Mobile devices make it convenient for healthcare providers to work outside the office. But connecting to public WiFi networks—whether at a coffee shop, airport, or hotel—introduces risks to protected health information (PHI). Here’s how to identify unsecured networks and take the necessary steps to protect PHI.
Understanding WiFi Security
Public WiFi networks can be classified as secured or unsecured, but neither guarantees safety:
- Unsecured networks allow anyone to connect without authentication, such as a password.
- Secured networks require additional steps, like accepting terms, creating an account, or entering a password.
The concern with both is the same: malicious actors may intercept data or gain access to your device. For healthcare providers, this means the potential exposure of PHI—a violation of your HIPAA obligations. No public WiFi network is entirely secure, so taking proactive steps to protect patient data is critical.
How to Protect PHI When Using Public WiFi
As a HIPAA-covered entity, you must secure PHI regardless of the technology or network. Ideally, avoid accessing PHI on public WiFi altogether. If you must, follow these four steps to reduce risk.
1. Use a VPN and Secure Browser Connections
A Virtual Private Network (VPN) encrypts all data transmitted between your device and the internet, making it inaccessible to unauthorized parties—even on public WiFi. Many healthcare organizations provide VPNs for their employees, but if yours doesn’t, choose a reputable service with robust encryption standards.
Additionally, ensure the websites you access use secure browser connections. Look for “https://” in the address bar, which indicates that data exchanged between your browser and the website is encrypted. Modern browsers like Chrome also flag unencrypted sites with a “Not Secure” warning—an added layer of protection.
2. Encrypt Data on Your Mobile Devices
Most modern mobile devices offer built-in encryption. For example, Apple devices automatically encrypt data when a passcode is enabled. That said, it’s a good idea to double-check your settings and ensure this feature is activated.
Encryption adds another layer of security, protecting data even if your device is compromised or stolen.
3. Use Strong Passwords and Authentication
Passwords remain a first line of defense against unauthorized access. Follow these best practices:
- Use complex passwords that combine letters, numbers, and special characters.
- Avoid reusing passwords across devices or accounts.
- Enable Two-Factor Authentication (2FA) whenever possible for an added layer of security.
Strong password hygiene helps protect PHI from opportunistic attacks over public WiFi.
4. Maintain Physical Control of Your Devices
The risks of working in public spaces aren’t limited to digital threats. Physical security is equally important:
- Always lock your screen when stepping away from your device, even briefly.
- Be aware of your surroundings to avoid “shoulder surfing,” where someone nearby views sensitive information on your screen.
- Keep devices like laptops and smartphones with you to prevent theft.
Small, practical habits can go a long way in ensuring the security of PHI.
Are Mobile Hotspots Safer than Public WiFi?
Mobile hotspots provide an alternative to public WiFi, often with stronger security. When you use a hotspot, your device connects to the internet through your mobile carrier’s network rather than a shared public one. Using a mobile hotspot instead of public WiFi can significantly reduce the risk of data interception.
However, there are still considerations for using mobile hotspots securely:
- Set a Strong Password: Protect your hotspot with a unique password to prevent unauthorized access.
- Use Encryption Settings: Most devices offer WPA3 or WPA2 encryption for mobile hotspots. Enable this in your settings.
- Monitor Data Usage: Keep an eye on your device to ensure no unauthorized connections use your hotspot.
- Turn It Off When Not in Use: Disable your hotspot when you finish using it to minimize exposure.
While mobile hotspots offer enhanced privacy, they aren’t entirely risk-free. Use the same security practices you would with any device handling PHI.
Protect PHI When Working in Public
Protecting PHI requires a proactive approach to security. Healthcare providers and organizations can foster a culture of security awareness by emphasizing the importance of best practices when working in public spaces.
For more information, the HealthIT.gov Mobile Device Privacy and Security initiative is a good first stop. Their resources provide actionable steps for safeguarding PHI on the go.