Physician Mobile Devices: Are You at Risk?

The smartphones, tablets and laptops that have become such valuable tools to many physicians can also represent real risks in the event that they are lost, stolen or otherwise compromised. Here are some ideas on how to assess and mitigate risks surrounding mobile devices in your practice.

A natural starting place is to consider whether critical data resides on your phone, tablet, or laptop. There's good news in that many cloud-based EHRs and practice management systems negate the need to store data locally, meaning if you use such a system, you've effectively removed the responsibility of protecting locally stored data. Nonetheless, even with the most state-of-the-art systems, physicians sometimes needlessly put themselves in vulnerable positions. For example, imagine if one of these devices was stolen when you or your employee was logged into one or more critical systems. Would HIPAA protected data be at risk? Only a moment is needed to envision a situation that could damage your reputation and cost your practice.

There's good news in the fact that implementing a few simple best practices can be a great start to improving your security surrounding these devices. Here are tactics to consider:

Dos:

1. As an essential first step, regularly assess what data is being stored and where as an essential first step to establishing sound security protocols.

2. Update system software frequently and replace hardware when device operating systems are no longer being supported with regular security updates

3. Encrypt your phone, tablets, and laptops. It's important to understand that having a password without taking the extra step of encrypting is easily defeated by thieves and hackers. Encryption can be accessed through security settings for your phone.

4. Always log out of devices before leaving them unattended. Yes, your devices can be stolen - sadly, it's likely that you will lose or have a device stolen sooner or later.

5. Enable Find My iPhone (http://apple.co/1PxyZik) or activate Android Device Manager so that you can erase the contents of the phone remotely in case it is lost or stolen. Laptops have similar functionality through current operating systems, but they too must be set up prior to being needed.

Use strong passwords. A simple technique: use the first letter of each word in a sentence; e.g. "I live on 226 Manchester St! becomes Ilo226Ms!

6. Consider separate Wi-Fi Internet connections for guests and employees to use for personal purposes.

7. Use reputable password managers so that you only need to remember one password while never using the same password for different purposes.

Find a staff member to become your office's mobile device security guru to help refine your internal policies and protocols and stay current on technologies and risks.

Don'ts:

1. Don't install unnecessary third-party applications. Some so-called "free applications" often access device data despite assurances to the contrary from their developers.

2. Avoid leaving devices unattended even for a moment. After hours, consider locking devices in a safe or removing them from the office altogether. One of our clients had a safe stolen by their janitorial crew; another had their laptop stolen from their car as they watched in a restaurant nearby. Thieves are quick!

3. Do not store passwords on paper that could be easily accessed. Since encryption means that your data is absolutely inaccessible without the password, you may want to store passwords on paper in a secure location.

4. Don't ignore the fact that your employees have cameras on their phones that may represent a security risk - patient records or credit cards might be photographed. Additionally, employees who browse personal data on your practice's Internet connection represent a potential risk to networked devices. Enact reasonable, but conservative, guidelines for cell phone and network use within the office; e.g., only on the "guest network" on break in the lunch room.

5. Never use unencrypted e-mail to communicate protected health information. Texts while less vulnerable to interception, could represent a threat if the device is lost or stolen, but making sure devices are locked and encrypted when not in use removes the vast majority of risk. Messaging within major EHR and practice management mobile applications is presumably secure and their use is preferred on most counts.

Joe Capkois senior consultant and partner with Capko & Morgan. In over 20 years of management consulting he has assisted practices from coast to coast on everything from business strategy, marketing, and patient satisfaction surveys. He has been a featured speaker for management associations and is currently working with his partners on a new edition of "Secrets of the Best Run Practices." He may be reached at joe@capko.com