$4.3M HIPAA fine a stark reminder to secure mobile devices
HIPAA compliance is back in the headlines, and in a big way.
Last month, The University of Texas MD Anderson Cancer Center filed an appeal claiming the $4.3 million HIPAA fine imposed on the hospital by HHS was unlawful. The fine was in response to three data breaches involving the theft of an unencrypted laptop and the loss of two unencrypted flash drives.
MD Anderson argues that because it is a state agency and because HHS is a federal agency, that HHS does not have the authority to impose civil monetary penalties against the hospital. MD Anderson is also arguing that HHS exceeded its civil penalty authority beyond the statutory caps and imposed an excessive penalty, according to the report.
While it’s too soon to know whether the fine imposed is lawful, this case is a stark reminder of the importance of keeping protected health information (PHI) secure. It also brings a long-time issue, unencrypted devices, back into the spotlight.
Laptops and thumb drives were commonly used by healthcare professionals as a quick, easy and highly portable way to store and share information. Despite attempts to secure these devices, there has been no shortage of stories involving lost or stolen devices over the years. With smartphones now commonly used in hospitals and health systems throughout the country, the industry is forced to deal with yet another compliance pain point.
Smartphones and tablets have quickly become a lifeline for many in the healthcare industry for their ability to provide instant, anytime and anywhere access to information. A report by Kantar Media cites 84 percent of doctors use smartphones on the job. These devices provide a way to stay connected when outside of a hospital environment or within different hospital settings (for example, pre-op, recovery, intensive care and other departments) where access to a traditional computer is not possible.
iPhones and Android devices are regularly used by surgeons, anesthesiologists and medical reps to check schedules, look up or share lab results and X-rays and to get content critical for a surgical procedure. In the course of accessing and sharing information over text or email, there’s often little thought given to the fact that this information frequently includes PHI. As a result, mobile devices are creating significant security and compliance challenges for healthcare organizations.
Turning a blind eye to smartphone use will not keep PHI safe. Hospitals and health systems must be proactive in addressing mobile devices; otherwise, they put themselves at risk for extensive fines and reputational damage resulting from non-compliance.
Taking what’s been learned from laptop and thumb drives breaches and building upon this knowledge to address the unique security and compliance threats associated with mobile devices is key.
To help healthcare organizations get ahead of compliance risks associated with PHI being shared via mobile device, the following serves as a great starting point.
Education is key. According to the 2018 Cost of Data Breach study conducted by Ponemon Institute, 25 percent of data breaches in the U.S. are caused by human error (as was the case with MD Anderson). Mobile devices are left out in the open where they are easily stolen or forgotten. These same devices are discarded without being properly wiped clean of stored data.
Surgeons, anesthesiologists, medical reps and other healthcare professionals upload and share case information via text or email with little thought to compliance. Simply putting policies and procedures in place to ensure compliance is not enough.
Educating healthcare employees on the impact their actions have on compliance and PHI security is essential to keeping data safe. Annual awareness training followed by light-touch reminders on a periodic basis throughout the year (email notes, short videos, etc.) are key to educating employees and keeping data security top of mind.
Understand technology limitations. Encryption technology is extremely valuable because it makes the data on a device unreadable if it is lost, stolen or hacked. However, in the case of smartphones, encryption technology alone is not enough. When information is shared via text or email, encryption technology typically only works if both the sender and receiver use it.
App vendors are able to address these shortcomings by leveraging the cloud, which enables new solutions to be brought to the market very quickly. For example, cloud-based surgery coordination apps are replacing unsecure communication methods like text and email, which are frequently used to coordinate cases and share images and PHI.
Cloud-based surgery coordination applications provide a HIPAA-compliant workaround to encryption limitations by offering a secure way for physicians and other mobile healthcare professionals to upload, access and share real-time information with everyone involved in a case from their iPhone, Android or tablet without jeopardizing data integrity.
Smartphones and tablets have changed the way people work and live by providing instant, anytime, anywhere access to information. These devices have become a lifeline for surgeons for case-related communication. Schedules change. Case documents are added and updated. Medical devices are substituted. Accessing and communicating changes regardless of location keeps cases on track.
Banning smartphones is not a realistic approach. Rather, understanding their short-comings and putting processes and technology in place to safeguard the data being shared, along with ongoing education, will greatly minimize the chance of non-compliance.