If you need justification to add encryption to your IT budget; here is a good one…$3 Million Fine on Mobile Device Loss.

The University of Rochester Medical Center (URMC) is once again in the news with an investigation by the Office for Civil Rights (OCR). This time the medical center is being fined for HIPAA violations related to mobile device security, specifically related to unencrypted mobile devices. This investigation followed similar investigations from 2010, 2013, and 2017.

The OCR release stated that the nature surrounding the fine was due to lack of corrective action on URMC’s part from past investigations where the use of unencrypted devices was used.

URMC’s investigations started with issues surrounding the loss of an unencrypted flash drive and the theft of an unencrypted laptop. The OCR investigation found numerous HIPAA violations, including the availability of ePHI. The failure to perform a risk analysis after the violations led to further investigations uncovering more risks.

Mobile device risks include:

  • Data leakage
  • Social Engineering
  • Wi-Fi
  • Out of Date Devices
  • Cryptojacking
  • Passwords
  • Lost/Stolen

Many organizations utilize business style laptops that are purchased with hardware encryption. With the prolific use of mobile phones, the accidental movement of ePHI into that media is a huge risk. Years ago, the use of laptops was a big concern, now the trend is with the use of mobile devices. Since most devices are primarily personal property, there should be strict policies on mobile phone use in the workplace.

Healthcare organizations are starting to make significant investments in smartphones and secure unified communications, but there is still much to do to protect patient data.

Mobile devices provide access to resources that can increase worker efficiency and productivity, yet sensitive data is vulnerable. Mobile strategies between physician and patient is developing quickly, which is yet another reason to institute policies and procedures for mobile devices in the workplace. To reduce mobile device risk, here are some tips to follow to manage mobile devices.

Mobile Device Tips:

  • Train all staff with steps to encrypt mobile phones for their protection and yours.
  • Utilize multi-factor when a mobile phone is allowed access to ePHI.
  • Conduct regular training for staff on risks of ePHI on mobile phones.
  • Use anti-malware if applicable.
  • Perform regular mobile security risk assessments.

Mobile devices are a workplace necessity and managing security and minimizing risk is attainable.