What Does the HIPAA Security Rule Say About Mobile Computing?

HIPAA 42 CFR Part 2 featured

With modern computing increasingly moving into a mobile paradigm of remote workers, laptops, and smart devices, the threat to security in various industries is only increasing. This is no more true than in healthcare, where HIPAA breaches related to mobile devices are becoming more common. 

This article will discuss the HIPAA security rule, how it governs mobile devices in regulated settings, and how to minimize your attack surface and liability. 


What Is the HIPAA Security Rule?

The HIPAA Security Rule is a security framework established in 1996 to protect the confidentiality, integrity, and availability of electronic protected health information (ePHI). The rule applies to covered entities and business associates to protect their data from unauthorized disclosure to parties outside of a healthcare relationship.

The Security Rule establishes a framework of administrative, physical, and technical safeguards that organizations must implement to ensure the security of ePHI:

  • Administrative Safeguards: Administrative safeguards include risk management, workforce training, information access management for ePHI, or security and incident response planning. 
  • Physical Safeguards: Physical measures include facility access control, device access control, and workstation security.
  • Technical Safeguards: These measures include identity and access management, encryption, and technical auditing capabilities. 


What Does the Security Rule Say About Securing Mobile Devices?

HIPAA 42 CFR Part 2

The HIPAA Security Rule doesn’t explicitly mention mobile computing devices, but the above-listed rules will apply nonetheless. Additionally, because these devices come with unique vulnerabilities, different aspects of the Security Rule will apply differently. 

Some of the relevant security measures that play a role in securing mobile devices under HIPAA include:

  • Workstation Controls: Devices should be secured against unauthorized access. This can include disallowing unauthorized users to see or access these devices (or information contained therein) while they are in use. Also, maintain correct and up-to-date inventories of devices and their status.
  • Device Controls: Implement procedures for the disposal, reuse, and movement of electronic media containing ePHI, such as laptops and mobile devices, and establish tracking and inventory processes.
  • Lost or Stolen Devices: Implement procedures to identify and retrieve lost or stolen devices containing ePHI to minimize the potential information breach.
  • Identity and Access Management: Implement unique user identification, password management, session timeouts, and multi-factor authentication (typically with biometrics) to ensure that only authorized individuals access devices.
  • Information Access Management: Restrict access to ePHI through devices and apps secondarily to device authorization, never assuming that the device user is authorized to access that information by default.
  • Workforce Training and Management: Train employees on security policies and procedures related to laptop and mobile device usage.


    How Big a Problem Can Unsecured Devices Be?

    There have been instances where covered entities were fined for HIPAA non-compliance due to the failure to secure a laptop or mobile device. In fact, there is a growing concern that with the move towards mobile computing, these problems will only grow without proper attention from covered entities. 

    Some examples of these breaches include:

    • The Alaska Department of Health and Social Services agreed to pay $1.7 million to settle potential HIPAA violations. The incident involved a stolen USB hard drive containing ePHI from a DHSS employee’s vehicle. The OCR investigation found that DHSS needed to adequately implement risk analysis, risk management, and device and media controls.
    • The Hospice of North Idaho agreed to pay $50,000 to resolve potential HIPAA violations after an unencrypted laptop containing the ePHI of 441 patients was stolen. The OCR investigation revealed that the hospice had not conducted a risk analysis to safeguard ePHI and had not adopted appropriate policies and procedures to address mobile device security.
    • Concentra Health Services agreed to pay $1.725 million to settle potential HIPAA violations after an unencrypted laptop containing the ePHI of 870 individuals was stolen from one of its facilities. OCR’s investigation found that Concentra had failed to sufficiently remediate and manage risks to ePHI on its workstations and laptops, particularly concerning encryption.
    • The Feinstein Institute for Medical Research agreed to pay $3.9 million to settle potential HIPAA violations. The case involved the theft of a laptop containing the ePHI of approximately 13,000 patients from an employee’s car. OCR’s investigation found that Feinstein had not adequately conducted risk analyses or implemented appropriate security measures to protect PHI on portable devices.


          What Can I Do to Secure Mobile Workstations for HIPAA Compliance?

          Covered entities can take several steps to secure mobile workstations and remain HIPAA compliant. These measures should address the administrative, physical, and technical safeguards outlined in the HIPAA Security Rule. Some steps include:

          • Use Strong Authentication: No devices should be left open to users without strong authentication, typically using MFA and biometric systems (facial or fingerprint scans being the most common for most devices).
          • Implement Mobile Device Management: MDM solutions can help enforce security policies, manage device settings, track inventory, and remotely wipe or lock lost or stolen devices through a centralized interface.
          • Always Update: Ensure all devices have the latest updates and security patches.
          • Train Employees: Provide ongoing training on adequately handling devices, including storage and maintenance, while in use.
          • Monitor Devices: Regularly review logs and audit trails to identify potential security incidents or violations of organizational policies. Investigate any suspicious activity promptly and take appropriate action.

          By implementing these steps, covered entities can strengthen the security of their mobile workstations and better protect ePHI, ultimately helping them remain compliant with HIPAA regulations.


          Stay On Top of HIPAA Security with Continuum GRC

          Continuum GRC is a cloud platform that can take something as routine and necessary as regular vulnerability scanning and reporting under FedRAMP and make it an easy and timely part of business in the public sector. We provide risk management and compliance support for every major regulation and compliance framework on the market, including:

          • FedRAMP
          • StateRAMP
          • NIST 800-53
          • FARS NIST 800-171
          • CMMC
          • SOC 1, SOC 2
          • HIPAA
          • PCI DSS 4.0
          • IRS 1075
          • COSO SOX
          • ISO 27000 Series
          • ISO 9000 Series

          And more. We are the only FedRAMP and StateRAMP Authorized compliance and risk management solution worldwide.

          Continuum GRC is a proactive cyber security® and the only FedRAMP and StateRAMP Authorized cybersecurity audit platform worldwide. Call 1-888-896-6207 to discuss your organization’s cybersecurity needs and find out how we can help your organization protect its systems and ensure compliance.

          Download our company brochure.

          Continuum GRC