The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law requiring the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge.
For HIPAA compliance, organizations should do a few things to maintain compliance on all mobile endpoints:
1. Ensure devices and data are properly secured and encrypted. IT teams should always enforce mandatory encryption on corporate-owned endpoints and on Bring Your Own Device (BYOD) endpoints that handle corporate data, covering:
a. Data transmission and storage. Is the data encrypted both at rest and in transit?
b. Regular monitoring of systems for potential security issues, missing operating system patches and other updates, using the scanning tools available to your organization or to the mobile carrier contracted to provide mobile service to your organization.
c. Enhanced security and networking policies and tools that prevent data loss and ensure the phone or mobile device is kept up to date, so that known vulnerabilities cannot be used in malicious attacks.
2. Implement strong authentication controls. Organizations must always have strong authentication measures in place so that unauthorized users cannot access confidential data. This includes the most up-to-date Identity and Access Management (IAM) authentication protocols. It also requires single sign-on and two-factor authentication. An organization's password policies must be formally approved, a step that is often overlooked. Typically, the chief information security officer reviews and updates these policies annually, and the location of those policies is communicated to all employees.
There are many instances where an organization has neglected, or will continue to neglect, a full annual review of its security policies. When audited, the organization is left scrambling to update the required policies. This is a consequence of its own lack of due diligence.
3. Establish clear device usage policies. It is the organization's responsibility to ensure that users have the resources and knowledge to remain HIPAA compliant. Those policies should include specifics such as who can access these devices, how often users must update them, and which apps users can install on the organization's work phones. Most often, organizations neglect the responsibility of properly training their staff on which apps can be downloaded to their mobile devices, and on what actions will be taken against an employee who knowingly loads unauthorized apps in violation of company policy.
4. Conduct regular security audits. Administrators tasked with oversight of this responsibility should enforce the policies and regularly audit all mobile devices used by current staff members, covering any business or personal activity performed on those company-owned devices. It is the employees' responsibility to ensure that their use of mobile devices is in accordance with the acceptable use policy approved by upper management within the company.
5. Carefully manage applications. The IT department within every business must ensure that application data containing company proprietary information is digitally sandboxed to control how that data can be accessed, viewed, shared, or stored. Many tools allow this to be done, but it must be monitored on a regular basis. Admins can also configure data loss prevention policies to control and manage how apps interact with other apps and with data within the operating system. Many apps already provide additional application-level controls for enhanced data security. However, it is still the employees' responsibility to be aware of the organization's policies about what is and is not allowed. Any questions about what can be downloaded must be taken up with the appropriate personnel.