LDES mobile applications are currently designed for Apple iOS-based “iDevices” running iOS 9.0 or later: iPhone, iPad and iPod Touch. The closed-architecture of iOS provides more security than other operating systems. The engine that powers the LDES App has a higher level of security going beyond standard Apple security protocols. Thus, meeting LDES’s strict “Technical Safeguards” towards full HIPAA compliance. The application has also been used in projects that require FISMA (Federal Information Security Management Act and ISO9001 (International Organization for Standardization) compliance.
Key Benefits to the LDES Anesthesia Software App
- End-user friendly and efficient data entry
- Ensures accurate data capture and eliminates redundancy
- Maximum security – meets "Technical Safeguards" for HIPAA Privacy and Security
- Real time data upload
- Offline data collection (out of service, no Wi-Fi)
- Massively scalable
With iDevices there is no way to achieve a security setup that can earn you safe harbor from the HIPAA Breach Notification Rule. Instead, the security approach is a strategic increase in vigilance around protecting the device and the ePHI on it. Fortunately, Apple provides a number of ways to help us do this.
Administrative and Physical Safeguards:
HIPAA Privacy and Security for an iDevice not only requires “Technical Safeguards”, but also the implementation of the following “Administrative” and “Physical Safeguards”.
- Documenting policies to protect ePHI on mobile devices
- Develop and distribute information about how to keep mobile devices safe
- Document procedures on steps to take in the event that a device goes missing or has been accessed by someone without authorization
How to Protect and Secure electronic Health Information (ePHI) When Using a Mobile Device
1. Install and enable encryption to protect ePHI stored or sent by mobile devices:
The iOS device provides a dedicated AES 256-bit hardware encryption for all data stored on the device, data in transmission, and additional encryption of email and application data with enhanced data protection. If a user accesses secured online applications from the device, such as a cloud-based EHR from the device, the encryption for the application will also work on the mobile device. You don’t have to encrypt all the data on your iPhone to be HIPAA-compliant, especially if you make use of the other security features like remote tracking, remote wipe, and good passcodes.
2. Touch ID & Passcodes:
On your iOS device change your 4-digit pin to a stronger passcode. Go to Settings / Touch ID & Passcodes and Disable Simple Passcode. Enter a passcode between 7 – 10 alphanumeric characters. The next time you go to unlock the phone, enter the new longer passcode.
Use these passcode settings to maximize passcode security:
- Set Require Passcode to “Immediately”.
- Enable Erase Data to automatically erase the device after ten failed passcode attempts. This is a powerful tool for preventing security breaches.
- Use Touch ID, a biometric tool, to create fingerprint authentication to confirm the user’s identity. Turn on iPhone Unlock, this will allow Fingerprint authentication which is less onerous than entering a password each time.
- Under section “ALLOW ACCESS WHEN LOCKED”, disable the use of “Siri” when the phone is locked. You don’t want this voice-activated feature to be used to access information on the device when the phone is locked. The solution is to not use Siri to dictate protected health information. Just make sure you type it.
3. Remote Tracking:
Go to Settings > iCloud > Find My iPhone/iPad/iPod. As long as the device is connected to Wi-Fi or has a cellular signal, it can be located using the iCloud feature. If the phone is ever lost or stolen, log in to iCloud with the Apple ID used to set up the account and put the device in “Lost Mode.” This allows the device to be remotely locked or even erased. For added security, turn on Restrictions to prevent anyone from turning off “Find My iPhone” by going to Settings > General > Restrictions On.
4. Remote Wipe:
If the device is permanently lost, the ultimate defense against a security breach is to remotely delete all data on the device. To accomplish this task, the iPhone or iPad must be connected to Wi-Fi or have a cellular signal. If you need to take this approach, be aware of is that once the device is “wiped” it can no longer be “tracked.” For best results, backup the device often, so that the data can be restored to a new device, or the old one, once it’s found. One caveat, however: once you wipe the device, you can no longer use the Remote Tracking feature to find it! Wiping the device means saying goodbye to it.
5. LDES App Secure Notifications – Disable SMS (Short Message Service) Preview:
If you do not have SMS preview disabled on your device then others can view text messages on your device’s locked screen. Your SMS notifications from the LDES mobile app should not allow the message to be displayed until the user’s identity is confirmed with fingerprint authentication or an alphanumeric passcode.
- Go to SETTINGS > Notifications > Messages > Enable Allow Notifications > Enable Show on Lock Screen > Disable Show Previews
- Go to SETTINGS > Notifications > LDES > Enable Allow Notifications > Enable Show on Lock Screen
6. Auto-Login to Apps:
Enabling the mobile device’s time-out or automatic logoff feature can prevent a threat to the confidentiality and security of ePHI. Though it is inconvenient entering passcode each time, enabling fingerprint authentication improves efficiency. IMPORTANT: The native Mail application on iOS devices cannot disable the auto-login feature (meaning it remembers your password). For this reason, mails accessed from mobile devices have a higher risk of security breach. A HIPAA-compliant way of accessing email from an iOS device would be to login through a browser, making sure to logout after each session.
7. File Sharing:
Applications like Dropbox or Google Drive can put your data at risk. The two main points to know about these types of applications are 1) they have not signed Business Associate Agreements agreeing to keep PHI secure and protected and 2) they allow other users to connect and trade files which can also enable unauthorized users to access your information without your knowledge. Reduce this known risk easily by simply not using file-sharing applications for PHI on mobile devices. Caution when using iPhoto if you have sharing turned on. All images of ePHI are taken within the app. However, if you take snapshots outside of the LDES app, they will be shared in iPhoto if sharing is turned on.
8. Firewalls and Antivirus:
Apple's closed architecture of iOS makes it not possible to get a firewall or antivirus onto the device. What makes it secure is that Apple iOS uses a closed architecture to create restrictive iOS security, which makes this less of a concern than it might be on another operating system. However, it’s important to stay current with software updates, as Apple is continually patching security holes as they become apparent.
Remember that products and services are not HIPAA compliant or non-compliant, only we (covered entities and business associates) are. HIPAA compliance is a process of identifying risks, making a plan to reduce them and recording these policies and procedures required by the government.
Summary of Online Mobile Device Privacy and Security
- Use a password or other user authentication
- Install and activate wiping and/or remote disabling to erase the data on your mobile device if it is lost or stolen.
- Disable and do not install or use file-sharing applications.
- Install and enable a firewall to block unauthorized access. Not needed in iOS – Apple devices.
- Install and enable security software to protect against malicious applications, viruses, spyware, and malware-based attacks.
- Keep your security software up to date by staying current with iOS software updates, as Apple is continually patching security holes as they become apparent.
- Research mobile applications (apps) before downloading.
- Maintain physical control of your mobile device. Know where it is at all times to limit the risk of unauthorized use.
- Use adequate security to send or receive health information over public Wi-Fi networks.
- Delete all stored health information on your mobile device before discarding it.
If you need technical help, engage your IT department or manager for assistance.
HealthIT.gov has published guidance on using mobile devices in clinical practices. Here is a complete list of recommended security features to protect mobile devices. A strategic approach to earn you safe harbor from the HIPAA Breach Notification Rule would be to be increasingly vigilant in protecting any mobile device that may have protected health information on it.
LDES App Security