Monday, February 13, 2012

The Privacy & Security Mobile Device Project

Recently, ONC’s Office of the Chief Privacy Officer (OCPO), in collaboration with the HHS Office for Civil Rights (OCR), launched a Privacy & Security Mobile Device project.

The project goal is to better secure and protect health information on mobile devices (e.g., laptops, tablets, and smartphones). Building on the existing HHS HIPAA Security Rule - Remote Use Guidance, the project is designed to identify privacy and security best practices for devices that are are used outside healthcare facilities or not directly under IT department control.

The HHS Remote Use Guidance may not be familiar to clinicians and IT professionals.   It was issued on 12/28/2006 and includes specific recommendations for the use of Electronic Protected Health Information (EPHI) on mobile devices, specifically (1) the use of portable media/devices (such as USB flash drives) that store EPHI and (2) offsite access or transport of EPHI via laptops, smart phones, home computers or other non corporate equipment.

The report groups its recommendations into three areas: access, storage and transmission.


Username/password protection -  to reduce the risk of keystroke loggers or stolen passwords, it recommends two factor authentication - something that you know and something that you have.

Remote access - to minimize the risk of privacy breaches, it recommends role-based access control for remote data access in combination with policies which delineate who is authorized use remote access methods.

Unattended devices - to minimize the risk of privacy breaches by those who may find a lost or unattended device, it recommends timeouts on any software used to access EPHI

Malware -  to minimize the damage done by the increasing flood of malware on the internet, it recommends personal firewalls and appropriate use of up to date anti-virus tools


Theft risk mitigation - to reduce the risk of breach when a device is lost or stolen, it recommends encryption, biometric authentication methods, and strong mobile device storage policies

Lifecycle management - to reduce the risk of data loss when a mobile device is retired it recommends  deletion/physical destruction of devices

Data cached on non-owned device - to minimize the risk that data will be left on public computers used to access EPHI remotely, it recommends training, prohibition on downloading  files containing EPHI, and application software configurations that eliminate browser caching


Off network transmission - to minimize the risk of interception, it recommends that all data transmissions require SSL, TLS, or VPN in addition to policies requiring encryption of all data in motion between organizations.

These are guidelines, not regulations, but you can bet the next time CMS/OCR investigates a breach, they will ask if you have followed the published recommendations for  access, storage and transmission.  Thus, I highly recommend you read the HHS guidance and incorporate their suggestions into your overall security program.


therealmcqueen said...

Taking the "Access" and "Storage" recommendations into consideration, are they not actually suggesting three-factor authentication?..

Something you have, something you know and, with biometric authentication, something you are.

Glen said...

While privacy and confidentiality is of concern, I would like to see much greater attention paid to two other pillars of security: integrity and availability.

NIST SP 800-60 vol. 2 rev. 1 section D.14 has a good discussion about how to characterize health IT systems for security purposes. All Federal systems are obligated to follow it.

Confidentiality breaches rate only "moderate" security. However breaches to availability and integrity rate "high", as they can cause serious harm and even kill patients.

IMHO, mobile devises present greater risks to integrity and availability faults than risks to confidentiality. Anybody who has experienced poor wireless signal or a crowded area where too many devices compete for connectivity can experience this. Unavailable or partial data and applications are a patient safety hazard. I will require solid progress before I trust my well-being to a mobile device or application.

I strongly prefer that the FDA have a lot to say about mobile health devices and applications, given their longer-than-ONC history and abilities in patient safety. The will increase my confidence.

Privacy and confidentiality are simpler. There are plenty of off-the-shelf solutions and standards to enable it. We need to stop reinventing the wheel, second-guessing prior art, and issuing reports about it. Rather, let's implement what we have in-hand and incrementally improve it based on experience.