2. Protect Mobile Devices
Mobile devices — laptop computers, handhelds, smartphones, portable storage media — have opened a world of opportunities to untether Electronic Health Records (EHRs) from the desktop. But these opportunities also present threats to information privacy and security. Some of these threats overlap those of the desktop world, but others are unique to mobile devices.
• Because of their mobility, these devices are easy to lose and vulnerable to theft.
• Mobile devices are more likely than stationary ones to be exposed to electromagnetic interference, especially from other medical devices. This interference can corrupt the information stored on a mobile device.
• Because mobile devices may be used in places where the device can be seen by others, extra care must be taken by the user to prevent unauthorized viewing of the electronic health information displayed on a laptop or handheld device.
• Not all mobile devices are equipped with strong authentication and access controls. Extra steps may be necessary to secure mobile devices from unauthorized use. Laptops should have password protection similar to the examples in Tip 8. Many handheld devices can be configured with password protection, and these protections should be enabled when available. If password protection is not provided, additional steps must be taken to protect electronic health information on the handheld, including extra precaution over the physical control of the device.
• Laptop computers and handheld devices are often used to transmit and receive data wirelessly. These wireless communications must be protected from eavesdropping and interception (Tip 9 describes wireless network protection). Cybersecurity experts recommend not transmitting electronic health information across public networks without encryption.
Transporting data with mobile devices is inherently risky. There must be an overriding justification for this practice that rises above mere convenience. The U.S. Department of Health and Human Services (HHS) has developed guidance on the risks and possible mitigation strategies for remote use of and access to electronic health information. 1
Where it is absolutely necessary to commit electronic health information to a mobile device, cybersecurity experts recommend that the data be encrypted. Mobile devices that cannot support encryption should not be used. Encrypted devices are readily obtainable at a modest cost — much less than the cost of mitigating a data breach.
If it is absolutely necessary to take a laptop containing electronic health information out of a secure area, you should protect the information on the laptop's hard drive through encryption.
Mobile Device Checklist
Policies are in place prescribing use of mobile devices.
All staff members understand and agree to abide by mobile device policy and procedures.
Mobile devices are configured to prevent unauthorized use.
Protected Health Information (PHI) on mobile devices is encrypted.
Connections between authorized mobile devices and Electronic Health Records (EHRs) are encrypted.