Mobile Device Security

Posted by BAS - 12 July, 2012


Consider the following scenario: Joe Tech, HR Benefits Manager for ABC, Inc., accesses his work email on his personal smartphone via webmail. Joe carries his smartphone everywhere and frequently responds to ABC work emails from it before and after work hours. Joe’s phone is stolen from his car while Joe is at the gym. If Joe’s smartphone contains Protected Health Information (PHI) or permits access to PHI (for example, because the mail client caches messages and attachments locally or keeps the webmail session signed in), ABC, Inc.’s group health plan may have experienced a HIPAA/HITECH breach, triggering breach notification requirements and opening the door to an HHS Office for Civil Rights (OCR) audit.

Every entity should establish a policy addressing employee use of personal devices for official employer business. Some employers simply prohibit the use of personal devices to access company networks. Other organizations develop what are generally referred to as Bring Your Own Device (“BYOD”) policies. There are several considerations in developing a BYOD policy. They include:

1. Limiting Devices: Consider limiting the types of devices you will support in order to limit your organization’s exposure. For example, you could require that the device support full-device encryption and remote data wipe, and that both be turned on before the device is allowed to access company data. Note that a remote wipe only works if the device is powered on and reachable over the network, so encryption combined with a screen lock is what actually protects the data on a phone that has been stolen and switched off. Limiting the devices can also reduce the impact on your IT team, allowing them to become experts in how to protect your data and networks in the event of loss or theft of the mobile device.

2. Mandating Certain Behaviors: Whatever your expectations, make your policy clear. Consider requiring all mobile devices to be protected by a passcode with an automatic screen lock after a short idle period. Require employees to notify the IT team immediately upon loss or theft of the device, so that a remote wipe can be issued and passwords for any accounts reachable from the device can be changed while the window for misuse is still small.

3. Limiting Employees: Evaluate the security risks associated with each type of role in the organization and determine in advance whether or not the BYOD policy will be available to that role. In considering which roles will be supported by the BYOD policy, be mindful of running afoul of Fair Labor Standards Act (FLSA) issues for non-exempt employees, whose after-hours work on a personal device may be compensable time.

4. Enterprise-Level Risk Assessment: Document your thought process, being sure to articulate not only the final policy decisions but also the risks and benefits of allowing employees to use their personal devices to access your data and networks. Make sure this documentation is incorporated into your HIPAA Risk Analysis documentation for future reference.

Mobile devices remain a hot topic in HIPAA Privacy and Security as well as HR Compliance. For more assistance in making sure your BYOD policy does not violate HR compliance laws, contact PR@BASusa.com.
