HHS Creates Mobile Device Privacy and Security Website: High Expectations for Mobile Device Security
The U.S. Department of Health and Human Services recently posted a website focusing on mobile devices and health information privacy and security at http://www.healthit.gov/mobiledevices. The website includes five videos on mobile device security, tip sheets and frequently asked questions and answers on mobile device security, a five-step process for addressing mobile devices within a healthcare organization, and downloadable posters promoting mobile security.
The five-step process that HHS identifies includes:
1. Deciding appropriate use for mobile devices within the organization;
2. Assessing the risks associated with mobile devices;
3. Identifying a mobile device risk management strategy;
4. Developing, documenting, and implementing mobile device policies; and
5. Training the workforce on the policies.
The videos cover basics of mobile device security, focusing on issues such as including mobile devices in the risk assessment, preparing for and responding to the theft of a mobile device, and appropriate safeguards when using a mobile device to handle health information on a public Wi-Fi network.
A few takeaways from the website:
• Mobile device security is a significant priority for HHS, as evidenced by the resources put into this website and recent enforcement actions (e.g., the recent settlement with Massachusetts Eye and Ear Infirmary)
• HHS expects health care entities to explicitly address mobile device security in their risk assessment, include it in their risk management plans, implement detailed policies, and conduct training specific to mobile devices
• The website includes resources, such as the videos and downloadable posters, that organizations can consider using as part of their security training and awareness.
Based on this website and recent enforcement actions, it appears more likely that if a HIPAA-covered entity experiences a breach involving a mobile device and did not have a risk assessment, policies, and training related to mobile devices, then HHS will consider taking formal enforcement action.