5 questions you should ask about your mobile devices
Securing data in an EMS environment is critical to avoiding breaches of patient information and triggering mandatory reporting
Portable devices pose unique challenges for EMS providers because in a fast-paced, mobile environment there are a lot more chances for tablets, laptops and other devices to get lost or stolen.
Thankfully, there are simple ways to reduce the chance that your patient's information will fall into the wrong hands. Here are five questions you should ask about your mobile devices.
1. Do we minimize local storage of patient data on mobile devices?
The less data you store locally, the lower your risk.
Many ePCR solutions upload patient data onto a server when the provider clicks "submit" and many devices do not retain readable copies of that data after the data is transmitted to the server. You should ask when your patient care reports get uploaded and if your ePCR devices retain any readable copies of patient data after data is transmitted. The hardware used for ePCR writing and storage should be purged of patient data frequently to reduce the potential for larger breaches involving a lot of patients.
In addition, if your employees use company-provided laptops, you should have a strict policy against storing patient information locally — on the devices built-in hard drive, unless doing so is absolutely necessary. If users never save anything to the laptop, and instead only access data through a secure VPN channel, there should be no patient data to discover in the event a laptop is lost or stolen.
2. Are our devices encrypted?
If you encrypt data on a mobile device, you likely do not have any breach reporting obligations under federal or state law if you lose the device.
Encryption is a "safe harbor" under HIPAA’s breach reporting requirement. This means that if a device with encrypted protected health information is lost or stolen, you do not need to notify patients and the Department of Health and Human Services, provided the encryption key — a password — has not been lost.
Additionally, many state laws say that there is no reportable breach if the information was encrypted when the device was lost. In fact, some states are going as far as requiring certain entities to encrypt any personally identifiably information they hold in electronic form.
Encryption methods vary with devices and ePCR solutions. Have a conversation with your IT provider and ePCR vendor. Ask whether data is encrypted on your mobile devices. For more information about encryption methods that the government endorses, refer to the Office for Civil Right’s Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals.
3. Can our devices be wiped remotely?
Remote wiping allows you to erase and permanently delete data stored on a lost mobile device through an internet-based application. Ask your IT providers and ePCR vendors if you have this functionality on your mobile devices. The faster you are able to erase data from a lost device, the less likely it is that patient information will fall into the wrong hands.
4. Can we track our mobile devices?
Many mobile devices can now be tracked through GPS or other means. If your devices have tracking software installed and enabled, you may be able to pinpoint where the device is, or at least where it has been.
If you recover the lost device, you can run a forensic analysis on it to see if anyone has accessed the device. If no one has accessed the device, you likely have no breach reporting obligations.
5. Do we have strong access protections for our devices?
All mobile devices should have protections, such as:
- Robust login credentials. Strong passwords are usually at least six characters in length, and include a combination of upper and lower case letters, at least one number and at least one keyboard character, such as a punctuation mark.
- Unique credentials. Usernames and passwords should be unique to each user. Some agencies are still using universal usernames and/or passwords that are shared among providers, which is a very risky practice.
- Automatic logoffs. Mobile devices should be set to automatically lock after a set period of inactivity. That way, if the device is lost or stolen, someone would need to know the user’s password, PIN, or passcode to gain access. The federal government does not prescribe a certain time period for logoffs, but, a few minutes is typically the standard.
- Limited number of unsuccessful login attempts. Devices should lock after a certain number of unsuccessful login attempts and they should have to be unlocked by an administrator. Again, there is not set number of attempts prescribed by the federal government, but, three attempts is fairly standard for ePCR software.
- Additional authentication methods. You should also consider things such as voice recognition, pattern gesture recognition or biometrics, such as fingerprint recognition. Combining a password or PIN with one of these other authentication methods can further secure your mobile devices because these methods are unique to the person.
This article, originally published on April 14, 2016, has been updated