Medicaid Enterprise Systems Conference 2012

Transcription

1 Medicaid Enterprise Systems Conference 2012 Best Practices for Using HIT and HIEs to Keep PHI Secure in an Increasingly Mobile and Technical World Presenters: Charles Sutton, Senior Executive Health Product Line Ira J Rothman, MBA, CPHIMS, CIPP/US/IT/E Senior Vice President - Privacy Official irarothman@maximus.com Moderator: Michael R. Chowning, PMP South Carolina

2 X4: Best Practices for Using HIT and HIEs to Keep PHI Secure in an Increasingly Mobile & Technical World Sharing Information with Members, 2012 Style Charles Sutton, Senior Executive Health Product Line Medicaid Enterprise Systems Conference August 23, 2012

3 Todays Technology Creates Tremendous Opportunity Information is not only available, but accessible Modern MMIS contains a wealth of information HIE connects with the entire health ecosystem SOA architecture enables sharing through standards based web services Internet provides access to just about anything Mobile devices mean instant access, anywhere Copyright 2012 Accenture All rights reserved. 3

4 Connecting With Members Has Not Always Been A Focus Engaging Members in their own care is what s next Focus has historically been on Providers Most programs have limited Member interactions Assign/locate PCP Health/disease management Complaints Engaging Medicaid Members can improve the experience and help to optimize health care Using technology, Members can self-enable, achieving the benefit with Medicaid efficiency Copyright 2012 Accenture All rights reserved. 4

5 But This Is Medicaid, What of the Digital Divide Divide remains, but mobile changes everything The rise of mobile is changing the story. Groups that have traditionally been on the other side of the digital divide in basic internet access are using wireless connections to go online. Among smartphone owners, young adults, minorities, those with no college experience, and those with lower household income levels are more likely than other groups to say that their phone is their main source of internet access. Copyright 2012 Accenture All rights reserved. 5

6 Do Members Even Want to Participate? Yes, and digital channels are preferred Copyright 2012 Accenture All rights reserved. 6

7 If You Build It, Will They Come? Yes, but the interaction must be compelling The challenge to engaging members in the process is more about the what than the how Utility is important, but convenience is the key Navigating the healthcare system is daunting even for the experienced can we make it more friendly? Copyright 2012 Accenture All rights reserved. 7

8 What Types of Services Will Entice Member Participation? Members want to be engaged in their own care Lots of possibilities: Benefit/coverage information Treatment options Plan-of-Care progress/ management Prescription info and drug interactions Immunization registry Copyright 2012 Accenture All rights reserved. 8

9 Of Course, There Are Challenges The technology is here, but challenges remain Privacy & Security Concerns Must be Addressed Broad access and multi-channel heightens concern Influx of new users may put strain on network and computing capacity The Network continues to evolve It may take time before all desired data is available A compelling roadmap for release of capability will be key to steady rate of adoption Considerable outreach/promotion may be necessary Potential for increase in fraudulent activity Copyright 2012 Accenture All rights reserved. 9

10 Sharing Information with Members, 2012 Style Sharing information with Members is a new frontier Technology provides us tremendous opportunities to engage Medicaid Members in the health services The rise of mobile internet spans the digital divide Not only will they engage, but they expect it Interactions must be meaningful to gain acceptance Mobile access opens new doors, but also create new and challenging security & privacy concerns Engaging Members in the process can positively impact health outcomes Copyright 2012 Accenture All rights reserved. 10

11 Wrapping Up Questions, Comments, Thoughts? Copyright 2012 Accenture All rights reserved. 11

12 Medicaid Enterprise Systems Conference 2012 X4: Best Practices for Using HIT and HIEs to Keep PHI Secure in an Increasingly Mobile and Technical World Ira J Rothman, MBA, CPHIMS, CIPP/US/IT/E Senior Vice President - Privacy Official irarothman@maximus.com August 23,

13 Agenda v Use of technology in the community v Privacy & Security Risks v Best Practices for Communication v Mobile Device Security Best Practices 13

14 Use of technology in the community 14

15 Use of technology in the community 15

16 Changes in Cell Phone Internet Use by Demographic April 2009 April 2012 Change All cell owners 31% 55% +24 % Age Household Income < $30, $30,000 - $49, $50,000 - $74, $75, Source: Pew Research Center s Internet & American Life Project March 15 April 3,

17 Privacy & Security Risks Over the past three years, about 21 million patients have had their medical records exposed in data security breaches that were big enough to require they be reported to the federal government. Mobile devices in the form of laptops and other unencrypted devices were a large source. Five general causes in the report of large breaches Theft Loss of electronic media or paper records containing PHI Unauthorized access to, use, or disclosure of PHI Human error Improper disposal 17

18 Communication with the member population Social Media Facebook Twitter Web US Mail Mobile Device 18

19 Best Practices for Social Media Use social media for outreach and communication Frequently remind members to not post personal information 19

20 Best Practices for Social Media Web page communication with member Encrypted communication required if plan is going to allow member to enter personal data Don t respond back with PHI by redact the communication unless encrypted Answer general questions in social media Encourage members to contact call center Remind members is not secure 20

21 Best Practices for Social Media ü Use a blog to communicate to members with low privacy risk. ü Monitor postings for private information frequently. 21

22 Secure using a web page Secure connection - HTTPS Member message 22

23 Mobile Device Security Best Practices ü Use a Strong password at least 8 characters include letters, numbers and special characters ü Encrypt the data on your device use device features or software Motion Stored on the device ü Don t send health information on an open network Is not safe to use the network in the coffee shop or hotel unless the connection is through a https web page or a VPN ü Lock the device automatically after a set time 3 to 10 minutes to prevent others from accessing if lost ü Use a unique user logon and password Utilize a unique password to minimize risk if stolen 23

24 Mobile Device Security Best Practices (continued) ü Enable remote wipe Use software from the device or cell network vendor ü Keep the mobile device with you Theft and loss is large source of breaches ü Use a screen shield to keep prying eyes out ü Don t share the mobile device with others Gives others access to your data ü Install a firewall Often part of an anti-virus package purchase 24

25 Mobile Device Security Best Practices (continued) ü Install anti-virus software and other malicious software protection ü Update the security software Take the time to download and install Stay current ü Know what to do if the device is lost or stolen Know who to call to report a loss ü Use a secure wi-fi network Home or office network with passwords ü Use software that is reputable 25

26 Provider Mobile Device Best Practices ü Provide a secure network connection to access PHI ü Laptop and mobile device encryption to FIPS certification ü Utilize two factor authentication Something they know and something they have ü Texting is not secure Many physicians will text because it is expedient Joint Commission will not allow text messages in medical record Text message are not encrypted on the phone ü Create strong privacy and security policies and procedures Enforce policies with sanctions Required by HIPAA Have a sanctions policy defining penalties for serious violations, e.g., removing PHI from the facility against policy, unauthorized access. 26

27 Questions 27