Protecting PHI on a mobile device

Posted: Jul 22, 2015

Healthcare organizations and other covered entities have an obligation to protect the privacy of their patients’ ePHI (electronic protected health information). The HIPAA Security Rule requires covered entities and business associates to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting patients’ data. As part of this requirement, they must:

  • Ensure the confidentiality, integrity, and availability of all ePHI they store, receive, maintain or transmit.
  • Identify and protect against reasonably anticipated threats to the security or integrity of the information.
  • Protect against reasonably anticipated, impermissible uses or disclosures.
  • Ensure compliance by their workforce.

However, the unfortunate reality is that most healthcare organizations are failing to comply with these rules, and the increased adoption of mobile devices is partly to blame.

The Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data, conducted by Ponemon Institute, revealed that more than 90% of healthcare professionals have experienced a data breach within their organization at some point, and 40% had experienced more than five data breaches over the past two years.

The study also revealed that the biggest concern regarding data security for organizations is staff negligence, which is understandable when you consider that 96% of organizations say they had experienced a security compromise as the result of a lost or stolen device.

With mobile phones and tablets now commonplace in many healthcare organizations, patient health information is more vulnerable than ever. Organizations therefore need to take every precaution to keep their devices secure, whether a device is lost or stolen or falls victim to a malicious attack.

Here are some tips to help you keep patients’ ePHI secure on your mobile device.

Be smart: Use strong passwords and access keys as a means of authentication, and ensure your device is locked whenever it is not in use. You should enable screen locking after a set period of inactivity to minimize the risk of unauthorized users gaining access to the device if it is left unattended – and to that end, never leave a device unattended.

Eliminate email: Email is inherently insecure, mainly due to the potential for human error, such as sending information to the wrong recipient. The biggest issue with email, though, is password management, as many users fail to follow best practice when setting passwords that they believe to be secure.

To avoid putting patients’ ePHI at risk, organizations would be wise to move away from email platforms altogether and invest in a secure cloud fax solution as an alternative.

Avoid using unsecured networks: Public Wi-Fi networks are an easy way for unauthorized users to access and intercept information, which means you should stop and think carefully before connecting to your local coffee shop’s Wi-Fi, for example. As a minimum, users should change the settings on their device to ask permission first before joining any networks.

Think before downloading applications: Even the most legitimate-looking mobile applications could be carrying malicious software, so it’s always best to err on the side of caution and avoid downloading anything unless you are certain it is safe to do so.

Embrace the cloud: ePHI stored on the phone itself – in the onboard memory or on the SIM card – could be easily accessed by unauthorized users, and is therefore not secure. Instead, use a HIPAA-compliant document management solution to manage ePHI on your mobile device.

Mobile devices offer healthcare professionals a user-friendly way to access and transmit health records when out in the field, but this convenience should not be at the expense of security. If your organization uses mobile devices to store, manage, share, or transmit ePHI, then you should take every precaution to protect that information.