Billingology - Are Your Mobile Devices Secure?

Mobile devices (phones, tablets, laptops) are increasingly used in healthcare organizations. They can increase work efficiency and offer convenience to providers, employees and patients alike. However, mobile devices are commonly involved in data breaches and are at risk of being lost or stolen. The Office for Civil Rights (OCR) offers guidance and advice to covered entities for reducing mobile device security risks:

  • Implement policies and procedures regarding the use of mobile devices in the workplace – especially when used to create, receive, maintain, or transmit ePHI.
  • Consider using Mobile Device Management (MDM) software to manage and secure mobile devices.
  • Install or enable automatic lock/logoff functionality.
  • Require authentication to use or unlock mobile devices.
  • Regularly install security patches and updates.
  • Install or enable encryption, anti-virus/anti-malware software, and remote wipe capabilities.
  • Use a privacy screen to prevent people close by from reading information on your screen.
  • Use only secure Wi-Fi connections.
  • Use a secure Virtual Private Network (VPN).
  • Reduce risks posed by third-party apps by prohibiting the downloading of third-party apps, allowing installation of only approved apps, securely separating ePHI from apps, and verifying that apps have only the minimum necessary permissions required.
  • Securely delete all PHI stored on a mobile device before discarding or reusing the mobile device.
  • Include training on how to securely use mobile devices in workforce training programs.

Workforce training is crucial if employees are able to access PHI via mobile devices, both in and out of the office. Covered entities should ensure they have a Mobile Device policy in place, outlining permitted uses, permissions, and procedures to follow if a mobile device is compromised.