According to the February 22 edition of American Medical News, one-third of health professionals store patient data on laptops, smartphones and USB memory sticks, yet only 39% of health care organizations encrypt data on mobile devices.
Mobile email is yet another security headache for administrators: encrypted attachments cross the firewall, making inspection difficult or impossible. Once the data is on the mobile device, it can easily be compromised through loss or theft. Since mobile email devices are being adopted by almost every healthcare organization, any lost data is likely to be very sensitive, raising major questions of compliance and protection of intellectual property.
The simplest security approach is password protection on the device. This is a reasonable first step, but if the data files themselves are not stored in encrypted form, an attacker with physical access can bypass the password entirely by reading the flash memory directly. Even where encryption is built in, it does not overcome the problems of password management.
When the inevitable happens and a device is lost, central synchronization at least makes the issue of a replacement unit straightforward. A new device can be synced to the last good state of the lost one and sent overnight to the user, with the password provided by an alternative channel, such as a phone call. This brings the user back online with their mailbox, PIM data and preferences intact.
More importantly, users of corporate mobile devices need to be educated on their responsibility for the security of the devices the organization provides and on the organization's policy for using them. Awareness of the risks inherent in using mobile devices is essential and should be part of a consistent security awareness program.
Provisions in the federal stimulus package have tightened HIPAA notification and enforcement regulations and have made HIPAA violations more costly. For example, the maximum civil penalty from the Dept. of Health and Human Services for a data breach occurring after Feb. 18, 2009, rose from $25,000 to $1.5 million.