“PCT Team,” we frequently hear cried out to us, “is it HIPAA-okay to use my smartphone and laptop in my practice???”
We’re happy to report that the answer is a resounding, “yes!” But first, you need to make sure your snazzy tech devices are prepared to handle client information in a secure and compliant manner by performing a few security tasks.
Fortunately, almost every person can do almost every security task with almost every device without buying anything new.
Performing these security tasks is called, “device hardening.” No, it doesn’t sound very warm and fuzzy. But trust us, we’ve seen it over and over again where a colleague certainly feels warm and fuzzy when they know their devices are properly “hardened” against security issues. They consistently report being able to sleep soundly knowing that a lost computer or errant virus isn’t going to result in having to notify all their clients about a security breach. It’s also great just knowing that you’ve got this important task taken care of.
So even though HIPAA compliance is an ongoing process, and device hardening is not the same as compliance, it is a huge step towards preventing HIPAA-related problems and getting closer to actual compliance. That’s especially true for solo practices, where just hardening a couple personal devices fills in a huge chunk of the practice’s HIPAA Security picture.
Action Item Checklist for “Hardening” Your Gear
Doing the action items in the following two lists will usually get any practice device hardened to the standards set by HIPAA. Sound good? Let’s get moving!
In this article, we don’t explain how to do each of these things. If you are tech-comfortable, then you can likely figure it out with some YouTube searches. Or maybe a friend can help you.
If you want more direct help without having to resort Google, our Device Security Pack contains therapist-friendly howto videos for every action item on every device you are likely to have. It also includes a 1-hour CE course and a HIPAA Security policy template. Get the Device Security Pack, including the CE course that goes with it, here.
These 5 items are mostly set-and-forget. Just make sure you don’t turn them off at all!
- Full-Device Encryption: What if your smartphone and computer scrambled all your data (i.e. encrypted it) before “writing it down” on the device’s hard drive? That would make the info on the device nigh-invulnerable to confidentiality breaches if it got lost or stolen! Your info can achieve this state of nigh-invulnerability through a thing called full-device encryption (sometimes it’s called “full-disk encryption.”)
- Strong device password: Encryption is no good without a strong encryption key. And your device’s password acts as the key to your encryption. So make it strong (the 6-digit PIN codes that smartphones have won’t cut it.) Likewise, putting a password on your device does little good if you don’t also turn on full-device encryption.
- Antivirus/antimalware: You need to keep bad guys out of your devices, and that means keeping viruses and other malware out. So make sure you’ve got antivirus running and updating every day (yes, even on Macs!) (But iPhones and iPads have their own ways of dealing with viruses and can’t use additional antivirus — so no worries there.)
- Active firewall: The firewall is that bit of software that keeps popping up an annoying window asking if you want to let iTunes receive connections from the Internet. It may be mildly annoying, but it’s super important for keeping out bad guys and, sometimes, keeping out viruses. Make sure your device has a firewall turned on (or does something equivalent to a firewall, like iPhones, iPads, and Chromebooks do.)
- Automatic logout/lock: Your device should lock you out after a short period of idle time. This means that if you leave a computer sitting there or your smartphone unlocked, people can’t just walk up to it and start interacting with your programs and files.
These action items might require you do something on a schedule. None of them should be too onerous, though!
- Keep backups, where needed: If you have a device which holds client info that isn’t found anywhere else, you need to keep that info backed up. And if you use an external hard drive or thumb drive to do it, remember to encrypt the external hard drive or thumb drive! (Also, store them “offsite.” E.g. store your computer at home and the computer’s backup at the office.)
- Keep the OS software updated: Security issues evolve all the time. Keeping the device’s software updated helps you stay on top of it.
- Make sure the device isn’t sending client information to places it shouldn’t (e.g. Apple iCloud or Google): Apple products like to be helpful and “synchronize” your app data to your iCloud account. Androids and Chromebooks do this with Google, and Windows might be doing this with your MSN account. Remember that if there is any client info in those apps, then the client info is being sent to Apple servers, Google servers, or Microsoft servers — possibly without the HIPAA-required Business Associate Agreements. Make sure you stop your devices from “syncing” any apps that handle client info — or just get those Business Associate Agreements (hint: Apple definitely won’t do the Business Associate Agreement!)
- Make a separate user account for your practice, where available: Smartphones don’t really do multiple user accounts, but computers do! It’s a good idea to make a separate user account (on devices that allow it) for doing your practice business. This helps prevent a lot of potential errors that can result in security “oopsies.”
When you dig into it, there’s a lot to unpack here about HIPAA standards, breach notification, and other fun stuff like that. And you can do that digging right here on this site (just read our curated articles on HIPAA to get the full picture.)
But the nice thing about device hardening is that whether or not you dig into the “why” parts of it, the “what” parts will work for you. Modern consumer devices are built to support a wide array of HIPAA-friendly security measures. You just have to turn them on. So get to it!
How to Protect Clients and Comply with HIPAA’s Device Security Standards in One Afternoon
Everything you need to get your devices “hardened” and document your security tasks the HIPAA way. Includes a 1-hour CE course, a template HIPAA Security policy, slow-paced how-to videos for every security task on every device you need to harden, and checklist forms for documenting your HIPAA Security tasks!