The Office for Civil Rights (OCR) just settled a HIPAA breach case with Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) after an employee at a skilled nursing facility run by CHCS lost an iPhone containing detailed patient information.

OCR is the office within the Department of Health and Human Services charged with enforcing the HIPAA rules. It has been particularly active of late when it comes to medical apps, including recent guidance on how HIPAA applies to them. Working with the FTC, it also recently put out a toolkit to help medical app developers understand how rules like HIPAA may apply to their products.

In this case, OCR was notified that an employee at a skilled nursing facility run by CHCS lost a facility-issued iPhone holding personal information on hundreds of patients, including their social security numbers. Inexplicably, the device was not even passcode-protected, let alone encrypted. That detail matters: under HHS guidance, PHI that is encrypted to the specified standard is not "unsecured" PHI, so losing a properly encrypted device generally does not trigger the breach notification rule at all.

We’ve done several articles recently on the development of secure medical apps. But in addition to these more sophisticated, development-oriented steps, it’s critical to remember that user-related factors (read: things clinicians do that we shouldn’t) are an equally significant vulnerability that has to be addressed.

A medical app security guide from the National Institute of Standards and Technology (NIST) addresses that point well (including loss of a mobile device). Some of the user factors it highlights that are worth remembering, especially given this action from OCR, include:

  • Losing a device, or having one stolen, that has PHI on it
  • Logging in to a device with PHI access and then walking away
  • Downloading viruses or malware onto a device that accesses EMRs or other health IT systems
  • Accessing health data over an unsecured network, like the Wi-Fi at the hotel you’re staying at during a conference
  • Weak passwords: if your password appears on any of the published lists of the most common passwords, change it now

Not only do many of these items pose a risk of data loss, they’re also points of entry into the entire health IT network: a compromised or stolen device that holds cached credentials or a live EMR session is a foothold, not just a leak. Recent attacks on major health systems have shown that hospitals are definitely not off limits here.

Source: National Law Review