Full-disk encryption is one of the strongest protections you can give your clients and your practice against privacy breaches: if an encrypted device is lost or stolen while locked or powered off, the data on it stays unreadable. Used properly, it also qualifies the device for the safe harbor in HIPAA’s Breach Notification Rule, because properly encrypted PHI is not “unsecured PHI.” Use it on every device that touches client information. Keep in mind that encryption only protects data at rest; it does nothing for a device that is unlocked and in someone else’s hands, which is why the passcode and idle-lock items below matter just as much.
Good news: there is no separate step for turning encryption on with iPhones and iPads. As soon as you set a passcode, the device’s data protection (encryption) is enabled along with it. Mark your BYOD form as a yes (not N/A) to document that you have confirmed FDE is in place.
So to activate encryption on your iPhone or iPad, you need only set a strong passcode (a six-digit or longer numeric code, or better, an alphanumeric one).
This item (separate user accounts) is not applicable to iPhones or iPads. It applies to laptop and desktop computers, and to Surface tablets. Phones and other tablets cannot create multiple user accounts. If you are working through the security instructions for one of those device types, you will find a video or written instructions for it here.
Your device’s login password or passcode is also what unlocks its encryption key, so the encryption is only as strong as the password protecting it. Be sure to set a strong one. Strong passwords are also a HIPAA standard.
iPhones and iPads do not have antivirus software that you can activate. The function of antivirus is performed instead by the way iOS manages apps: every app runs in its own sandbox, isolated from other apps’ data, and apps can only be installed after Apple has reviewed them for the App Store. Mark your BYOD form as a yes (not N/A) to document that you have confirmed antivirus protection is in place.
iPhones and iPads do not have a firewall that you can activate. The function of a firewall is performed instead by the same app sandboxing: an app cannot listen for or accept connections on behalf of the rest of the device. Mark your BYOD form as a yes (not N/A) to document that you have confirmed firewall protection is in place.
It is important that device software be kept up to date, because manufacturers issue security updates frequently and the flaws they fix are often being actively exploited by the time the update ships. Turning on automatic updates is the simplest way to stay current. Keeping system software updated is also a HIPAA standard.
HIPAA requires that devices automatically lock or log out after a short period of idle time. This prevents someone from walking up to, or picking up, a device you left unlocked and using your session to read or change client information. A short auto-lock interval (a few minutes at most) is the setting to confirm.
Most mobile devices include software that lets you track their location and remotely lock or erase them. This is a very strong measure for recovering lost devices or, at least, learning what happened to them, which can be very helpful in a security incident investigation. It works best with smartphones, because their cellular connection lets them stay on the Internet as they move around; a Wi-Fi-only tablet or laptop can only report its location when it happens to connect to a network.
Apple devices, including iPhones and iPads, try to be “helpful” by sending backups and synced copies of the information on the device up to iCloud. This is a security problem: your Apple account is a personal consumer service with no business associate agreement covering it, so it should not be holding client information for us. Review which apps back up and sync to iCloud, and turn it off for anything that holds client data.
For a deeper dive, check out this video on how to manage iCloud syncing, including how to delete files from iCloud.
If your personal device holds information about client care that is not also stored on another device or service, you need to keep it backed up, and the backup must go somewhere appropriate for PHI (see the iCloud item above). Maintaining backups of all PHI is a HIPAA standard.
A few examples of data often found on personal devices:
Text messages with clients
Emails with clients
Clinical notes about clients
Written reports
Superbills
For iPhones and iPads: if the device is not jailbroken, apps can only be installed through Apple’s App Store after Apple has reviewed them, so unapproved software cannot be installed. You are in the clear; mark the item as a yes.
Many people deliberately jailbreak their iPhone to make the device more flexible. Doing so removes the app sandboxing and code-signing protections that the antivirus and firewall items above depend on, and makes the device far more vulnerable to malicious software. For that reason, jailbroken devices are not allowed for practice work under the Bring Your Own Device Policy.