Anyone in the healthcare industry who plans on adopting a BYOD environment needs to be aware of how HIPAA actually treats encryption. The Security Rule lists encryption of Protected Health Information (PHI) at rest and in transit as an “addressable” implementation specification. Addressable does not mean optional: you must implement it where it is reasonable and appropriate for your environment, and if you decide it is not, you must document why and put an equivalent safeguard in place. Compliance guidance built on that rule strongly recommends “encryption of all corporate email, data, and documents, in transit and at rest, on all devices” that contain PHI. So the law does not flatly state that you are required to encrypt; it “asks” healthcare providers with BYOD to do so and to justify any decision not to. However, what do you think would happen when and if a PHI breach occurred because your office had a lost/stolen device that wasn’t encrypted? Do you think HHS would show mercy and just decide to let it pass this time?
I hope you don’t. Because that would definitely not happen.
If you do… well, then… there’s a lovely oceanfront mansion in Nevada I’d like to sell you.
When it comes to protecting PHI in a BYOD environment, device encryption is a must. It doesn’t matter that it is not spelled out as mandatory in the wording of HIPAA. Trust me on this. You need to have encryption. Like the device tracking and remote wipe tools we discussed in Part 2, encryption offers yet another layer of protection for PHI, and it is the one layer that still works when a stolen device is powered off or kept off the network, where a remote wipe command can never reach it.
What is Encryption and Why Do I Need It?
Here is a way to think of encryption without getting overly technical: encryption “scrambles” data (at rest or in transit) so that it is rendered unreadable/unusable for anyone who does not have the correct encryption key. Some of you probably remember those decoder rings kids used to have back in the day (remember that scene from A Christmas Story?), which allowed the holder to decode secret messages given in numbers. However, unless the holder of the decoder ring knew the “key,” or which exact number to match up with which specific letter for that message (for example, 8-F in the below photo), then he/she still would not be able to decode it.
An encryption key works similarly, except that the scrambling is done by a mathematical algorithm rather than a ring, and the key is a long random value rather than a single number. Data is encrypted with that key when it is written to storage or sent across a network, and it can only be turned back into readable form by someone holding the same key (or, for some schemes, the matching private key). On a laptop or phone you never type the key itself; it is unlocked or derived from your password, PIN or other credentials when you sign in. Luckily, there is no need to manually decode the encrypted information like with the old decoder ring (even better, you can acquire encryption without having to drink sickening quantities of Ovaltine). Even for those of you not working in a BYOD environment, encryption also goes a long way toward making sure your personal data is not being pilfered by the NSA or anyone else.
Encryption is a very useful tool when it comes to privacy and cybersecurity. What it isn’t… is foolproof. On most devices the encryption key is protected by your password or passcode, so anyone who steals, guesses or cracks that credential has everything they need to read your data; the encryption itself is never what gets broken. Therefore, it is extremely important to have a strong password creation and management policy in any BYOD environment, and to keep short numeric PINs off devices that hold PHI. Remember, locks only work when thieves do not have the keys.
As mentioned at the beginning of this article, a lost or stolen device that is not encrypted is more than enough to qualify as a breach, and potentially as multiple HIPAA violations. Under the Breach Notification Rule, the loss of unsecured PHI is presumed to be a breach unless a documented risk assessment shows a low probability that the PHI was compromised, and for a missing unencrypted laptop or phone you usually cannot show that. Don’t forget that the penalty math is per violation, not per incident: HHS may treat each patient whose PHI was exposed as a separate violation. Penalties are tiered according to how culpable HHS finds your organization (from “did not know” up to uncorrected willful neglect), with annual caps per violated provision that range from $25,000 to $1.5 million, so just one lost or stolen unencrypted device could easily become the cause of financial ruin for a small healthcare practice. The flip side is the real reason encryption pays for itself: PHI that was encrypted in line with HHS’s guidance (which points to the NIST encryption standards) is not “unsecured PHI,” so the loss of a properly encrypted device, where the passcode or key was not compromised along with it, is not a reportable breach at all.
What Needs to Be Encrypted?
Here’s a pretty simple guideline to follow: encryption should be applied to any device in a BYOD environment that even has the potential to store or transmit PHI data and can be easily moved/used outside of the office. This would include such devices as laptops, mobile data storage devices (e.g. USB sticks and external hard drives), smartphones, tablets, etc.
Some of your office’s devices may actually already be encrypted, so you should have a discussion with your IT personnel to find out which devices are (or are not) encrypted. iPhones and most recent Android phones encrypt their storage automatically once a passcode is set, while laptop encryption (FileVault on a Mac, BitLocker on Windows) often has to be switched on deliberately and its recovery key stored somewhere safe. To be honest, even if your office is not in a BYOD environment, you should already be using encryption on all desktop computers and servers if you are storing or working with PHI data.
How Do I Encrypt Mobile Devices?
How you use encryption depends a lot on what sorts of devices you plan to encrypt. With both laptops and mobile devices, the options differ from one operating system to another, and encryption for a laptop is not going to be set up the same way as for, say, a smartphone or tablet. It also helps to separate two different jobs. Whole-device encryption protects data at rest: if the device is lost, whatever is stored on it stays scrambled. On modern phones the storage key is derived from your unlock PIN or passcode and tied to a hardware security chip that slows down repeated guesses, but a four-digit PIN is still only ten thousand possibilities, which is why a weak passcode can be broken and why the passcode policy matters so much. Encrypting what leaves the device, such as text messages and voice calls, is a separate job that whole-device encryption does nothing for; it takes apps that encrypt end to end, each with its own keys, so a thief who gets past the lock screen still cannot read that traffic. It all comes down to how many layers of security you feel are necessary to protect PHI. If no one in your BYOD environment is discussing PHI in text messages (which, from a safety standpoint, is not advisable anyway), then you probably don’t need an encryption option for texting.
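To make the point above concrete (that the passcode effectively is the key, and that a short PIN is the weakest link), here is a small worked example. It is added for this edit and is not code from the original post or from any device vendor. It uses only the Python standard library: a passcode is stretched into a key with PBKDF2, a constructed sample patient record is encrypted and authenticated, and then an attacker who has copied the encrypted data tries every four-digit PIN offline. The cipher is an illustrative HMAC-SHA256 keystream, not the AES modes real disks and phones use, and the iteration count and the lack of hardware throttling are assumptions chosen so the demonstration runs in about a second; the key-handling logic is what matters.

```python
"""Added example: the unlock passcode is the key, so the key is only as strong as the passcode.

Standard library only. The cipher below is an illustrative HMAC-SHA256 keystream
standing in for AES; real devices use AES (e.g. AES-XTS for storage) and bind the
key to a hardware chip that throttles guesses. Those are assumptions of this demo.
"""
import hashlib
import hmac
import itertools
import os
from typing import Optional, Tuple

# Deliberately small so the brute force finishes quickly; production systems use
# far more iterations (or a memory-hard KDF) plus hardware-enforced guess limits.
PBKDF2_ITERATIONS = 2_000
KEY_LEN = 32
NONCE_LEN = 16
TAG_LEN = 32


def derive_key(passcode: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Stretch a passcode into a 256-bit key with PBKDF2-HMAC-SHA256.

    The salt is stored next to the data and is not secret, so the resulting key
    is exactly as hard to guess as the passcode it came from."""
    return hashlib.pbkdf2_hmac("sha256", passcode.encode("utf-8"), salt, iterations, dklen=KEY_LEN)


def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive independent encryption and authentication keys from one master key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 used as a PRF (stand-in for AES-CTR)."""
    blocks = []
    for counter in range((length + 31) // 32):
        blocks.append(hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest())
    return b"".join(blocks)[:length]


def encrypt(plaintext: bytes, key: bytes) -> bytes:
    """Return nonce || ciphertext || tag (encrypt-then-MAC)."""
    nonce = os.urandom(NONCE_LEN)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(blob: bytes, key: bytes) -> Optional[bytes]:
    """Return the plaintext, or None if the key is wrong or the data was altered.

    The tag is verified first, in constant time, so a wrong key never yields
    garbage that could be mistaken for a record."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ciphertext))
    return bytes(c ^ s for c, s in zip(ciphertext, stream))


def brute_force_pin(blob: bytes, salt: bytes, digits: int) -> Tuple[Optional[str], int]:
    """Offline attack on a copied, unthrottled disk image: try every numeric PIN of
    the given length until the authentication tag verifies.

    Returns (recovered_pin, guesses_made); (None, 10**digits) if no PIN fits."""
    guesses = 0
    for combo in itertools.product("0123456789", repeat=digits):
        guesses += 1
        pin = "".join(combo)
        if decrypt(blob, derive_key(pin, salt)) is not None:
            return pin, guesses
    return None, guesses


if __name__ == "__main__":
    # Constructed sample record; on a real device this would be a file on disk.
    record = b"Patient: Jane Doe, MRN 0042, Dx: hypertension"
    salt = os.urandom(16)
    blob = encrypt(record, derive_key("0417", salt))
    print("wrong passcode ->", decrypt(blob, derive_key("1234", salt)))
    pin, tries = brute_force_pin(blob, salt, digits=4)
    print(f"4-digit PIN recovered: {pin} after {tries} guesses")
```

Two things to take from running it. First, the wrong passcode does not produce a half-readable record; it produces nothing, because the authentication tag fails before any decryption happens. Second, the attacker never touches the cipher: every four-digit PIN is tried in about a second, a six-digit PIN would take about a hundred times longer, and a proper alphanumeric passphrase pushes the search beyond reach. Real phones add hardware-enforced delays and wipe-after-N-attempts on top, but those protections apply to guesses made on the device; an attacker with an exported copy of the data and a passcode-only key gets the offline attack shown here, which is why both the passcode policy and the hardware binding matter.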
I would recommend sitting down with your office/practice IT personnel and discussing how you plan to use the devices in your organization’s BYOD environment in order to figure out how to best make use of encryption for your situation. However, having a bit more knowledge on the matter certainly couldn’t hurt. Therefore, a number of resource links for specific device encryption methods have been provided below:
- Laptop encryption: MacBook FileVault
- Laptop encryption: Windows BitLocker
- Phone/tablet encryption: Android
- Phone encryption: iPhone
- Tablet encryption: iPad (this one is actually surprisingly easy)
- Encryption apps across various platforms: Text and Voice Call Encryption
Thank you for reading Part 3 of our “BYOD in Healthcare” blog series. In our fourth and final installment, we will discuss how to create a strong, clear, and HIPAA-compliant BYOD policy for your office or practice.