Q&A: Risk analysis and mobile devices

January 19, 2017
Medicare Web

Q. Should we include employees’ personal mobile devices in our risk analysis?

A. If you permit employees to use their personally owned mobile devices for work purposes, even if it’s only to send and receive email, the answer is yes. Personally owned devices used for work purposes represent a significant risk to healthcare organizations. If PHI is stored on an unencrypted mobile device, and it is lost or stolen, that represents a breach of unsecured PHI, which can get very expensive.

It is recommended that you ask the following questions as part of your risk analysis:

  • Is it possible to download or store PHI on personally owned mobile devices?
  • Are personally owned mobile devices encrypted, and can encryption be enforced?
  • Have procedures been implemented and communicated to employees that provide instructions on how to destroy any PHI stored on personally owned mobile devices when they are disposed of or traded in?
  • Has a mobile device management solution been implemented?
  • Can mobile devices be remotely wiped?
  • Has a formal BYOD policy been adopted and distributed to employees?
  • Have employees been required to sign a mobile device use agreement?
  • Have employees been trained on the risks associated with the use of personally owned mobile devices and what they need to do to mitigate those risks?

It is important to also assess the risks associated with portable media. If the use of, say, USB drives is allowed, USB drives should be encrypted and encryption enforced. Employees should be instructed that USB drives and other portable media represent the same high risk as the use of personally owned mobile devices. Breaches involving lost USB drives have been in the news and can harm your organization and your patients.

If you’ve attested to meaningful use stage 2, you are required to assess the risks associated with data at rest or data that is stored, in this case, on mobile devices and portable media. If the risk is high, which it would be in this case, you need to mitigate the risk. That means protecting against the theft of PHI stored on mobile devices and portable media by using encryption.

Editor's note: This question was answered by Chris Apgar, CISSP, for Briefings on HIPAA. Apgar is president of Apgar & Associates, LLC, in Portland, Oregon. He is also a BOH editorial advisory board member. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions. Opinions expressed are those of the author and do not represent HCPro or ACDIS. Email your HIPAA questions to Associate Editor Nicole Votta at nvotta@hcpro.com.