Data Breach, Education, HIPAA / HITECH Enforcement, Tip of the Week, Trends & Technology

Part Three of the Practical Security Series: Solution

Solutions for cyber security

Note: Item nine covers mobile device protection, and a strong password is the single best tip. For more information see http://www.healthit.gov/providers-professionals/cybersecurity

  1. Use Strong Passwords and Change Them Regularly – Visit the Microsoft Safety and Security Center to check whether your password is strong enough: https://www.microsoft.com/security/pc-security/password-checker.aspx
  2. Install and Maintain Anti-Virus Software
  3. Use a Firewall
  4. Control Access to Protected Health Information
  5. Control Physical Access
  6. Limit Network Access
  7. Plan for the Unexpected
  8. Maintain Good Computer Habits
  9. Protect Mobile Devices
  10. Establish a Security Culture

Protect Mobile Devices

Mobile devices—laptop computers, handhelds, smart phones, and portable storage media—have opened a world of opportunities to untether EHRs from the desktop. But these opportunities also present threats to information security and privacy. Some of these threats overlap those of the desktop world, but others are unique to mobile devices.

  • Because of their mobility, these devices are easy to lose and vulnerable to theft.
  • Mobile devices are more likely than stationary ones to be exposed to electromagnetic interference (EMI), especially from other medical devices such as MRI machines. This interference can corrupt the information stored on a mobile device.
  • Because mobile devices may be used in places where the device can be seen by others, extra care must be taken by the user to prevent unauthorized viewing of the PHI displayed on a laptop or handheld device.
  • Not all mobile devices are equipped with strong authentication and access controls, so extra steps may be necessary to secure them from unauthorized use. Laptops should have password protection that conforms to that described in Practice 1. Many handheld devices can be configured with password protection, and this should be enabled when available. If password protection is not provided, additional steps must be taken to protect PHI on the handheld, including extra precaution over physical control of the device.
  • Laptop computers and handheld devices are often used to transmit and receive data wirelessly. These wireless communications must be protected from intrusion (Practice 6 describes wireless network protection). Transmitting PHI unencrypted across public networks (e.g. the Internet, public Wi-Fi services) can be done where the patient requests it and has been informed of the potential risks. Generally, however, PHI should not be transmitted without encryption across these public networks.

Transporting data with mobile devices is inherently risky. There must be an overriding justification for this practice that rises above mere convenience. If healthcare data is stored on the mobile device, ensure that encryption is installed and enabled. The newest iPhone models have achieved FIPS 140-2 certification for their encryption modules. Mobile devices that cannot support encryption should not be used. This includes the inexpensive memory sticks or thumb drives that are widely available and often given away by vendors. Encrypted versions of these devices are readily obtainable at a modest cost—much less than the cost of mitigating a data breach. Remember to encrypt removable media as well, such as the microSD card in your phone.

If it is absolutely necessary to take a laptop containing patient data out of a secure area, the laptop’s hard drive should be encrypted. Encryption for laptops has become so affordable, and so easy to install and manage, that it is hard to envision a reason why all laptops are not encrypted today. To leave a laptop unencrypted is to invite unnecessary risk to your organization and to forgo benefits such as safe harbor under federal and state data breach laws.
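A quick way to verify the two recommendations above (encrypted laptop drive, encrypted removable media) on a Linux laptop is to walk the block-device tree and flag any mounted filesystem that is not sitting on a dm-crypt/LUKS mapping. This is an added example, not code from the original post; it assumes the JSON output format of `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT` and uses a constructed sample in place of live output.

```python
import json

# Constructed sample of `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT` output: a laptop whose
# root volume sits on LUKS, plus an unencrypted microSD card. Not captured from a real host.
SAMPLE_LSBLK_JSON = """
{"blockdevices": [
  {"name": "nvme0n1", "type": "disk", "fstype": null, "mountpoint": null, "children": [
    {"name": "nvme0n1p1", "type": "part", "fstype": "vfat", "mountpoint": "/boot/efi"},
    {"name": "nvme0n1p2", "type": "part", "fstype": "crypto_LUKS", "mountpoint": null, "children": [
      {"name": "cryptroot", "type": "crypt", "fstype": "ext4", "mountpoint": "/"}]}]},
  {"name": "mmcblk0", "type": "disk", "fstype": null, "mountpoint": null, "children": [
    {"name": "mmcblk0p1", "type": "part", "fstype": "exfat", "mountpoint": "/media/user/SDCARD"}]}
]}
"""

def audit_mounts(lsblk_json):
    """Map every mounted filesystem to True if it is encrypted, False if not.

    A filesystem counts as encrypted when the device holding it, or any device
    above it in the lsblk tree, is a dm-crypt/LUKS mapping (type "crypt").
    """
    result = {}

    def walk(dev, under_crypt):
        under_crypt = under_crypt or dev.get("type") == "crypt"
        mountpoint = dev.get("mountpoint")
        if mountpoint:
            result[mountpoint] = under_crypt
        for child in dev.get("children", []):
            walk(child, under_crypt)

    for dev in json.loads(lsblk_json)["blockdevices"]:
        walk(dev, False)
    return result

def unencrypted_mounts(lsblk_json, ignore=("/boot", "/boot/efi")):
    """Mountpoints holding data in the clear. Boot partitions are skipped because
    they must stay readable before the encrypted volume can be unlocked."""
    return sorted(mp for mp, enc in audit_mounts(lsblk_json).items()
                  if not enc and mp not in ignore)

if __name__ == "__main__":
    # On a live Linux host, feed the audit the real output instead of the sample, e.g.
    #   subprocess.run(["lsblk", "-J", "-o", "NAME,TYPE,FSTYPE,MOUNTPOINT"],
    #                  capture_output=True, text=True).stdout
    for mp in unencrypted_mounts(SAMPLE_LSBLK_JSON):
        print(f"WARNING: {mp} is not on an encrypted volume")
```

The check only recognises block-level encryption (LUKS/dm-crypt); file-level schemes such as fscrypt or eCryptfs would need a separate test.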

Policies specifying the circumstances under which devices may be removed from the facility are very important, and all due care must be taken in developing and enforcing them. The primary goal is to protect the patient’s information, so considerations of convenience or custom (e.g. working from home) must be weighed in that light.

But I need to work at home today…

In today’s increasingly mobile world, it is certainly tempting to use mobile technology to break away from the office and perform work from the comfort of home, a travel hub, or a coffee shop. Those who have responsibility for protecting patient data must recognize that this responsibility does not end at the office door. Good security practices must always be followed.

Sponsored by: RISC Management, www.RISCsecurity.com

Contact us today for all your compliance needs: Sales@RISCsecurity.com

References

About.com. (2014). What makes a smartphone smart? Retrieved from http://cellphones.about.com/od/smartphonebasics/a/what_is_smart.htm

Bloomberg Business Week. (2013). How Samsung became the world’s no. 1 smartphone maker. Retrieved from http://www.businessweek.com/articles/2013-03-28/how-samsung-became-the-worlds-no-dot-1-smartphone-maker

HealthIT.gov. (2014). CyberSecurity: 10 Best practices for the small health care environment. Retrieved from http://www.healthit.gov/providers-professionals/cybersecurity

Hill, M. (2010). 5 Terrifying ways your own gadgets can be used to spy on you. Retrieved from http://www.cracked.com/article_18532_5-terrifying-ways-your-own-gadgets-can-be-used-to-spy-you.html

Home Box Office, Inc. (2014). The Wire. Retrieved from http://www.hbo.com/the-wire#/

Microsoft. (2014). Safety and security center: Create strong passwords. Retrieved from https://www.microsoft.com/security/pc-security/password-checker.aspx

Tech Media Network. (2014). Top Ten Reviews: 2014 Best smartphone reviews and comparisons. Retrieved from http://cell-phones.toptenreviews.com/smartphones/

U.S. Department of Health & Human Services. (2014). Health Information Privacy: Guidance materials for consumers. Retrieved from http://www.hhs.gov/ocr/privacy/hipaa/understanding/consumers/index.html

U.S. Department of Justice. (2013). Privacy and civil liberties: Electronic Communications Privacy Act of 1986. Retrieved from https://it.ojp.gov/default.aspx?area=privacy&page=1285

Education, Tip of the Week, Trends & Technology

Part Two of the Practical Security Series: Awareness

A smartphone is a device that lets you make a phone call and also has many added capabilities similar to those of a computer. Email, playing games, taking photographs, an alarm clock, and editing documents are just a few examples of what a smartphone can do. Smartphones come in many flavors from a multitude of manufacturers, so the term is used here generally to describe a communications device with some traditional computing capabilities.

We all use our smartphones to learn about other people, places, or businesses, but have you ever thought about what your smartphone is revealing about you? As I enjoyed adding new apps to my brand-new smartphone, I was asked for permission by the application prior to installing. Like many people, I was fine until I saw that the application required full network access. The browser and other applications needed to send data to the internet. It wanted permission to read phone status and identity by accessing the device ID, etc. In addition, it wanted to read personal information about me by reading my web bookmarks and history. This application, and the unknown company behind it, will know all the URLs that my browser has visited, and all of the browser’s bookmarks. It can even see my Wi-Fi connection and use development tools for testing on my phone.
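The permission prompt described above can be reviewed before installation rather than after. The following is an added example, not code from the post or from any app vendor: it assumes a plain-text AndroidManifest.xml (as a decoding tool such as apktool produces from an APK) and uses a constructed manifest for a fictional flashlight app. The permission names are real Android identifiers; the first four match what the post's prompt asked for, and the last three are added here as ones spyware commonly abuses.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
INTERNET = "android.permission.INTERNET"

# Permissions worth a second look before installing, with what each lets an app reach.
SENSITIVE = {
    INTERNET: "send data to the internet (full network access)",
    "android.permission.READ_PHONE_STATE": "read phone status and identity (device ID)",
    "com.android.browser.permission.READ_HISTORY_BOOKMARKS": "read web bookmarks and history",
    "android.permission.ACCESS_WIFI_STATE": "view Wi-Fi connections",
    "android.permission.ACCESS_FINE_LOCATION": "track precise location",
    "android.permission.RECORD_AUDIO": "turn on the microphone",
    "android.permission.CAMERA": "turn on the camera",
}

# Constructed manifest for a fictional flashlight app that asks for far more than it needs.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.flashlight">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="com.android.browser.permission.READ_HISTORY_BOOKMARKS"/>
  <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
</manifest>
"""

def requested_permissions(manifest_xml):
    """Names of every <uses-permission> entry in a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml.strip())
    return [el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")]

def review(manifest_xml):
    """Return (package, findings); each finding is (permission, what it reaches, can_leave_device).

    A data-access permission paired with INTERNET is the combination that lets an unknown
    publisher collect the data remotely, which is the risk the post describes."""
    package = ET.fromstring(manifest_xml.strip()).get("package")
    perms = requested_permissions(manifest_xml)
    has_network = INTERNET in perms
    findings = [(p, SENSITIVE[p], has_network) for p in perms if p in SENSITIVE and p != INTERNET]
    return package, findings

if __name__ == "__main__":
    package, findings = review(SAMPLE_MANIFEST)
    print(f"{package}: {len(findings)} sensitive permission(s) requested")
    for perm, reach, leaves in findings:
        print(f"  {perm}: can {reach}" + (" and upload it" if leaves else ""))
```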

Background

In the past, personal digital assistants (PDAs) were used as portable organizers to store your contact information and to-do list, and they could sync with your desktop computer. Cell phones were only used for making telephone calls. Pagers are wireless telecommunications devices for receiving and displaying numeric or text messages only. With the popularity of smartphones, pagers and PDAs became less popular. Now it makes more sense to carry an Android phone because of its versatility and usefulness. Pagers enjoyed their popularity in the 90s both in healthcare and in illegal drug sales, as made popular by the HBO series The Wire. Healthcare, being focused on stability and guaranteed communications, stuck with pagers longer than most industries.

Reasons for buying smartphones include pricing, battery life, camera features (no endorsement implied), limited computing power, social networking support, and the list goes on. Another reason is popularity and ease of use. The Apple iPhone has been incredibly popular because of its charismatic look, high performance score, and image quality of 100% according to the Top Ten Reviews (2014) of the Apple iPhone 5s. However, the price of $649.00 is hefty compared to $199.99 for Samsung’s Galaxy S. Samsung is known for its gizmos, gadgets, and fun software such as the drama mode for moving pictures. The Top Ten Reviews (2014) image quality score for the Galaxy is only 80%, compared to 100% for the iPhone.

But who is snooping for your information?

Popularity aside, we should be asking ourselves how smartphones are being targeted or attacked. Criminals, advertisers, commercial organizations, and the government are the four big categories that come easily to mind. Criminals can install surveillance spyware to record your activities and upload the information to a web-based account. Some spyware can even enable your phone’s microphone and camera to listen in, and record your location.

An article written back in 2010 said it perfectly: “Thanks to the Bush administration and one Will Smith movie, we all have a fairly justifiable fear of government surveillance” (Hill, 2010). The author was referring to modern technology and hi-tech gadgets. Businesses use geofencing: a GPS-enabled cell phone runs software that lets managers know where their employees are located through an email alert. Employees are provided with a work cell phone for clocking in and out, recording their breaks, etc.

Just being aware of your actions and of existing federal laws is a great start. Read up on the Electronic Communications Privacy Act (ECPA), enacted in 1986. The ECPA (18 U.S.C. §§ 2510-22) includes the Wiretap Act, the Stored Communications Act, and the Pen Register Act. It can apply to both law enforcement agencies and companies.

Know your Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy for Consumers. Visit the U.S. Department of Health and Human Services for a video on guidance materials for consumers: http://www.hhs.gov/ocr/privacy/hipaa/understanding/consumers/index.html

General Provisions

The ECPA, as amended, protects wire, oral, and electronic communications while those communications are being made, are in transit, and when they are stored on computers. The Act applies to email, telephone conversations, and data stored electronically.

Amendments

The ECPA was significantly amended by the Communications Assistance to Law Enforcement Act (CALEA) in 1994, the USA PATRIOT Act in 2001, the USA PATRIOT reauthorization acts in 2006, and the FISA Amendments Act of 2008.

For detailed information: https://it.ojp.gov/default.aspx?area=privacy&page=1285

Sponsored by: RISC Management and Consulting, www.RISCsecurity.com

Contact us today for all your compliance needs: Sales@RISCsecurity.com