig says. The agreement also should give the organization the right to examine the device at any time to ensure appropriate controls are in place.
- Establish purchasing controls to make sure the organization buys only those devices that meet its security standards.
- Provide training to the entire workforce, including administrative staff, clinicians, contractors, temporary workers and others with access to patient information. "It can't be a one-time training effort; it has to be an ongoing process," Herzig stresses.
Herzig is hopeful that HHS' ongoing best practice initiative will yield specific, detailed guidance. "HHS needs to take an objective look at all security controls and recommend controls that need to be put into place," he says. He says the HIPAA security rule lacks enough detail on how to implement effective controls.