Securing Smartphones

Personal devices, especially smartphones, are often neglected when considering the ways that electronic protected health information (EPHI) is received, stored, and transmitted in healthcare settings. While most workforce members may be prohibited from using their personal devices or smartphones to receive, transmit or store EPHI, providers often cannot avoid it. Any text, email or voice message containing EPHI will necessitate appropriate security measures on the device in order to avoid a privacy breach in the event that the device lost or stolen.

This article will outline the security measures recommended by the Office of the National Coordinator for Health Information Technology, as well as some guidance from other information technology (IT) providers. Not all smartphones or mobile devices will feature the security controls mentioned, however it is important to obtain or enable those that are available.

Delete all stored EPHI on a regular basis

It is often unnecessary to store EPHI on a mobile device once it has been used and/or documented elsewhere, like in a patient’s record. Regular removal of data minimizes risk.

Use a password or other authentication

Authentication is the process of verifying the identity of a user by requiring a password, personal identification number (PIN), or passcode to gain access to it. Enable the phone to activate a screen lock after a period of inactivity to prevent unauthorized access.

Install and enable encryption

Encryption is the conversion of data into a form that cannot be read without the decryption key or password. It is important to encrypt data that is stored on a smartphone as well as data that is sent from it, such as through text message or email. Some devices have built-in encryption capabilities, but it may be necessary to buy and install an encryption application (app) or use a secure messaging service. Ensure that mobile apps are from a trusted source prior to downloading them to your device.

Activate remote wiping and/or remote disabling

Remote wiping is a security feature that enables the user to remotely erase data on a device or smartphone if it is lost or stolen. Note that using a cloud-based system to back up data on your mobile device will ensure that it is available to you even if the device has to be erased. Remote disabling enables you to lock a device remotely if it is lost or stolen, and to unlock it if the device is recovered.

Keep your security software up to date

Enable automatic updates whenever possible to ensure that your smartphone or device has the latest tools to prevent unauthorized access to EPHI. Ensure that both application updates and operating system (OS) updates are installed promptly.

Enable (or install) a firewall

A personal firewall on a mobile device can protect against unauthorized connections. Firewalls intercept incoming and outgoing connection attempts and block or permit them based on a set of rules defined by the user. Ensure that the firewall is enabled on your device or install a firewall app.

Avoid using public Wi-Fi networks or hot spots

Information could be intercepted between your device and the Wi-Fi system connection. Ensure that data is encrypted or otherwise secured if using a public Wi-Fi connection.