HIPAA TIPS: Mobile Device Compliance Part 2
Install and enable encryption
What is encryption?
Encryption is the conversion of data into a form that cannot be read without the decryption key or password.
It is important to encrypt data stored locally on your mobile device (data at rest) and data sent by your mobile device (data in motion) so that it is protected from unauthorized users.
Why should you encrypt data stored on your mobile device?
When you encrypt data stored on your mobile device, you prevent unauthorized access to the data.
Encrypting the data on your mobile device with a valid encryption process consistent with FIPS 140-2 can help you meet HHS OCR Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals.
How can you encrypt data that is stored on your mobile device?
Encryption methods vary with the device. You will need to research your mobile device’s encryption capability. If your mobile device does not come with built-in encryption, you will need to download an encryption application (app). Research mobile apps before downloading them to your mobile device to verify they are from a trusted source.
Why should you encrypt data sent by your mobile device?
When you encrypt data in motion, you prevent unauthorized virtual access to the data while it is in transit (e.g., accessing an EHR system or lab test results using your mobile device). Consider carefully the risks associated with sending text messages containing protected health information. To improve the protection of information sent by text, consider using a secure messaging service that encrypts messages instead of SMS (Short Message Service), which does not.
For additional security when texting, disable SMS preview on your device. If SMS preview is left enabled, anyone holding the device can read incoming text messages on the locked screen without authenticating or being authorized to see them.
How can you encrypt data that is sent by your mobile device?
There are several different ways to encrypt data in motion, such as a virtual private network (VPN) or a secure browser connection.
The National Institute of Standards and Technology (NIST) has several Special Publications regarding encryption processes for data in motion, including SP 800-52 and SP 800-77. SP 800-52 has information about transport layer security (TLS). TLS protects data while it travels across the Internet; the "https" prefix in a website's address indicates that the connection to that site uses TLS. SP 800-77 has information about virtual private networks (VPNs).
Source: HealthIT.gov