Mobile Device Security Best Practices to Adopt
Using mobile devices for work, or running a formal "Bring Your Own Device" (BYOD) scheme, brings a real risk of data theft and loss; however, there are a number of mobile device security best practices that, if adopted, will reduce the risk of suffering a data breach or security incident.
It is understandable that many health IT professionals and CISOs delay implementing a BYOD scheme, or avoid it altogether. Regulatory bodies are keeping a close watch on healthcare providers and other HIPAA-covered entities, and fines are being issued for violations of federal and state rules.
No Alternative but to Implement a BYOD Scheme
Healthcare privacy and security rules are already restrictive, and later this year they will become stricter still. On top of this, physicians and other healthcare professionals are calling for BYOD schemes so that they can use their own smartphones, tablets and laptops at work rather than being forced to rely on slow and outdated hospital communication systems.
Healthcare insurers and providers will soon face strong pressure to introduce a BYOD scheme regardless of the risks. Portable device use is growing, and the benefits of bringing modern mobile technology into a healthcare setting are numerous. It therefore makes sense to adopt a BYOD scheme early, and to adopt it with the right controls in place, so that the benefits are obtained without the breaches.
Embracing new technology is essential if healthcare providers are to move from paper-based medical records to a modern, efficient and fast EHR. With this in mind, we have listed some mobile device security best practices to adopt to keep mobile devices secure and minimize the risk of a user violating HIPAA regulations.
Mobile Device Security Best Practices
If you want to get the maximum benefit from your BYOD scheme while ensuring that all stored and transmitted data is secured, incorporate the following mobile device security best practices into your security policies.
Develop Device Use Policies
It is essential that a governance policy is developed and introduced that lays down the rules for using personal devices for work purposes. The policy should list the permitted uses of portable devices, what is expected of employees, and which categories of staff may join the scheme. Supported devices and minimum operating system versions must be listed, and the rights the IT department has over the device and the data stored on it (for example, the right to enforce a passcode, enroll the device in mobile device management, and remotely wipe it) should be documented and agreed to by the employee before enrollment. Policies should be comprehensive, and must include rules covering day-to-day device usage as well as what is permitted during emergencies.
Conduct Staff Training on Device Usage and Privacy and Security Rules
All members of staff opting into a BYOD scheme must be issued with the policies and procedures they are expected to follow. Efforts should be made to make sure employees understand what is required of them and the rules covering data privacy and security. Staff must be advised of state and federal data protection and security laws as well as internal policies and procedures.
Employees may lack an understanding of the technology even if they own multiple mobile devices. Others know a great deal, yet do not know how mobile devices transmit data or what security risks they carry. If this information is communicated to employees, they can take responsibility for data privacy and security and make efforts to keep data secure. Employees cause numerous data breaches and HIPAA violations each year, often unwittingly. Ensuring that staff know the security procedures, and the reasons they are needed, will reduce the risk of an employee-caused data breach.
Register, Log and Monitor All Mobile Devices
Once devices have been authorized, it is essential that their use is monitored. Employees can be trained on HIPAA and hospital rules, but that does not mean the rules will be followed 100% of the time. A system should be put in place, typically a mobile device management (MDM) platform combined with access logs from the systems that hold PHI, that records which device accessed what, checks each access against the device registry and the policy, and alerts the security team when the rules are broken.
It should be made as hard as possible for employees to side-step IT security policies. When this does happen it must be identified and addressed rapidly, which is only possible if every device is registered and every access to PHI is logged.
Encrypt all Data on Mobile Devices
If data must be stored on a portable device it must be encrypted, and the device must be protected by a passcode, since device encryption is only as strong as the credential that unlocks it. Encryption should also be used for email, and a secure healthcare messaging app should be used in place of ordinary text messages for any PHI, because SMS is transmitted and stored unencrypted. It should be made as hard as possible for HIPAA violations to occur, and as easy as possible for secure communications to be sent.
Wipe Data when Decommissioning Mobiles
Under the HIPAA Security Rule, all devices used to store, access or transmit PHI must have that data securely erased before disposal or reuse. The rule applies to smartphones and other portable devices even when the covered entity does not own them.
Policies should require the deletion of PHI from mobile devices when it is no longer needed or when its presence poses a security risk, for example when a device is lost, stolen or sold, or when the employee leaves. Before a device is accepted into a BYOD scheme, remote wipe capability (normally provided through MDM enrollment) should be installed and tested. Remote wipe only works if the device comes online to receive the command, so it complements device encryption rather than replacing it.
Restrict Network Access
HIPAA's minimum necessary standard requires access to PHI to be restricted as far as possible. Access rights should be assigned based on position, or tailored to the individual. Per-individual tailoring is rarely practical in a large organization, so it is best to assign access rights by role and then refine them where needed. Physicians and nurses, for example, should not have the same access rights, and billing and administrative staff require fewer still. Whatever the model, access should be denied by default and every access decision should be logged, including any emergency override.
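A minimal way to express role-based, deny-by-default access to PHI, with the emergency ("break-glass") path that the device-use policy above has to cover, is shown below. This is an added example written for this page, not code from any EHR or identity product; the roles, resource names and permission table are hypothetical, and the rule that only clinical roles may break glass, and only for reads, is an assumed policy choice rather than anything the article mandates.

```python
from dataclasses import dataclass, field

# Constructed role-to-permission table (hypothetical roles and resources).
# Each permission is a (resource, action) pair. Anything not listed is denied.
ROLE_PERMISSIONS = {
    "physician": {
        ("clinical_note", "read"), ("clinical_note", "write"),
        ("medication_order", "read"), ("medication_order", "write"),
        ("discharge_summary", "read"), ("discharge_summary", "write"),
        ("billing", "read"),
    },
    "nurse": {
        ("clinical_note", "read"), ("medication_order", "read"),
        ("vitals", "read"), ("vitals", "write"),
    },
    "billing": {
        ("billing", "read"), ("billing", "write"), ("demographics", "read"),
    },
}

# Assumed policy: only clinical roles may invoke the emergency override.
BREAK_GLASS_ROLES = {"physician", "nurse"}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


@dataclass
class Authorizer:
    """Deny-by-default RBAC with a read-only, always-logged break-glass path."""
    roles: dict = field(default_factory=lambda: ROLE_PERMISSIONS)
    audit: list = field(default_factory=list)

    def role_grants(self, user_roles, resource, action) -> bool:
        """True if any of the user's roles explicitly lists (resource, action)."""
        return any((resource, action) in self.roles.get(r, set()) for r in user_roles)

    def decide(self, user, user_roles, resource, action, emergency=False) -> Decision:
        if self.role_grants(user_roles, resource, action):
            d = Decision(True, "granted by role")
        elif (emergency and action == "read"
              and any(r in BREAK_GLASS_ROLES for r in user_roles)):
            # Break-glass: read-only, allowed, but flagged so it is reviewed.
            d = Decision(True, "break-glass read; flagged for review")
        else:
            d = Decision(False, "no role grants this permission")
        # Every decision, allowed or not, is recorded for the access audit.
        self.audit.append({
            "user": user, "roles": tuple(user_roles), "resource": resource,
            "action": action, "emergency": emergency,
            "allowed": d.allowed, "reason": d.reason,
        })
        return d


if __name__ == "__main__":
    az = Authorizer()
    print(az.decide("drlee", ["physician"], "medication_order", "write"))
    print(az.decide("nurse1", ["nurse"], "medication_order", "write"))
    print(az.decide("nurse1", ["nurse"], "discharge_summary", "read", emergency=True))
    for entry in az.audit:
        print(entry)
```

The point of the structure is that the permission table is the only place a grant can come from, so adding a new role or resource never widens access by accident, and the emergency path is narrow (read-only, clinical roles only) and leaves an audit entry that the monitoring in the previous section can pick up.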
Use Virtual Desktops
To improve healthcare data security, consider desktop virtualization. Run the desktops on virtual servers in the data center and let endpoint users access software and data remotely through a thin client. The user gets a familiar experience, while PHI stays on the server rather than being stored on the personal device; if the device is lost or stolen, there is nothing on it to recover.