HIPAA (Health Insurance Portability and Accountability Act of 1996) is the United States legislation that provides data privacy and security provisions for safeguarding medical information. HIPAA includes very specific requirements for protecting endpoint devices.
As the global leader in mobile security, Zimperium is uniquely positioned to provide insights into the intersection of HIPAA and mobile. The key questions Zimperium’s team most often encounters are the following:
Any security professional will tell you that carbon-based lifeforms (human beings) are the single biggest security risk. People sometimes make really bad decisions, like clicking on that phishing link in email or opening that unknown attachment. As bad as that is on traditional endpoints (that are controlled by IT and often never leave the safe confines of the protected corporate network), the situation is far worse on mobile. Users are the admins on mobile devices… they decide if and when to upgrade vulnerable OS’s and apps, which texts or instant messages to send, which WiFi networks to connect to, which apps to install, etc. Without any visibility into these devices, healthcare security teams are completely exposed to attack, and won’t even know where those attacks are coming from.
In order to meet the HIPAA requirements for secure endpoints, and help ensure texts, messages, emails and files are protected, healthcare organizations must implement the following to protect their endpoints:
|(a)(1)(ii)(D)||Information system activity review (Required). Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.|
|(a)(5)(ii)(A)||Install periodic security updates.|
|(a)(5)(ii)(B)||Protection from malicious software. Procedures for guarding against, detecting, and reporting malicious software.|
|(a)(5)(ii)(C)||Enable logging and log alerting on critical systems.|
|(a)(6)(ii)||Standard: Security incident procedures. Implement policies and procedures to address security incidents.|
|(a)(6)(ii)||Implementation specification: Response and Reporting (Required). Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity; and document security incidents and their outcomes.|
Traditionally, “endpoints” meant servers, desktops and laptops, but now healthcare organizations know that mobile devices must be included in the definition… and must be protected. In fact, the National Cybersecurity Center of Excellence noted that “patient information collected, stored, processed, and transmitted on mobile devices is especially vulnerable to attack.” This applies to HIPAA-related texts, messages and other content, whether stored on the device or sent to and from it.
A 2017 Breach Level Index report on breached records found that across all industries, Healthcare had the largest number of breaches at 25% of the total. At 14%, financial services was second at almost half of healthcare. The Ponemon Institute found that 48% of healthcare IT and IT security practitioners reported a breach involving loss or exposure of patient information in the past year. They also reported one of the biggest threats to be unsecured mobile devices.
To protect mobile devices of healthcare providers and staff against device, network, phishing and malicious application threats, healthcare organizations should implement Mobile Threat Defense (MTD) solutions like Zimperium zIPS. zIPS provides persistent, on-device protection for mobile devices and data in a manner analogous to next-generation antivirus on traditional endpoints. As such, it automatically addresses the HIPAA endpoint requirements listed above.
Mobile apps containing and processing patient data must be secured against attacks as well, even on patient-owned devices. Zimperium has a solution for that use case too, Zimperium zIAP.
Want to learn more about about mobile security and HIPAA, read “Managing Mobile Risk in Healthcare”.