Don’t Let Your Laptop Give up Your Patients’ PHI

As more physicians, nurses and other healthcare workers rely on their smartphones, laptops and tablets to perform their duties and access instant information, the risk of becoming a target for cyber thieves increases.

But understanding best practices for securing your company’s mobile devices and employing them should allow you to stay HIPAA compliant while keeping your patients’ personal information secure.

Many healthcare organizations are unsure about the regulations they’re required to follow. According to a Ponemon Institute report, 67 percent of respondents say their organization must comply with US state privacy and data breach laws, yet only 18 percent believe these laws specify the protection of regulated data on mobile devices. Such perceptions result in organizations not being in compliance and facing potential regulatory fines and legal action.

This report also found that many organizations mistakenly believe that mobile devices will automatically protect Personal Health Information (PHI) because of their advanced technology.

Not true, say Sword & Shield experts.

“Mobile devices, including laptops and smart phones, certainly make the healthcare professional’s job easier,” said Sword & Shield Director of Enterprise Solutions and Healthcare Compliance Fred Cobb. “But one look at the HHS Breach Portal (Wall of Shame) shows that an inordinate number of breaches that have affected thousands of healthcare consumers come as the result of theft or loss of mobile devices.

“These devices being lost, stolen, or otherwise compromised, if adequately secured or protected by encryption, would not have resulted in a reportable breach,” Cobb said. “But due to companies not following sound security practices such as endpoint encryption or other security best practices, these devices can easily fall into the wrong hands of criminals or would-be cyber thieves that can capitalize on the financial value of the Personally Identifiable Information (PII) contained in an individual’s health care record.”

If you’re only using encryption because it’s considered a safe harbor under the HIPAA Security Rule, then you probably haven’t considered the other dangers inherent in using a mobile device.

Loss and theft top the list, but other risks can lead to a breach of PHI, including a lack of authentication, unsecured Wi-Fi networks, mobile malware, accidentally disclosing data by sharing your device and using outdated software.

And, on most mobile devices, only certain apps encrypt their data, leaving information sent via email or text message, for example, unprotected.

Security Policies

In addition to following HIPAA guidelines and ensuring your devices are encrypted and passcode-protected, the best protection is knowledge and training.

Do you know your organization’s security policies? Does your organization have security policies?

The Ponemon study cited above found that more than 75 percent of employees circumvent or disable security features on their mobile devices – usually in an attempt to make their jobs easier.

Our Enterprise Security Solutions team of security and compliance experts helps health care covered entities and business associates achieve and maintain a secure and compliant environment.

“We work with health care companies and health care providers on a daily basis to: develop meaningful policies and procedures; develop and, upon request, deliver HIPAA Security and Privacy training; architect and integrate security technologies such as Data Leak Protection (DLP), logging and monitoring solutions and much more,” Cobb said.
