-
Leon Rodriguez, JD: Hello, I'm Leon Rodriguez, Director of the Office for Civil Rights at the United States Department of Health and Human Services.
I would like to welcome you to this program titled "Your Mobile Device and Health Information Privacy and Security." With
me today is Dr Farzad Mostashari, National Coordinator for Health Information Technology. Welcome, Farzad.
Farzad Mostashari, MD, ScM: Nice to be here, Leon.
-

Slide 1.

-
Mr Rodriguez: Farzad, I want to share with our audience the goals of this program. They are to review their obligations under the HIPAA
Security Rule to safeguard their patients' electronic protected health information (ePHI), to highlight tips for ensuring
that ePHI is secure on mobile devices and finally, to identify resources where they can find more information on compliance
with the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules.
Farzad, I thought it might be interesting in your role as National Coordinator for Health Information Technology to talk about
the growing importance of mobile devices in today's medical practice.
Dr Mostashari: Absolutely, Leon. These devices are great. Our patients use them, we use them in our own lives, and we are now beginning to
use them more and more as part of delivering health care. They're always with us, they are connected to the Internet, and
they are a platform on which all sorts of applications and services could be loaded. That is what makes them so powerful.
Each of those items -- the fact that we take them around with us, the fact that they are connected to the Internet, and the
fact that they can put all different sorts of applications on top of this platform -- also introduces risks.
-

Slide 2.

-
Mr Rodriguez: What we're going to talk about today is the idea of patient trust. Maybe you can talk a little bit also about how patient
trust fits into the equation of being able to use these mobile devices.
Dr Mostashari: Absolutely. Patients expect that their healthcare providers are going to keep their information private and secure. We also
know that those covered entities and their business associates are required to be in compliance with the HIPAA Security Rule.
Mobile device security is your obligation; know the risks, take the steps, secure and protect your patients' health information.
Mr Rodriguez: We are going to show a short video that is going to illustrate the kinds of ways in which ePHI can be placed at risk.
-

Slide 3.

Data at Risk
Doctor on phone in car: "No, go ahead and just get a table. I'll be right there. I just need to check to see if my patient's
lab results have come in."
[The doctor leaves her laptop in the trunk of her car. The scene changes to the arrival of a police car following the theft
of her computer.]
Police officer: "Sorry, doctor. We'll do everything in our power to recover your property. Understand we will be starting
a criminal investigation."
Doctor: "I understand. What's our next step?"
Police officer: "I'm going to need as much information as possible about your laptop -- make, model, serial number, what kinds
of records were on it."
Doctor: "All my patients' information was on it."
Police officer: "OK. You need to notify your security personnel at your medical group or hospital. Patient health information
may be at risk now."
Doctor: "I don't understand how this could happen. It was only a few minutes for lunch."
Dr Mostashari: Leon, what happens next?
Mr Rodriguez: Well, from our perspective, there are a bunch of steps that this provider will now need to take. The first is they are going
to need to engage in what we call "breach notification."
That means they need to submit a notification to our office and to the affected patients that their health information is
now at risk. The only way they can avoid that is if the information is what we call unreadable, unusable, or undecipherable.
Dr Mostashari: If that were an encrypted laptop, would they have to do the breach notification reports?
Mr Rodriguez: Then the matter would be done and they would not have to report to us.
Dr Mostashari: What if it is over a certain number of records that are breached?
Mr Rodriguez: Then the standards are different. If it is over 500, they not only need to report to us and to the patients, but also to the
local media, and we conduct an investigation as we would with any complaint that our office receives. If it is a smaller breach,
then we simply collect that information. Some of those result in an investigation but not all of them.
Dr Mostashari: I can tell you as a doctor, that is not something I would look forward to doing -- alerting the media and my patients -- but
as we learned in medical school, sometimes an ounce of prevention is worth a pound of cure.
Mr Rodriguez: Well, these mobile devices are a particular area where that lesson applies. Along the lines of your point about an ounce of prevention being worth a pound of cure, let's talk about that risk analysis process for mobile devices and let's start by the first step, which is evaluating the risk itself. Why don't you talk about that a little bit?
-
Dr Mostashari: When reviewing your HIPAA compliance related to mobile devices, organizations in healthcare should consider the following
questions:
- Who owns the devices?
- Are personal devices that are used at work registered?
- Are you using a virtual private network (VPN) to exchange information so the information does not actually reside on the device?
(Once the connection is broken, there is no information stored.)
- Do you back up personal health information from the mobile devices onto the servers?
- Can you remotely wipe off the devices if they are lost or compromised?
- Have your policies and procedures been updated to address mobile devices?
- Finally, is your workforce properly trained?
Mr Rodriguez: I would like to expand on a couple of the points that you highlighted. When we are talking about who owns the devices, there
is obviously a different level of control if the device is owned by an individual employee or a physician or if it is actually
a device owned by your enterprise, so you can control the nature and content of that device. Wiping off devices is not a concept
that I think everybody knows. Many devices these days have an ability to actually erase anything that is on that device from
a remote location. That provides a critical added level of security if that device is lost or stolen.
-

Slide 4.

-
There are some best practices if a device is lost or stolen, which you can engage to minimize those sorts of risks. One, of
course, is password protection or some other key in order to disable access by a third party that does not have the authority
to use that device. You can also have a device deactivated after a period of time -- the kind of thing that happens when your
screen saver comes on your computer. Providers are counseled to avoid storing data actually on the device.
Dr Mostashari: That's the safest thing.
Mr Rodriguez: These days with cloud computing with servers, there are ways to remotely store data so if the device becomes compromised,
it does not actually reach the data.
Depending on who you are, your level of resources, and what kind of organization you are in, another option is to encrypt
the device. When we talk about encryption, it basically means scrambling the data on the device and then having some sort
of electronic key that will let the right person unlock the device. That may not always be the right solution for every enterprise
but it is certainly something we encourage.
We talked about wiping technology before -- that is an important best practice and relatively easy to use. We also encourage
enterprises to either disable file sharing or to not use it at all and finally to install or enable firewalls that prevent
other sorts of invasions into critical information. I think you have some additional best practices that you might like to
talk about.
-

Slide 5.

-
Dr Mostashari: That's right. It is always important to install and enable security software and keep that security software up to date. It
is important not to just download apps without doing a little research on the security of those applications. Maintaining
physical control of the devices is very important and it can be tempting to click on the free Wi-Fi, but be aware that when
you are logging into public Wi-Fi, it is a vulnerability -- it is potentially pretty simple to eavesdrop electronically on
the information spilling back and forth on your device. Finally, if you are going to reuse or discard a device, make sure
you delete all stored data, in particular, any personal health information if any is stored before discarding or gifting the
device.
Mr Rodriguez: I might like to underscore that last point. It is something that we see a lot of in the Office for Civil Rights, in which
you return either a leased device or a piece of equipment or you stop using it but you fail to get rid of the information
on there. A lot of times that puts that information right out in the public domain. Recently, we resolved a case in which
a physician's practice returned a digital photocopier that was then leased to a major network and the network discovered all
kinds of easily accessed protected health information on that device. That shows how important that point you just made is.
-

Slide 6.

-
There is a common sense, 5-step process for developing a policy to protect mobile devices. The first, of course, is deciding
what you want to do about how you use mobile devices. Why don't you elaborate on that a bit?
Dr Mostashari: That's right. First of all, plan ahead. Decide to what extent and how mobile devices are going to be used to access, receive,
transmit, or store patient health information, and how they are going to be used as part of your organization's internal networks
and other systems, like your electronic health record systems. It is really important to understand and to mitigate the risks
to your organization before you allow the use of mobile devices.
Mr Rodriguez: The critical thing here is we are not discouraging people from using the devices but we are asking to be mindful about the
manner and extent to which they are going to use those devices.
Dr Mostashari: That's right: Be thoughtful.
-

Slide 7.

-
Mr Rodriguez: The second step -- once you have decided where and how and in what manner you are going to use those devices -- is to make
an assessment of the risks that those devices may present. You want to think both in terms of the risk that resides on the
devices and how that risk fits in the overall picture of the health information that your organization holds. That requires
you to conduct a risk analysis. When we talk about risk analysis we are really talking about looking at what information
is stored, how that information may be vulnerable, what threats there may be to that vulnerable information, and the probability
of those threats coming to pass.
How you conduct that risk analysis is going to depend on who you are and what kind of practice you have. If you are a solo
provider, you might conduct that risk analysis on your own. If you work in a larger organization, maybe a multiphysician practice
or even in a hospital, then your organization or an office manager might be the one who is going to conduct the risk analysis.
The next critical step is to identify the strategy.
-

Slide 8.

-
Dr Mostashari: Once you have assessed what the risks are, then you have to identify what your risk management strategy is going to be, including
privacy and security safeguards. One thing to make sure everyone understands is that whatever your strategy is, it needs
to provide for evaluation of that strategy and ongoing maintenance of the mobile device safeguards you have in place.
Mr Rodriguez: The key at this stage is to know what you have. Where is the electronic health information stored? It is not always in obvious
places. We think about our computer systems, we think about those tablets we might be using, but it also might be on a piece
of medical equipment. It might, in fact, be on a device that you might carry out portably. It might also be on mobile devices
that a patient may, for a variety of reasons, end up carrying. You need to be aware of all those possible locations for health
information and do a proper risk analysis to make sure you maximize the level of protection.
Dr Mostashari: One thing, Leon, that I would highly recommend to providers is to never let someone stick a USB drive into your servers or
your computers. That is a classic way they end up getting infected. In addition to the kind of mobile devices we are talking
about, all those thumb drives and USB drives carry real risks.
Mr Rodriguez: That 20-second lapse of letting somebody invade -- that could significantly compromise your patients' information.
-

Slide 9.

-
You've done the assessment, you've thought about what kind of steps you want to take, now it's time to actually develop, document,
and implement. Before I get into the details, I want to talk about that middle word, "document." As you know, we in the Office
for Civil Rights are an enforcement organization. We conduct investigations and the first thing we look at is documentation.
What does the paperwork say about what an organization did to protect its patient information? I am often fond of saying that
it is a lot like fifth-grade math. ...
Dr Mostashari: Show your work, right?
Mr Rodriguez: The most important thing, that is absolutely right, is to show your work. First, you need to have a documenting mobile device
management policy. You need to talk about how you are going to inventory those devices, what's on those devices, and what
those devices are. That also means being aware, not only of the devices that you own, but the devices that your employees
own, and on which device your information may either reside or pass through.
You need to decide whether you are even going to allow your employees to utilize their own devices as part of your practice.
You need to think about what restrictions you may want to impose on mobile use and what security configurations and technical
controls you may want to place. We do not prescribe those as a matter of the HIPAA Security and Privacy Rules; these are industry
standards. The National Institute of Standards and Technology has some clearly articulated standards but because we recognize
that we are speaking to a lot of different kinds of environments, we do not prescribe specific security and technical controls.
Thinking about information storage, you want to avoid having patient information on those mobile devices all together. You
want them in a server or in a cloud location or something like that. You need to think about how you are going to recover
a device that might have been compromised, stolen, or lost.
Dr Mostashari: You need to deactivate it.
Mr Rodriguez: Yes, how are you are going to deactivate that device? Finally -- this is not always the most comfortable thing -- you need
to think about workforce sanctions. You are a physician and you understand that it's not just about you living by these rules but it is about your staff in your office understanding that they are going to be held accountable
for the consequences and rules. That goes to the next concept of training. I think you have some tips to share with us as
to how you would accomplish that.
-

Slide 10.

-
Dr Mostashari: What we find in implementation of any sort of change within the practice and software and security is that there needs to
be ongoing awareness and training. When it comes to privacy and security, there needs to be ongoing training around the risks
when using mobile devices so people understand the vulnerability and the threats. You need to understand and train folks on
how to physically secure the mobile devices so the chances of them being lost or stolen are reduced. We see this a lot where
they're not locked up, not kept secure.
Then, how about the information on the device? If any personal health information is on the device, it really should be protected
and secured, encrypted, for example. In general, staff members need to know how to avoid common mistakes when using mobile
devices like downloading apps or going to websites that are more likely to be infected.
Mr Rodriguez: I appreciate you alluding to the idea of these are common-sense steps. There's nothing exotic, nothing hyper-technical. We're
really talking about common steps that you would take in your ordinary day-to-day life to protect anything that you want to
protect.
-

Slide 11.

-
Let's summarize a bit. A point that I would like to make is that the HIPAA Privacy and Security Rules are meant to be more
than binders on a shelf. They're meant to be a living, breathing process.
Dr Mostashari: It is also part of "meaningful use." I know a lot of providers are engaging and moving toward the meaningful use requirements
and it does require that you pay particular attention to documenting your security assessment in light of the changes that
are taking place, keeping that up to date, and reviewing and mitigating any risks that would be found.
Mr Rodriguez: This all takes diligence. It is not meant to overwhelm your practice but there is a little work involved. It is critical
because it is all about your patients' trust, as you have said.
We have a lot of information that our offices have made available to providers. That can be found at Mobile Health Security: Mobile Health Device Privacy and Security, a wonderful tool that I recommend providers visit. Our own website, the HHS Office for Civil Rights, contains additional detailed tools and guidance.
Farzad, it was a real treat working with you today and discussing this topic.
Dr Mostashari: Thanks for the partnership.
-

Slide 12.

This transcript has been edited for style and clarity.