Protecting Mobile Devices From Breaches



Health care professionals and providers are increasingly using mobile devices for clinical purposes.  A study in 2013 by Deloitte Center for Health Solutions found more than 40% of providers use mobile phones for clinical purposes.  Another study by Cisco found that 88.6% of health care workers use their personal smartphones for work purposes. 


The majority of data breaches of Protected Health Information (PHI) reported to HHS are related to the theft or loss of mobile devices.  In at least two cases in the past, the loss or theft of mobile devices has resulted in settlements of over $1M.


What does HIPAA require?


If health care staff and providers are utilizing mobile devices to access, store, or transmit Protected Health Information (PHI) of patients, certain controls must be in place.


HIPAA requires covered entities to conduct periodic risk assessments of potential risks and vulnerabilities to PHI maintained on all systems, including mobile devices.  HIPAA also requires entities to have safeguards, policies, and procedures in place for addressing those threats and vulnerabilities.


How can I prevent breaches on mobile devices?


The following are some controls an entity can put in place to prevent data breaches on mobile devices:

  • Implement an Access Control Policy which requires user authentication to access mobile devices, including complex passwords

  • Ensure that encryption is in place and enabled on all mobile devices that access, store, or transmit PHI

  • Implement VPN technology before sending or receiving PHI to protect against interception by a third party

  • Implement a secure HIPAA compliant text messaging policy

  • Check all device default settings and ensure that the appropriate security features are enabled

  • Provide workforce training and awareness to employees for remote working

  • Install or enable firewalls to block unauthorized access

  • Install or enable mobile security software to protect from viruses, malware, spyware, etc.

  • Properly wipe all PHI before a mobile device is discarded or re-used

  • Ensure there is an automatic lock or log off functionality in place

  • Maintain an inventory of all devices used to access, store, or transmit PHI

  • Lastly, ensure security software and controls are kept up to date!
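Several of the controls above (encryption, passcode complexity, automatic lock, patch currency, security software, and the device inventory itself) can be checked together against an MDM inventory export as part of the periodic risk assessment. The script below is an added example, not code from the original post; the inventory records, field names, and policy thresholds are all constructed assumptions and should be replaced with your own export format and risk-assessment values.

```python
from datetime import date

# Assumed policy thresholds (not stated in the post; set them from your own risk assessment)
MIN_PASSCODE_LEN = 8
MAX_AUTOLOCK_SECONDS = 300
MAX_PATCH_AGE_DAYS = 30
AUDIT_DATE = date(2024, 1, 31)  # fixed so the audit result is reproducible

# Constructed inventory shaped like an MDM export; every field name here is an assumption
INVENTORY = [
    {"id": "DEV-001", "owner": "nurse.a", "handles_phi": True, "encrypted": True,
     "passcode_set": True, "passcode_min_length": 8, "passcode_alphanumeric": True,
     "autolock_seconds": 120, "last_patch": date(2024, 1, 20), "security_sw": True},
    {"id": "DEV-002", "owner": "dr.b", "handles_phi": True, "encrypted": False,
     "passcode_set": True, "passcode_min_length": 4, "passcode_alphanumeric": False,
     "autolock_seconds": None, "last_patch": date(2023, 10, 1), "security_sw": False},
    {"id": "DEV-003", "owner": "frontdesk", "handles_phi": False, "encrypted": False,
     "passcode_set": False, "passcode_min_length": 0, "passcode_alphanumeric": False,
     "autolock_seconds": None, "last_patch": date(2023, 6, 1), "security_sw": False},
]

def audit_device(dev, today=AUDIT_DATE):
    """Return the list of control gaps for one device; an empty list means compliant."""
    if not dev["handles_phi"]:
        return []  # devices that never touch PHI are out of scope for these checks
    gaps = []
    if not dev["encrypted"]:
        gaps.append("encryption disabled")
    if not (dev["passcode_set"] and dev["passcode_min_length"] >= MIN_PASSCODE_LEN
            and dev["passcode_alphanumeric"]):
        gaps.append("passcode missing or below complexity policy")
    if dev["autolock_seconds"] is None or dev["autolock_seconds"] > MAX_AUTOLOCK_SECONDS:
        gaps.append("automatic lock missing or too long")
    if (today - dev["last_patch"]).days > MAX_PATCH_AGE_DAYS:
        gaps.append("security updates out of date")
    if not dev["security_sw"]:
        gaps.append("no mobile security software")
    return gaps

def audit_inventory(inventory, today=AUDIT_DATE):
    """Map device id -> gaps, listing only devices that need remediation."""
    report = {}
    for dev in inventory:
        gaps = audit_device(dev, today)
        if gaps:
            report[dev["id"]] = gaps
    return report
```

Run `audit_inventory(INVENTORY)` to get the remediation list; in the constructed data only DEV-002 is flagged, with all five gaps.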



It is the law to protect your patients' PHI on any media or device used within the entity.




If you find this information to be useful, please subscribe to our blog here.