Page 26 - Part 1 Navigating Electronic Media in a Healthcare Setting
SVMIC Navigating Electronic Media in a Healthcare Setting
Mobile healthcare devices often lack robust security controls, are used to connect to networks via public Wi-Fi and have considerable potential for theft or loss. If patient privacy violations and HIPAA penalties are to be avoided, it is essential that mobile data security risks are thoroughly assessed and addressed.
One of the main aims of HIPAA legislation is to protect the privacy of patients and health plan members. HIPAA regulations force healthcare organizations and individual care providers to adopt a minimum set of standards to protect the privacy of patients and keep data secure.
Robust mobile data security and HIPAA compliance are not optional. Failure to comply with HIPAA regulations is likely to be costly. Fines of up to $1.5 million – per violation category, per year that the violation has been allowed to persist – can be issued by the Department of Health and Human Services (HHS) Office for Civil Rights. Other federal agencies can issue fines, as can state attorneys general. There is also the considerable cost of a breach response to cover if data is potentially exposed.
One of the most fundamental elements of mobile data security is the risk assessment, a mandatory requirement under the HIPAA Security Rule. It is possible to construct robust security defenses by incorporating all of the standard defense measures: firewalls, anti-virus protection, anti-malware programs, authentication and password controls, etc. However, unless a full risk assessment has been conducted, it is impossible to know whether security vulnerabilities remain.
A risk assessment must cover the entire IT infrastructure: company policies, administrative processes, physical security controls and all systems and equipment capable of storing, transmitting or