This week we have a client who is trying to decide whether to supply mobile phones to their employees or have them use their own (Bring Your Own Device, or BYOD).
The question was, “We are using cloud based apps to store PHI, and there wouldn’t be any data stored locally on the phones. So, if the only PHI/PII data is in an app that requires a password to access, are we at risk of a breach and does being able to wipe the data off the phone really matter since all PHI is housed on the cloud?”
Here is a list of questions we came up with for the company to be HIPAA compliant with its cloud provider:
- You must have a Business Associate (BA)/Subcontractor agreement in place with the cloud company.
- You should ask to audit their policies and procedures. This should cover where the encryption keys are stored, who has access to them, and how often they are rotated. (Remember, according to the Common Agency provision in HIPAA, you are REQUIRED to make sure your subcontractors are compliant. This is a great way to make sure they are compliant. If they don’t have privacy and security policies and procedures, RUN AWAY, do not pass go, do not collect $200!)
- How are you going to transmit information to the provider? Does the provider have a valid SSL/TLS certificate, so the information is encrypted in transit? (Make sure they have updated their systems since the Heartbleed issue, and if they have, make sure you’ve updated all your passwords!)
- How, and whom, will they contact in the event of a breach? Make sure this is covered in the BA/Subcontractor Agreement.
- HIPAA requires a minimum of 128-bit encryption; we recommend 256-bit. Most providers are using 256-bit encryption these days.
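The two technical items above (a valid certificate with encryption in transit, and at least 128-bit encryption with 256-bit preferred) can be checked rather than taken on the provider's word. The script below is an added example, not code from the original post or from any provider: `evaluate_handshake()` scores one observed handshake against that policy, and `probe_endpoint()` performs a real handshake against a host name you supply. The TLS 1.2 floor is this example's assumption (the post only states key length), and the sample handshakes at the bottom are constructed values, not real providers.

```python
import socket
import ssl
from datetime import datetime, timezone

# Policy from the post: at least 128-bit encryption, 256-bit recommended.
# The TLS 1.2 protocol floor is an assumption of this example, not from the post.
MIN_TLS_VERSION = (1, 2)
MIN_CIPHER_BITS = 128
RECOMMENDED_CIPHER_BITS = 256


def tls_version_tuple(name):
    """Map OpenSSL protocol names ('TLSv1.3', 'TLSv1', 'SSLv3') to a comparable
    (major, minor) tuple. Anything that is not TLS sorts below every TLS version."""
    if not name.startswith("TLSv"):
        return (0, 0)
    parts = name[4:].split(".")
    minor = int(parts[1]) if len(parts) > 1 else 0
    return (int(parts[0]), minor)


def cert_not_after(not_after_str):
    """Convert the 'notAfter' string from getpeercert() to an aware UTC datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after_str), tz=timezone.utc)


def evaluate_handshake(protocol, cipher_bits, not_after, now=None):
    """Score one observed handshake against the policy.

    Returns a dict with 'compliant' (bool), 'failures' (policy violations) and
    'warnings' (meets the minimum but not the recommendation)."""
    now = now or datetime.now(timezone.utc)
    failures, warnings = [], []
    if tls_version_tuple(protocol) < MIN_TLS_VERSION:
        failures.append(f"protocol {protocol} is below TLS {MIN_TLS_VERSION[0]}.{MIN_TLS_VERSION[1]}")
    if cipher_bits < MIN_CIPHER_BITS:
        failures.append(f"cipher offers {cipher_bits} bits, minimum is {MIN_CIPHER_BITS}")
    elif cipher_bits < RECOMMENDED_CIPHER_BITS:
        warnings.append(f"cipher offers {cipher_bits} bits, {RECOMMENDED_CIPHER_BITS} recommended")
    if not_after <= now:
        failures.append(f"certificate expired on {not_after.isoformat()}")
    return {"compliant": not failures, "failures": failures, "warnings": warnings}


def probe_endpoint(host, port=443, timeout=5.0):
    """Perform a real handshake and evaluate it. create_default_context() verifies
    the chain and the host name, so an untrusted or mismatched certificate raises
    ssl.SSLCertVerificationError before we get here; treat that as a failure too."""
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with context.wrap_socket(raw, server_hostname=host) as conn:
            _cipher_name, _cipher_proto, bits = conn.cipher()
            cert = conn.getpeercert()
            return evaluate_handshake(conn.version(), bits, cert_not_after(cert["notAfter"]))


# Constructed handshake observations for offline use (not real providers):
# (protocol, cipher secret bits, certificate notAfter in OpenSSL text form).
SAMPLE_HANDSHAKES = {
    "good-provider":   ("TLSv1.3", 256, "Jan  1 00:00:00 2099 GMT"),
    "minimum-only":    ("TLSv1.2", 128, "Jan  1 00:00:00 2099 GMT"),
    "legacy-provider": ("TLSv1",   128, "Jan  1 00:00:00 2099 GMT"),
    "expired-cert":    ("TLSv1.3", 256, "Jan  1 00:00:00 2020 GMT"),
}


def evaluate_samples():
    """Evaluate every constructed sample; returns {name: result dict}."""
    return {name: evaluate_handshake(proto, bits, cert_not_after(exp))
            for name, (proto, bits, exp) in SAMPLE_HANDSHAKES.items()}


if __name__ == "__main__":
    for name, result in evaluate_samples().items():
        verdict = "PASS" if result["compliant"] else "FAIL"
        print(f"{name:16} {verdict}  failures={result['failures']} warnings={result['warnings']}")
    # To check a real provider: print(probe_endpoint("provider.example.com"))
```

The offline samples show the three outcomes the policy distinguishes: a clean pass, a pass with a warning (128-bit meets the minimum but not the 256-bit recommendation), and failures for an old protocol or an expired certificate. Because `probe_endpoint()` uses the default verifying context, a certificate that does not chain to a trusted root, or whose name does not match the host, is rejected by the handshake itself, which is the "valid certificate" part of the question.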
And here is what they should require of their employees:
- Have a clear BYOD policy, and make sure your employees read, understand, follow, and sign an acknowledgement that they agree to the terms of the policy. This will save you a lot of headaches in case there is a lost phone, or the employee leaves or is fired. CYA is the name of the game, people!
- How often are you requiring password changes for your employees? This is usually your most vulnerable point. Make sure you require them often. I would suggest every 90 days… 3 months. Passwords get fatigued very quickly!
- For this client, all the information is stored in the cloud. Make sure that you have the ability to lock out the employee, or lock out access to the system, in the event the phone is lost or the employee quits or is terminated.
- Make sure the system requires a login every time the program is opened. This function should never be disabled by the employee!!! I know, I know, putting in passwords is cumbersome, but so is contacting every one of your clients and telling them their PHI/PII has been compromised, and paying fines. Make your choice – which sounds like a bigger pain?
- Is there a time-out function on the phone? The answer to this question should be yes, and it should be enabled at all times. I require a password to use my phone at all times. Yes, it is cumbersome… and that leads to the next point.
- Make sure that all phones are encrypted and password protected. But since there isn’t any PHI stored on the phone itself, the employer can decide if they want to have the ability to erase the phone. As the owner of 2 lost iPhones, I will tell you that the ability to blow that phone up remotely is a great/necessary security feature.
- Enable or use phone-tracking software like LoJack, Find My iPhone, or something similar.
This is by no means everything that you need to think of, but this will get you started. Anyone else have any other thoughts? You can email me here, and if it makes the cut, I will add it to the list.
Don’t forget, folks, I do this every week, so you can sign up in the right toolbar and subscribe to my blog. If you have any questions or comments, you can email me here, and maybe your question will make the blog!
Stay HIPAA Compliant friends, and let’s all stay off the HHS Wall of Shame.